OneIM AzureActiveDirectory Administration

One Identity Manager 8.
Administration Guide for Connecting

to Azure Active Directory
Copyright 2017 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC .
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity do not make any commitment to update the information contained
in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend
WARNING: A WARNING icon indicates a potential for property damage,

personal injury, or death.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss

of data if instructions are not followed.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting

information.
One Identity Manager Administration Guide for Connecting to Azure Active Directory
Updated - November 2017
Version - 8.0
Contents
Managing Azure Active Directory Environments 8

Architecture Overview 8
One Identity Manager Users for Managing an Azure Active Directory System 9
Setting Up Synchronization with an Azure Active Directory Tenant 12

Users and Permissions for Synchronizing with Azure Active Directory 13
Integrating One Identity Manager into Azure Active Directory as an Application 14
Setting Up the Synchronization Server 15
Creating a Synchronization Project for initial Synchronization of an Azure Active
Directory Tenant 18
Show Synchronization Results 24
Customizing Synchronization Configuration 25
Configuring Synchronization with Azure Active Directory Tenants 27
Configuring Synchronization of Different Azure Active Directory Tenants 27
Updating Schemas 28
Post-Processing Outstanding Objects 29
Configuring Memberships Provisioning 31
Help for Analyzing Synchronization Issues 32
Deactivating Synchronization 32
Base Data for Managing Azure Active Directory 34

Setting Up Account Definitions 35
Creating an Account Definition 36
Master Data for an Account Definition 36
Setting Up Manage Levels 38
Master Data for a Manage Level 40
Creating a Formatting Rule for IT Operating Data 41
Determining IT Operating Data 42
Modifying IT Operating Data 44
Assigning Account Definitions to Employees 45
Assigning Account Definitions to Departments, Cost Centers and Locations 46
Assigning Account Definitions to Business Roles 46
Assigning Account Definitions to all Employees 47
One Identity Manager 8.0 Administration Guide for Connecting to

Azure Active Directory
3
Assigning Account Definitions Directly to Employees 48
Assigning Account Definitions to System Roles 48
Adding Account Definitions in the IT Shop 49
Assigning Account Definitions to a Target System 50
Deleting an Account Definition 51
Password Policies 53
Predefined Password Policies 53
Editing Password Policies 54
General Master Data for a Password Policy 54
Policy Settings 55
Character Sets for Passwords 56
Custom Scripts for Password Requirements 57
Script for Checking a Password 57
Script for Generating a Password 58
Restricted Passwords 59
Testing a Password 60
Testing Generating a Password 60
Assigning a Password Policy 60
Initial Password for New Azure Active Directory User Accounts 62
Email Notifications about Login Data 63
Target System Managers 65
Editing a Server 67
Master Data for a Job Server 68
Specifying Server Functions 70
Azure Active Directory Core Directories 73

Azure Active Directory Tenant 73
General Master Data for a Azure Active Directory Tenant 74
Local Active Directory Data 76
Specifying Categories for Inheriting Permissions 76
How to Edit a Synchronization Project 77
Azure Active Directory Domains 77
Azure Active Directory User Accounts 79

Linking User Accounts to Employees 79
Supported User Account Types 80

4
Entering Master Data for Azure Active Directory User Accounts 84
General Master Data for a Azure Active Directory User Account 85
Contact Data for a Azure Active Directory User Account 88
Organizational Data for an Azure Active Directory User Account 88
Active Directory User Account Local Data 89
Additional Tasks for Managing Azure Active Directory User Accounts 90
Overview of Azure Active Directory User Accounts 90
Changing the Manage Level of an Azure Active Directory User Account 90
Assigning Azure Active Directory Groups Directly to Azure Active Directory User
Accounts 91
Assigning Azure Active Directory Administrator Roles directly to Azure Active
Directory User Accounts 91
Assigning Azure Active Directory Subscriptions directly to Azure Active Directory
User Accounts 92
Assigning Disabled Azure Active Directory Service Plans directly to Azure Active
Assign Extended Properties to an Azure Active Directory User Account 93
Automatic Assignment of Employees to Azure Active Directory User Accounts 94
Editing Search Criteria for Automatic Employee Assignment 96
Disabling Azure Active Directory User Accounts 99
Deleting and Restoring Azure Active Directory User Accounts 100
Azure Active Directory Groups 102

Editing Azure Active Directory Group Master Data 103
General Master Data for an Azure Active Directory Group 103
Information about Local Active Directory Groups 105
Assigning Azure Active Directory Groups to Azure Active Directory User Accounts 105
Assigning Azure Active Directory Groups to Departments, Cost Centers and
Locations 106
Assigning Azure Active Directory Groups to Business Roles 107
Assigning Azure Active Directory User Accounts directly to an Azure Active
Directory Group 108
Adding Azure Active Directory Groups to System Roles 109
Adding Azure Active Directory Groups to the IT Shop 109
Additional Tasks for Managing Azure Active Directory Groups 111
Overview of Azure Active Directory Groups 111
Adding Azure Active Directory Groups to Azure Active Directory Groups 111

5
Effectiveness of Group Memberships 112
Azure Active Directory Group Inheritance Based on Categories 114
Assigning Owners to Azure Active Directory Groups 116
Assigning Extended Properties to an Azure Active Directory Group 116
Deleting Azure Active Directory Groups 117
Azure Active Directory Administrator Roles 118

Editing Azure Active Directory Administrator Role Master Data 118
Assigning Azure Active Directory Administrator Roles to Azure Active Directory
User Accounts 120
Assigning Azure Active Directory Administration Roles to Departments, Cost
Centers and Locations 120
Assigning Azure Active Directory Administrator Roles to Business Roles 122
Assigning Azure Active Directory User Accounts directly to Azure Active
Directory Administrator Roles 123
Adding Azure Active Directory Administrator Roles to System Roles 123
Adding Azure Active Directory Administrator Roles in the IT Shop 124
Additional Tasks for Managing Azure Active Directory Administrator Roles 126
Azure Active Directory Administrator Roles Overview 126
Azure Active Directory Administrator Role Inheritance Based on Categories 126
Assigning Extended Properties to an Azure Active Directory Administrator Role 127
Azure Active Directory Subscriptions and Service Plans 128

Azure Active Directory Subscriptions 128
Editing Azure Active Directory Subscription Master Data 128
Assigning Azure Active Directory Subscriptions to Azure Active Directory User
Accounts 130
Assigning Azure Active Directory Subscriptions to Departments, Cost Centers
and Locations 131
Assigning Azure Active Directory Subscriptions to Business Roles 132
Assigning Azure Active Directory User Accounts directly to an Azure Active
Directory Subscription 133
Adding Azure Active Directory Subscriptions to System Roles 133
Adding Azure Active Directory Subscriptions to the IT Shop 134
Additional Tasks for Managing Azure Active Directory Subscriptions 136
Overview of Azure Active Directory Subscriptions 136
Effectiveness of Subscription Assignments 136
Inheriting Azure Active Directory Subscriptions based on Categories 137

6
Assigning Additional Properties to an Azure Active Directory Subscription 137
Disabled Azure Active Directory Service Plan 138
Editing Master Data of Disabled Azure Active Directory Service Plans 138
Assigning Disabled Azure Active Directory Service Plans to Azure Active
Assigning Disabled Azure Active Directory Service Plans to Departments, Cost
Centers and Locations 140
Assigning Disabled Azure Active Directory Service Plans to Business Roles 141
Assigning Azure Active Directory User Accounts directly to Azure Active
Directory Service Plans 142
Adding Disabled Azure Active Directory Service Plans to System Roles 143
Adding Disabled Azure Active Directory Service Plans to the IT Shop 144
Additional Tasks for Managing Disabled Azure Active Directory Service Plans 145
Overview of Disabled Azure Active Directory Service Plans 146
Effectiveness of Assignments of Disabled Service Plans 146
Inheritance of Disabled Azure Active Directory Service Plans Based on Categor-
ies 146
Assigning Extended Properties to a disabled Azure Active Directory Service
Plan 147
Reports about Azure Active Directory Objects 148

Overview of all Assignments 149
Appendix: Configuration Parameters for Managing Azure Active Directory 151
Appendix: Default Project Template for Azure Active Directory 154
About us 155
Contacting us 155
Technical support resources 155
Index 156

7
1
Managing Azure Active Directory

Environments
One Identity Manager offers simplified user account administration for Azure Active
Directory. One Identity Manager concentrates on setting up and editing user accounts and
providing the required permissions. To equip users with the required permissions,
subscriptions, service plans, groups and administration roles are mapped in One Identity
Manager. This makes it possible to use Identity and Access Governance processes such as
attesting, Identity Audit, user account management and system entitlements, IT Shop or
report subscriptions for Azure Active Directory tenants.
One Identity Manager provides company employees with the necessary user accounts. For
this, you can use different mechanisms to connect employees to their user accounts. You
can also manage user accounts independently of employees and therefore set up
administrator user accounts.
Additional information about the Azure Active Directory core directory like tenants and
verified domains is loaded into the One Identity Manager database by data synchronization.
There are only limited possibilities for customizing this information in the One Identity
Manager due to the complex dependencies and far reaching effects of changes.
For more detailed information about the Azure Active Directory structure, see the Azure
Active Directory documentation from Microsoft.
Architecture Overview
To access Azure Active Directory tenant data, the Azure Active Directory connector is
installed on a synchronization server. The synchronization server ensures data is
compared between the One Identity Manager database and Azure Active Directory. The
Azure Active Directory connector uses the Microsoft Graph API for accessing Azure Active
Directory data.
The Azure Active Directory connector must authenticate itself on the Azure Active Directory
tenant to access Azure Active Directory tenant data. Authentication is carried out by a One
Identity Manager application that is integrated in the Azure Active Directory tenant and
equipped with the respective access rights.

Azure Active Directory 8
Managing Azure Active Directory Environments
Figure 1: Architecture for synchronization
One Identity Manager Users for

Managing an Azure Active Directory
System
The following users are used in Azure Active Directory system administration.
Table 1: User
User Task
Target system admin- Target system administrators must be assigned to the

istrators application role Target system | Administrators.
Users with this application role:
l Administrate application roles for individual target

systems types.
l Specify the target system manager.
l Set up other application roles for target system managers
if required.
l Specify which application roles are conflicting for target
system managers

User Task
l Authorize other employee to be target system admin-

istrators.
l Do not assume any administrative tasks within the target
system.
Target system Target system managers must be assigned to the application

managers role Target systems | Azure Active Directory or a sub
application role.
l Assume administrative tasks for the target system.

l Create, change or delete target system objects, like user
accounts or groups.
l Edit password policies for the target system.
l Prepare groups for adding to the IT Shop.
l Configure synchronization in the Synchronization Editor
and defines the mapping for comparing target systems
and One Identity Manager.
l Edit the synchronization's target system types and
outstanding objects.
l Authorize other employees within their area of respons-
ibility as target system managers and create child applic-
ation roles if required.
One Identity Manager l Create customized permissions groups for application

administrators roles for role-based login to administration tools in the
Designer, as required.
l Create system users and permissions groups for non-role
based login to administration tools, as required.
l Enable or disable additional configuration parameters in
the Designer, as required.
l Create custom processes in the Designer, as required.
l Create and configures schedules, as required.
l Create and configure password policies, as required.
Administrators for the Administrators must be assigned to the application role

IT Shop Request & Fulfillment | IT Shop | Administrators.
l Assign to IT Shop structures.
Product owner for the The product owners must be assigned to the application roles

User Task
IT Shop Request & Fulfillment | IT Shop | Product owners or an

application role below that.
l Approve through requests.

l Edit service items and service categories under their
management.
Administrators for Administrators must be assigned to the application role

organizations Identity Management | Organizations | Administrators.
l Assign to departments, cost centers and locations.
Business roles admin- Administrators must be assigned to the application role

istrators Identity Management | Business roles | Administrators.
l Assign to business roles.

2
Setting Up Synchronization with an

Azure Active Directory Tenant
To load One Identity Manager tenant objects into the Azure Active Directory
database for the first time
1. Prepare a user account in the Azure Active Directory tenant with sufficient
permissions for synchronization.
2. Integrate One Identity Manager in Azure Active Directory as an application for
your tenants.
3. The One Identity Manager components for managing Azure Active Directory tenants
are available if the configuration parameter "TargetSystem\AzureADS" is set.
l Check whether the configuration parameter is set in the Designer. Otherwise,
set the configuration parameter and compile the database.
l Other configuration parameters are installed when the module is installed.
Check the configuration parameters and modify them as necessary to suit your
requirements.
4. Install and configure a synchronization server and declare the server as Job server in
One Identity Manager.
5. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic
l Users and Permissions for Synchronizing with Azure Active Directory on page 13
l Integrating One Identity Manager into Azure Active Directory as an Application
on page 14
l Setting Up the Synchronization Server on page 15
l Creating a Synchronization Project for initial Synchronization of an Azure Active
Directory Tenant on page 18
l Deactivating Synchronization on page 32
l Customizing Synchronization Configuration on page 25

Setting Up Synchronization with an Azure Active Directory Tenant
l Appendix: Configuration Parameters for Managing Azure Active Directory on
page 151
l Appendix: Default Project Template for Azure Active Directory on page 154
Users and Permissions for

Synchronizing with Azure Active
Directory
The following users are involved in synchronizing One Identity Manager with a Azure Active
Directory tenant.
Table 2: Users for Synchronization
User Permissions
User for accessing You must provide a user account with the following authorizations for
Azure Active full synchronization of Azure Active Directory tenant objects with the
Directory supplied One Identity Manager default configuration.
l Member in the organization role "Global administrator".
One Identity The user account for the One Identity Manager Service requires
Manager Service access rights to carry out operations at file level (issuing user rights,
user account adding directories and files to be edited).
The user account must belong to the group "Domain Users".
The user account must have the extended access right "Log on as a
service".
The user account requires access rights to the internal web service.
NOTE: If the One Identity Manager Service runs under the

network service (NT Authority\NetworkService), you can issue
access rights for the internal web service with the following
command line call:
netsh http add urlacl url=http://<IP address>:<port
number>/ user="NT AUTHORITY\NETWORKSERVICE"
The user account needs full access to the One Identity Manager
Service installation directory in order to automatically update the
In the default installation the One Identity Manager is installed
under:
l %ProgramFiles(x86)%\One Identity (on 32-bit operating

systems)

User Permissions
l %ProgramFiles%\One Identity (on 64-bit operating systems)
User for accessing The default system user "Synchronization" is available to run
the One Identity synchronization over an application server.
Manager database
Integrating One Identity Manager into

Azure Active Directory as an Application
To synchronize data between One Identity Manager and Azure Active Directory, you must
integrate One Identity Manager as an application in the Azure Active Directory tenants. The
Azure Active Directory connector authenticates itself in Azure Active Directory tenants
using the One Identity Manager application.
NOTE: A client ID is created when you add One Identity Manager as an application in
Azure Active Directory. You need this client ID for setting up synchronization.
For more detailed information about integrating applications into Azure Active Directory,
see the Azure Active Directory documentation from Microsoft.
To configure the One Identity Manager as an application in Azure Active

Directory
1. Log on to the Microsoft Azure Management Portal

(https://manage.windowsazure.com) and create a new application for One Identity
Manager for your directory.
The following settings are recommended.
l Select the link Add an application my organization is developing.
l Set up One Identity Manager as a "native client application".
2. Configure the following settings for the application.
l Permissions to other applications: Microsoft Graph
l Delegated Permissions:
l Sign in and read user profile
l Read and write access to user profile
l Read and write access to user profile
l Read and write all groups
l Read and write directory data
l Access directory as the signed in user
l Sign users in

Related Topics

Setting Up the Synchronization Server

To setup synchronization with an Azure Active Directory tenant, a server must be available
with the following software installed on it:
l Windows operating system

Following versions are supported:
l Windows Server 2008 (non-Itanium based 64-bit) Service Pack 2 or later
l Windows Server 2008 R2 (non-Itanium based 64-bit) Service Pack 1 or later
l Windows Server 2012
l Windows Server 2012 R2
l Windows Server 2016
l Microsoft .NET Framework Version 4.5.2 or later
NOTE: Microsoft .NET Framework version 4.6 is not supported.
NOTE: Take the target system manufacturer's recommendations into account.
l Windows Installer
l One Identity Manager Service, Azure Active Directory connector
l Install One Identity Manager components with the installation wizard.
1. Select the option Select installation modules with existing
database.
2. Select the machine role Server | Job server | Azure Active
Directory.
All One Identity Manager Service actions are executed against the target system
environment on the synchronization server. Entries which are necessary for
synchronization and administration with the One Identity Manager database are processed
by the synchronization server. The synchronization server must be declared as a Job
server in One Identity Manager.
NOTE: If several target system environments of the same type are synchronized
under the same synchronization server, it is useful to set up a job server for each
target system on performance grounds. This avoids unnecessary swapping of connec-
tion to target systems because a job server only has to process tasks of the same
type (re-use of existing connections).
Use the Server Installer to install the One Identity Manager Service. This program
executes the following steps.

l Setting up a Job server.
l Specifying machine roles and server function for the Job server.
l Remote installation of One Identity Manager Service components corresponding to
the machine roles.
l Configures the One Identity Manager Service.
l Starts the One Identity Manager Service.
NOTE: The program executes remote installation of the One Identity Manager
Service. Local installation of the service is not possible with this program. Remote
installation is only supported within a domain or a trusted domain.
To install and configure the One Identity Manager Service remotely on a server
1. Start the program Server Installer on your administrative workstation.

2. Enter valid data for connecting to One Identity Manager on the Database
connection page and click Next.
3. Specify on which server you want to install the One Identity Manager Service on the
Server properties page.
a. Select a job server in the Server menu.
- OR -
Click Add to add a new job server.
b. Enter the following data for the Job server.
Table 3: Job Servers Properties
Property Description
Server Name of the Job servers.
Queue Name of queue to handle the process steps. Each One Identity
Manager Service within the network must have a unique queue
identifier. The process steps are requested by the job queue
using exactly this queue name. The queue identifier is entered in
the One Identity Manager Service configuration file.
Full Full name of the server in DNS syntax.

server Example:
name
<name of server>.<fully qualified domain name>
NOTE: Use the Advanced option to edit other Job server properties. You
can use the Designer to change properties at a later date.
4. Specify which job server roles to include in One Identity Manager on the Machine
role page. Installation packages to be installed on the Job server are found
depending on the selected machine role.
l Azure Active Directory

5. Specify the server's functions in One Identity Manager on the Server functions
page. One Identity Manager processes are handled depending on the server function.
The server's functions depend on which machine roles you have selected. You can
limit the server's functionality further here.
Select the following server functions:
l Azure Active Directory connector (via Microsoft Graph)
Windows PowerShell
6. Check the One Identity Manager Service configuration on the Service
settings page.
NOTE: The initial service configuration is already predefined. If further changes

need to be made to the configuration, you can do this later with the Designer.
For more detailed information about configuring the service, see One Identity
Manager Configuration Guide.
7. To configure remote installations, click Next.

8. Confirm the security prompt with Yes.
9. Select the directory with the install files on the Select installation source page.
10. Select the file with the private key on the page Select private key file.
NOTE: This page is only displayed when the database is encrypted.
11. Enter the service's installation data on the Service access page.
Table 4: Installation Data
Data Description
Computer Server on which to install and start the service from.
To select a server
l Enter the server name.
- OR -
l Select a entry from the list.
Service One Identity Manager Service user account data.

account
To enter a user account for the One Identity Manager
Service
l Set the option Local system account.
This starts the One Identity Manager Service under the
account "NT AUTHORITY\SYSTEM".
- OR -
l Enter user account, password and password confirmation.

Data Description
Installation Data for the administrative user account to install the service.
account
To enter an administrative user account for installation
Enable Advanced
l .
l Enable the option Current user.
This uses the user account of the current user.
- OR -
l Enter user account, password and password confirmation.
12. Click Next to start installing the service.

Installation of the service occurs automatically and may take some time.
13. Click Finish on the last page of the Server Installer.
NOTE: The is entered with the name "One Identity Manager Service" in the
server's service administration.
Creating a Synchronization Project for

initial Synchronization of an Azure
Active Directory Tenant
Use the Synchronization Editor to configure synchronization between the One Identity
Manager database and Azure Active Directory. The following describes the steps for
initial configuration of a synchronization project. For more detailed information about
setting up synchronization, see the One Identity Manager Target System Synchronization
Reference Guide.
After the initial configuration, you can customize and configure workflows within the
synchronization project. Use the workflow wizard in the Synchronization Editor for this.
The Synchronization Editor also provides different configuration options for a
synchronization project.
Have the following information available for setting up a synchronization project.
Table 5: Information Required for Setting up a Synchronization Project
Data Explanation
Client ID Client ID created when One Identity Manager is added as the tenant's
application.

Data Explanation
Login domain Name of the domain for logging into Azure Active Directory. You can
use the base domain or your tenant's verified domain.
User account User account and password for authentication on Azure Active Directory
and password using the One Identity Manager application. Make a user account
for logging in available with sufficient permissions. For more information, see Users
and Permissions for Synchronizing with Azure Active Directory on page
13.
Key for authen- If you have registered One Identity Manager as a web application in
ticating as a your tenant, you required the key that is created.
web application
NOTE: The key is only valid for a limited period and must be
renewed when it expired.
Synchronization All One Identity Manager Service actions are executed against the
server for target system environment on the synchronization server. Entries
Azure Active which are necessary for synchronization and administration with the
Directory One Identity Manager database are processed by the synchronization
server.
The One Identity Manager Service with the Azure Active Directory
connector must be installed on the synchronization server.
The synchronization server must be declared as a Job server in One
Identity Manager. Use the following properties when you set up the Job
server.
Table 6: Additional Properties for the Job Server
Property Value
Server Azure Active Directory connector (using Microsoft

Function Graph)
Machine role Server/Job server/Azure Active Directory
For more information, see Setting Up the Synchronization Server on

page 15.
One Identity SQL Server:

Manager
l Database server
Database
Connection l Database
Data l Database user and password
l Specifies whether Windows authentication is used.
This type of authentication is not recommended. If you decide to
use it anyway, ensure that your environment supports Windows

Data Explanation
authentication.
Oracle:
l Species whether access is direct or through the Oracle client

Which connection data is required, depends on how this option is
set.
l Database server
l Oracle instance port
l Service name
l Oracle database user and password
l Data source (TNS alias name from TNSNames.ora)
Remote connec- To configure synchronization with a target system, One Identity

tion server Manager must load the data from the target system. One Identity
Manager communicates directly with target system to do this. If you do
not have direct access on the workstation on which the Synchronization
Editor is installed, because of the firewall configuration, for example,
you can set up a remote connection.
The remote connection server and the workstation must be in the same
Active Directory domain.
Remote connection server configuration:
l One Identity Manager Service is started

l RemoteConnectPlugin is installed
l Azure Active Directory connector is installed
The remote connection server must be declared as a Job server in One

Identity Manager. The Job server name is required.
TIP: The remote connection server requires the same config-

uration (with respect to the installed software) as the synchron-
ization server. Use the synchronization as remote connection
server at the same time, by simply installing the RemoteCon-
nectPlugin as well.
For more detailed information about setting up a remote connection,

see the One Identity Manager Target System Synchronization
Reference Guide.

NOTE: The following sequence describes how you configure a synchronization project
if the Synchronization Editor is both:
l In default mode
l Started from the launchpad
Additional settings can be made if the project wizard is run in expert mode or is
started directly from the Synchronization Editor. Follow the project wizard
instructions through these steps.
To set up initial synchronization project for an Azure Active Directory tenant.
1. Start the Launchpad and log on to the One Identity Manager database.
NOTE: If synchronization is executed by an application server, connect the

database through the application server.
2. Select the entry Azure Active Directory target system type. Click Run.
This starts the Synchronization Editor's project wizard.
3. Specify how the One Identity Manager can access the target system on the System
access page.
l If you have access from the workstation from which you started the
Synchronization Editor, do not set anything.
l If you do not have access from the workstation from which you started the
Synchronization Editor, you can set up a remote connection.
In this case, set the option Connect using remote connection server and
select, under Job server, the server you want to use for the connection.
4. Enter the basic data for you tenants on the Azure Active Directory tenant page.
l Enter the client ID that was created when the One Identity Manager was added
to the tenant's application in Client ID.
l Enter the base domain or one of your tenant's verified domains in Login
domain.
5. Select the type of login on the Authentication page and enter the required
login data.
a. If you have integrated One Identity Manager as a native tenant application in
your tenant, select the option Authenticate as native tenant application
and enter the user account and password for logging into the target system,
b. If you have integrated One Identity Manager as a web application in your
tenant, select the option Authenticate as web application and enter the key
that was created when One Identity Manager was added as the tenant's
application.
6. Verify the One Identity Manager database connection data on the One Identity
Manager connection page. The data is loaded from the connected database.
Reenter the password.

NOTE: Reenter all the connection data if you are not working with an encrypted
One Identity Manager database and no synchronization project has been saved
yet in the database. This page is not shown if a synchronization project already
exists.
7. The wizard loads the target system schema. This may take a few minutes depending
on the type of target system access and the size of the target system.
8. Specify how system access should work on the page Restrict target system
access. You have the following options:
Table 7: Specifying Target System Access
Option Meaning
Read-only access Specifies whether a synchronization workflow should be set

to target system. up to initially load the target system into the One Identity
Manager database.
The synchronization workflow has the following
characteristics:
l Synchronization is in the direction of "One Identity
Manager".
l Processing methods in the synchronization steps are
only defined in synchronization direction "One Identity
Manager".
Changes are also Specifies whether a provisioning workflow should be set up in

made to the target addition to the synchronization workflow to initially load the
system. target system.
The provisioning workflow displays the following
characteristics:
l Synchronization in the direction of the "target system"
l Processing methods are only defined in the synchron-
ization steps in synchronization direction "target
system".
l Synchronization steps are only created for such schema
classes whose schema types have write access.
9. Select the synchronization server to execute synchronization on the

Synchronization server page.
If the synchronization server is not declare as a job server in the One Identity
Manager database yet, you can add a new job server.
l Click to add a new job server.
l Enter a name for the job server and the full server name conforming to
DNS syntax.
l Click OK.

The synchronization server is declared as job server for the target system in
the One Identity Manager database.
NOTE: Ensure that this server is set up as the synchronization server

after saving the synchronization project.
10. Click Finish to complete the project wizard.

This creates and allocates a default schedule for regular synchronization. Enable the
schedule for regular synchronization.
The synchronization project is created, saved and enabled immediately.
NOTE: If the synchronization project is not going to be executed immediately,

disable the option Activate and save the new synchronization project
automatically.
In this case, save the synchronization project manually before closing the
Synchronization Editor.
NOTE: The target system connection data is saved in a variable set, which you
can change in the Synchronization Editor under Configuration | Variables if
necessary.
To configure the content of the synchronization log
1. To configure the synchronization log for target system connection, select the
category Configuration | Target system.
2. To configure the synchronization log for the database connection, select the category
Configuration | One Identity Manager connection.
3. Select General view and click Configure....
4. Select the Synchronization log view and set Create synchronization log.
5. Enable the data to be logged.
NOTE: Certain content create a lot of log data.

The synchronization log should only contain the data necessary for error
analysis and other evaluations.
6. Click OK.
To synchronize on a regular basis
1. Select the category Configuration | Start up configurations.

2. Select a start up configuration in the document view and click Edit schedule....
3. Edit the schedule properties.
4. To enable the schedule, click Activate.
5. Click OK.

To start initial synchronization manually
1. Select the category Configuration | Start up configurations.

2. Select a start up configuration in the document view and click Execute.
NOTE: Following synchronization, employees are automatically created for user

accounts in the default installation. If there are no account definitions for the tenant
at the time of synchronization, user accounts are linked to employees. However,
account definitions are not assigned. The user accounts are, therefore, in a "Linked"
state.
To select user accounts through account definitions
1. Create an account definition.

2. Assign an account definition to the tenant.
3. Assign the account definition and manage level to the user accounts in a
"linked" state.
a. Select the category Azure Active Directory | User accounts |
Linked but not configured | <client>.
b. Select the task Assign account definition to linked accounts.
Related Topics
l Integrating One Identity Manager into Azure Active Directory as an Application

on page 14
l Setting Up the Synchronization Server on page 15
l Users and Permissions for Synchronizing with Azure Active Directory on page 13
l Show Synchronization Results on page 24
l Appendix: Default Project Template for Azure Active Directory on page 154
l Setting Up Account Definitions on page 35
l Automatic Assignment of Employees to Azure Active Directory User Accounts
on page 94
Show Synchronization Results

Synchronization results are summarized in the synchronization log. You can specify the
extent of the synchronization log for each system connection individually. One Identity
Manager provides several reports in which the synchronization results are organized under
different criteria.

To display a synchronization log
1. Open the synchronization project in the Synchronization Editor.

2. Select the category Logs.
3. Click in the navigation view toolbar.
Logs for all completed synchronization runs are displayed in the navigation view.
4. Select a log by double-clicking on it.
An analysis of the synchronization is shown as a report. You can save the report.
To display a provisioning log.

2. Select the category Logs.
3. Click in the navigation view toolbar.
Logs for all completed provisioning processes are displayed in the navigation view.
4. Select a log by double-clicking on it.
An analysis of the provisioning is show as a report. You can save the report.
The log is marked in color in the navigation view. This mark shows you the execution status
of the synchronization/provisioning.
Synchronization logs are stored for a fixed length of time. The retention period is set in the
configuration parameter "DPR\Journal\LifeTime" and its sub parameters.
To modify the retention period for synchronization logs
l Set the configuration parameter "Common\Journal\LifeTime" in the Designer and

enter the maximum retention time for entries in the database journal. Use the
configuration sub parameters to specify the retention period for each warning level.
l If there is a large amount of data, you can specify the number of objects to delete
per DBQueue Processor operation and run in order to improve performance. Use the
configuration parameters "Common\Journal\Delete\BulkCount" and
"Common\Journal\Delete\TotalCount" to do this.
l Configure and set the schedule "Delete journal" in the Designer.
Customizing Synchronization
Configuration
You have used the Synchronization Editor to set up a synchronization project for initial
synchronization of an Azure Active Directory tenant. You can use this synchronization
project to load Azure Active Directory objects into the One Identity Manager database. If
you manage user accounts and their authorizations with One Identity Manager, changes are
provisioned in the Azure Active Directory environment.

You must customize the synchronization configuration in order to compare the Azure Active
Directory database with the regularly and to synchronize changes.
l Create a workflow with the direction of synchronization "target system" to use One
Identity Manager as the master system for synchronization.
l You can use variables to create generally applicable synchronization configurations
which contain the necessary information about the synchronization objects when
synchronization starts. Variables can be implemented in base objects, schema
classes or processing methods, for example.
l Use variables to set up a synchronization project which can be used for
several different domains. Store a connection parameter as a variable for
logging in to the domain.
l To specify which Azure Active Directory objects and database object are included in
synchronization, edit the scope of the target system connection and the One Identity
Manager database connection. To prevent data inconsistencies, define the same
scope in both systems. If no scope is defined, all objects will be synchronized.
l Update the schema in the synchronization project, if the One Identity Manager
schema or target system schema has changed. Then you can add the changes to
the mapping.
IMPORTANT: As long as synchronization is running, you must not start another

synchronization for the same target system. This applies especially, if the same
synchronization objects would be processed.
l The moment another synchronization is started with the same start up config-
uration, the running synchronization process is stopped and given the status,
"Frozen". An error message is written to the One Identity Manager Service log
file.
l If another synchronization is started with another start up configuration, that
addresses same target system, it may lead to synchronization error or loss of
data. Plan your start times carefully. If possible, specify your start times so
that synchronization does not overlap.
For more detailed information about configuring synchronization, see the One Identity
Manager Target System Synchronization Reference Guide.
l Configuring Synchronization with Azure Active Directory Tenants on page 27

l Configuring Synchronization of Different Azure Active Directory Tenants on page 27
l Updating Schemas on page 28

Configuring Synchronization with Azure
Active Directory Tenants
The synchronization project for initial synchronization provides a workflow for initial
loading of target system objects (initial synchronization) and one for provisioning object
modifications from the One Identity Manager database to the target system (provisioning).
You also require a workflow with synchronization in the direction of the "target system" to
use One Identity Manager as the master system for synchronization.
To create a synchronization configuration for synchronizing in Azure Active

Directory tenants

2. Check whether existing mappings can be used for synchronizing the target system.
Create new maps if required.
3. Create a new workflow with the workflow wizard.
This adds a workflow for synchronizing in the direction of the target system.
4. Create a new start up configuration. Use the new workflow to do this.
5. Save the changes.
6. Run a consistency check.
Related Topics
l Configuring Synchronization of Different Azure Active Directory Tenants on page 27
Configuring Synchronization of Different

Azure Active Directory Tenants
To customize a synchronization project for synchronizing another tenant
1. Prepare a user account with sufficient permissions for synchronizing in the

other tenant.
3. Create a new base object for the other tenants. Use the wizards to attach a
base object.
l Select the Azure Active Directory connector in the wizard and enter the
connection parameters. The connection parameters are saved in a special
variable set.
A start up configuration is created, which uses the new variable set.
4. Change other elements of the synchronization configuration as required.

6. Run a consistency check.
Related Topics
l Configuring Synchronization with Azure Active Directory Tenants on page 27
Updating Schemas
All the schema data (schema types and schema properties) of the target system schema
and the One Identity Manager schema are available when you are editing a
synchronization project. Only a part of this data is really needed for configuring
synchronization. If a synchronization project is finished, the schema is compressed to
remove unnecessary data from the synchronization project. This can speed up loading the
synchronization project. Deleted schema data can be added to the synchronization
configuration again at a later point.
If the target system schema or the One Identity Manager schema has changed, these
changes must also be added to the synchronization configuration. Then the changes can be
added to the schema property mapping.
To include schema data that have been deleted through compressing and schema
modifications in the synchronization project, update each schema in the synchronization
project. This may be necessary if:
l A schema was changed by:

l Changes to a target system schema
l Customizations to the One Identity Manager schema
l A One Identity Manager update migration
l A schema in the synchronization project was shrunk by:
l Activating the synchronization project
l Synchronization project initial save
l Compressing a schema
To update a system connection schema

2. Select the category Configuration | Target system.
- OR -
Select the category
Configuration | One Identity Manager connection.
3. Select the view General and click Update schema.
This reloads the schema data.

To edit a mapping

2. Select the category Mappings.
3. Select a mapping in the navigation view.
Opens the Mapping Editor. For more detailed information about editing mappings,
see One Identity Manager Target System Synchronization Reference Guide.
NOTE: The synchronization is deactivated if the schema of an activated synchron-

ization project is updated. Reactivate the synchronization project to synchronize.
Post-Processing Outstanding Objects

Objects, which do not exist in the target system, can be marked as outstanding in One
Identity Manager by synchronizing. This prevents objects being deleted because of an
incorrect data situation or an incorrect synchronization configuration.
Objects marked as outstanding:
l Cannot be edited in One Identity Manager.

l Are ignored by subsequent synchronization.
l Must be post-processed separately in One Identity Manager.
Start target system synchronization to do this.
To post-process outstanding objects
1. Select the category Azure Active Directory | Target system synchronization:

Azure Active Directory.
All tables assigned to the target system type Azure Active Directory as
synchronization tables are displayed in the navigation view.
1. Select the table whose outstanding objects you want to edit in the navigation view.
This opens the target system synchronization form. All objects are shown here that
are marked as outstanding.
TIP:
To display object properties of an outstanding object

a. Select the object on the target system synchronization form.
b. Open the context menu and click Show object.

2. Select the objects you want to rework. Multi-select is possible.
3. Click one of the following icons in the form toolbar to execute the respective method.
Table 8: Methods for handling outstanding objects
Icon Method Description
Delete The object is immediately deleted in the One Identity Manager.

Deferred deletion is not taken into account. The "outstanding"
label is removed from the object.
Indirect memberships cannot be deleted.
Publish The object is added in the target system. The "outstanding" label
is removed from the object.
The method triggers the event "HandleOutstanding". This runs a
target system specific process that triggers the provisioning
process for the object.
Prerequisites:
l The table containing the object can be published.
l The target system connector has write access to the target
system.
Reset The "outstanding" label is removed from the object.
NOTE: By default, the selected objects are processed in parallel, which speeds up
execution of the selected method. If an error occurs during processing, the action is
stopped and all changes are discarded.
Bulk processing of objects must be disabled if errors are to be localized, which means
the objects are processed sequentially. Failed objects are named in the error
message. All changes that were made up until the error occurred are saved.
To disable bulk processing
l Deactivate in the form toolbar.
You must customize synchronization to synchronize custom tables.
To add custom tables to the target system synchronization.
1. Select the category Azure Active Directory | Basic configuration data |

Target system types.
2. Select the target system type Azure Active Directory in the result list.
3. Select Assign synchronization tables in the task view.
4. Assign custom tables whose outstanding objects you want to handle in Add
assignments.

6. Select Configure tables for publishing.
7. Select custom tables whose outstanding objects can be published in the target
system and set the option Publishable.
NOTE: The target system connector must have write access to the target system in
order to publish outstanding objects that are being post-processed. That means, the
option Connection is read only must no be set for the target system connection.
Configuring Memberships Provisioning

Memberships, for example, user accounts in groups, are saved in assignment tables in the
One Identity Manager database. During provisioning of modified memberships, changes
made in the target system will probably be overwritten. This behavior can occur under the
following conditions:
l Memberships are saved in the target system as an object property in list form
(Example: List of users accounts in the property Members of an Azure Active
Directory group).
l Memberships can be modified in either of the connected systems.
l A provisioning workflow and provisioning processes are set up.
If a membership in One Identity Manager changes, the complete list of members is

transferred to the target system by default. Memberships, previously added to the target
system are removed by this; previously deleted memberships are added again.
To prevent this, provisioning can be configured such that only the modified membership is
provisioned in the target system. The corresponding behavior is configured separately for
each assignment table.
To allow separate provisioning of memberships
1. Start the Manager.

Target system types.
3. Select Configure tables for publishing.
4. Select the assignment tables for which you want to allow separate provisioning.
Multi-select is possible.
l The option can only be set for assignment tables whose base table has a
column XDateSubItem.
l Assignment tables, which are grouped together in a virtual schema property in
the mapping, must be labeled identically (for example AADUserInGroup and
AADGroupInGroup).

5. Click Enable merging.
For each assignment table labeled like this, the changes made in the One Identity Manager
are saved in a separate table. During modification provisioning, the members list in the
target system is compared to the entries in this table. This means that only modified
memberships are provisioned and the members list does not get entirely overwritten.
NOTE: The complete members list is updated by synchronization. During this process,
objects with changes but incomplete provisioning are not handled. These objects are
logged in the synchronization log.
For more detailed information about provisioning memberships, see the One Identity
Manager Target System Synchronization Reference Guide.
Help for Analyzing Synchronization

Issues
You can generate a report for analyzing problems which occur during synchronization, for
example, insufficient performance. The report contains information such as:
l Consistency check results

l Revision filter settings
l Scope applied
l Analysis of the synchronization buffer
l Object access times in the One Identity Manager database and in the target system
To generate a synchronization analysis report

2. Select the menu Help | Generate synchronization analysis report and answer
the security prompt with Yes.
The report may take a few minutes to generate. It is displayed in a separate window.
3. Print the report or save it in one of the available output formats.
Deactivating Synchronization
Regular synchronization cannot be started until the synchronization project and the
schedule are active.

To prevent regular synchronization
l Select the start up configuration and deactivate the configured schedule.

Now you can only start synchronization manually.
An activated synchronization project can only be edited to a limited extend. The schema in
the synchronization project must be updated if schema modifications are required. The
synchronization project is deactivated in this case and can be edited again.
Furthermore, the synchronization project must be deactivated if synchronization should not
be started by any means (not even manually).
To deactivate the loaded synchronization project
1. Select General on the start page.

2. Click Deactivate project.
Related Topics


3
Base Data for Managing Azure

Active Directory
To manage an Azure Active Directory environment in One Identity Manager, the following
data is relevant.
l Configuration parameter
Use configuration parameters to configure the behavior of the system's basic
settings. One Identity Manager provides default settings for different configuration
parameters. Check the configuration parameters and modify them as necessary to
suit your requirements.
Configuration parameters are defined in the One Identity Manager modules. Each
One Identity Manager module can also install configuration parameters. You can find
an overview of all configuration parameters in the category Base data | General |
Configuration parameters in the Designer.
For more information, see Appendix: Configuration Parameters for Managing Azure
Active Directory on page 151.
l Account definitions
One Identity Manager has account definitions for automatically allocating user
accounts to employees during working hours. You can create account definitions for
every target system. If an employee does not have a user account in the target
system, a new user account is created. This is done by assigning account
definitions to an employee using the integrated inheritance mechanism followed by
process handling.
For more information, see Setting Up Account Definitions on page 35.
l Password policies
One Identity Manager provides you with support for creating complex password
policies, for example, for system user passwords, the employees' central password
as well as passwords for individual target systems. Password polices apply not only
when the user enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can
user or customize if required. You can also define your own password policies.
For more information, see Password Policies on page 53.

Base Data for Managing Azure Active Directory
l Initial Password for New User Accounts
You have the different options for issuing an initial password for user accounts. The
central password of the assigned employee can be aligned with the user account
password, a predefined, fixed password can be used or a randomly generated initial
password can be issued.
For more information, see Initial Password for New Azure Active Directory User
Accounts on page 62.
l Email notifications about login data
When a new user account is created, the login data are send to a specified recipient.
In this case, two messages are sent with the user name and the initial password. Mail
templates are used to generate the messages.
For more information, see Email Notifications about Login Data on page 63.
l Target System Types
Target system types are required for configuring target system comparisons. Tables
containing outstanding objects are maintained on target system types.
For more information, see Post-Processing Outstanding Objects on page 29.
l Target System Managers
A default application role exists for the target system manager in the One Identity
Manager. Assign this application to employees who are authorized to edit the tenants
in One Identity Manager.
Define other application roles, if you want to limit target system managers' access
permissions to individual tenants. The application roles must be added under the
default application role.
For more information, see Target System Managers on page 65.
l Server
Servers must know your server functionality in order to handle Azure Active
Directory specific processes in One Identity Manager. For example, the
synchronization server.
For more information, see Editing a Server on page 67.
Setting Up Account Definitions

One Identity Manager has account definitions for automatically allocating user accounts to
employees during working hours. You can create account definitions for every target
system. If an employee does not have a user account in the target system, a new user
account is created. This is done by assigning account definitions to an employee using the
integrated inheritance mechanism followed by process handling.
The data for the user accounts in the respective target system comes from the basic
employee data. The assignment of the IT operating data to the employee’s user account is
controlled through the primary assignment of the employee to a location, a department, a

cost center, or a business role (template processing). Processing is done through
templates. There are predefined templates for determining the data required for user
accounts included in the default installation. You can customize templates as required.
For more details about the basics, see the One Identity Manager Target System Base
Module Administration Guide.
The following steps are required to implement an account definition:
l Creating an Account Definition

l Setting Up Manage Levels
l Creating a Formatting Rule for IT Operating Data
l Determining IT Operating Data
l Assigning Account Definitions to Employees
l Assigning Account Definitions to a Target System
Creating an Account Definition

To create a new account definition

Account definitions | Account definitions.
2. Select an account definition in the result list. Select Change master data in
the task view.
- OR -
Click in the result list toolbar.
3. Enter the account definition's master data.
l Master Data for an Account Definition on page 36
Master Data for an Account Definition

Enter the following data for an account definition:
Table 9: Master Data for an Account Definition
Account Account definition name.

definition

User Table in the One Identity Manager schema which maps user accounts.
account
table
Target Target system to which the account definition applies.
System
Required Required account definitions. Define the dependencies between account

account definitions. When this account definition is requested or assigned, the
definition required account definition is automatically requested or assigned with it.
Leave empty for Azure Active Directory tenants.
Description Spare text box for additional explanation.
Manage Manage level to use by default when you add new user accounts.
level
(initial)
Risk index Value for evaluating the risk of account definition assignments to
employees. Enter a value between 0 and 1. This property is only visible
when the configuration parameter QER\CalculateRiskIndex is set.
For more detailed information, see the .One Identity Manager Risk
Assessment Administration Guide
Service item Service item through which you can request the account definition in the IT
Shop. Assign an existing service item or add a new one.
IT Shop Specifies whether the account definition can be requested through the IT
Shop. The account definition can be ordered by an employee over the Web
Portal and distributed using a defined approval process. The account
definition can still be directly assigned to employees and roles outside the
IT Shop.
Only for use Specifies whether the account definition can only be requested through the
in IT Shop IT Shop. The account definition can be ordered by an employee over the
Web Portal and distributed using a defined approval process. This means,
the account definition cannot be directly assigned to roles outside the IT
Shop.
Automatic Specifies whether the account definition is assigned automatically to all

assignment internal employees. The account definition is assigned to every employee
to not marked as external, on saving. New employees automatically obtain
employees this account definition as soon as they are added.
IMPORTANT: Only set this option if you can ensure that all current
internal employees in the database and all pending newly added
internal employees obtain a user account in this target system.
Disable this option to remove automatic assignment of the account

definition to all employees. The account definition cannot be reassigned to

employees from this point on. Existing account definition assignments
remain intact.
Retain Specifies the account definition assignment to permanently disabled

account employees.
definition if
Option set: the account definition assignment remains in effect. The user
permanently
account stays the same.
disabled
Option not set: the account definition assignment is not in effect.The
associated user account is deleted.
Retain Specifies the account definition assignment to temporarily disabled

account employees.
definition if
temporarily
disabled
Retain Specifies the account definition assignment on deferred deletion of

account employees.
definition on
deferred
deletion
Retain Specifies the account definition assignment to employees posing a security

account risk .
definition on
security risk
Resource Resource type for grouping account definitions.

type
Spare field Additional company specific information. Use the Designer to customize
01 - spare display names, formats and templates for the input fields.
field 10
Setting Up Manage Levels

Specify the manage level for an account definition for managing user accounts. The user
account’s manage level specifies the extent of the employee’s properties that are inherited
by the user account. This allows an employee to have several user accounts in one target
system, for example:

l Default user account that inherits all properties from the employee
l Administrative user account that is associated to an employee but should not inherit
the properties from the employee.
The One Identity Manager supplies a default configuration for manage levels:
l Unmanaged
User accounts with a manage level of "Unmanaged" become linked to an employee
but do not inherit any other properties. When a new user account is added with this
manage level and an employee is assigned, some of the employee's properties are
transferred initially. If the employee properties are changed at a later date, the
changes are not passed onto the user account.
l Full managed
User accounts with a manage level of "Full managed" inherit specific properties from
the assigned employee.
NOTE: The manage levels "Full managed" and "Unmanaged" are evaluated in the
templates. You can customize the supplied templates in the Designer.
You can define other manage levels depending on your requirements. You need to
amend the templates to include manage level approaches.
Specify the effect of temporarily or permanently disabling, deleting or the security risk of
an employee on its user accounts and group memberships for each manage level. For more
detailed information about manage levels, see the One Identity Manager Target System
Base Module Administration Guide.
l Employee user accounts can be locked when they are disabled, deleted or rated as a
security risk so that permissions are immediately withdrawn. If the employee is
reinstated at a later date, the user accounts are also reactivated.
l You can also define group membership inheritance. Inheritance can be discontinued
if desired when, for example, the employee’s user accounts are disabled and
therefore cannot be members in groups. During this time, no inheritance processes
should be calculated for this employee. Existing group memberships are deleted!
To assign manage levels to an account definition

2. Select an account definition in the result list.
3. Select Assign manage level in the task view.
4. Assign manage levels in Add assignments.
- OR -
Remove assignments to manage levels in Remove assignments.
IMPORTANT: The manage level "Unmanaged" is assigned automatically when an

account definition is assigned and cannot be removed.

To edit a manage level

Account definitions | Manage levels.
2. Select the manage level in the result list. Select Change master data.
- OR -
3. Edit the manage level's master data.
Related Topics
l Master Data for a Manage Level on page 40
Master Data for a Manage Level

Enter the following data for a manage level.
Table 10: Master Data for a Manage Level
Manage level Name of the manage level.
IT operating data Specifies whether user account data formatted from IT

overwrites operating data is automatically updated. Permitted values are:
Never Data is not updated

always Data is always updated
Only initially Data is only initially determined.
Retain groups if Specifies whether user accounts of temporarily disabled

temporarily disabled employees retain their group memberships.
Lock user accounts if Specifies whether user accounts of temporarily disabled

temporarily disabled employees are locked.
Retain groups if Specifies whether user accounts of permanently disabled

permanently disabled employees retain group memberships.
Lock user accounts if Specifies whether user accounts of permanently disabled

permanently disabled employees are locked.
Retain groups on Specifies whether user accounts of employees marked for

deferred deletion deletion retain their group memberships.

Lock user accounts if Specifies whether user accounts of employees marked for
deletion is deferred deletion are locked.
Retain groups on Specifies whether user accounts of employees posing a security

security risk risk retain their group memberships.
Lock user accounts if Specifies whether user accounts of employees posing a security
security is at risk risk are locked.
Retain groups if user Specifies whether locked user accounts retain their group
account disabled memberships.
Creating a Formatting Rule for IT

Operating Data
An account definition specifies which rules are used to form the IT operating data and
which default values will be used if no IT operating data can be found through the
employee's primary roles.
The following IT operating data is used in the One Identity Manager default
configuration for automatic creating and modifying of user accounts for an employee in
the target system.
l Groups can be inherited

l Identity
l Privileged user account
l Change password the next time you log in
To create a mapping rule for IT operating data

3. Select Edit IT operating data mapping in the task view and enter the
following data.
Table 11: Mapping rule for IT operating data
Column User account property for which the value is set.
Source Specifies which roles to use in order to find the user account properties.
You have the following options:

l Primary department
l Primary location
l Primary cost center
l Primary business roles
NOTE: Only use the primary business role if the Business Ro-
les Module is installed.
l Empty
If you select a role, you must specify a default value and set the
option Always use default value.
Default Default value of the property for an employee's user account if the
value value is not determined dynamically from the IT operating data.
Always Specifies whether user account properties are always filled with the
use default value. IT operating data is not determined dynamically from a
default role.
value
Notify Specifies whether email notification to a defined mailbox is sent when

when the default value is used. Use the mail template "Employee - new user
applying account with default properties created". To change the mail template,
the modify the configuration parameter
standard "TargetSystem\AzureAD\Accounts\MailTemplateDefaultValues" .
Related Topics
l Determining IT Operating Data on page 42
Determining IT Operating Data

In order for an employee to create user accounts with the manage level "Full managed",
the necessary IT operating data must be determined. The operating data required to
automatically supply an employee with IT resources is shown in the departments,
locations, cost centers, and business roles. An employee is assigned to one primary
location, one primary department, one primary cost center or one primary business role.
The necessary IT operating data is ascertained from these assignments and used in
creating the user accounts. Default values are used if valid IT operating data cannot be
found over the primary roles.
You can also specify IT operating data directly for a specific account definition.
Example:

Normally, each employee in department A obtains a default user account in the tenant
A. In addition, certain employees in department A obtain administrative user accounts in
the tenant A.
Create an account definition A for the default user account of the tenant A and an account
definition B for the administrative user account of tenant A. Specify the property
"Department" in the IT operating data formatting rule for the account definitions A and B in
order to determine the valid IT operating data.
Specify the effective IT operating data of department A for the tenant A. This IT operating
data is used for standard user accounts. In addition, specify the effective account
definition B IT operating data for department A. This IT operating data is used for
administrative user accounts.
To specify IT operating data
1. Select the role in the category Organizations or Business roles.

2. Select Edit IT operating data in the task view and enter the following data.
Table 12: IT Operating Data
Organization/Business Department, cost center, location or business role for

role which the IT operating data is valid.
Effects on IT operating data application scope. The IT operating data

can be used for a target system or a defined account defin-
ition.
To specify an application scope

a. Click next to the text box.
b. Select the table under Table, which maps the target
system or the table TSBAccountDef for an account
definition.
c. Select the concrete target system or concrete
account definition under Effects on.
d. Click OK.
Column User account property for which the value is set.

Columns using the script template TSB_ITDataFromOrg in
their template are listed. For more detailed information,
see the One Identity Manager Target System Base Module
Administration Guide.
Value Concrete value which is assigned to the user account

property.

Related Topics
l Creating a Formatting Rule for IT Operating Data on page 41
Modifying IT Operating Data

If IT operating data changes, you must transfer these changes to the existing user
accounts. To do this, templates must be rerun on the affected columns. Before you can run
the templates, you can check what the effect of a change to the IT operating data has on
the existing user accounts. You can decide whether the change is transferred to the
database in the case of each affected column in each affected database.
Prerequisites
l The IT operating data of a department, cost center business roleor a location

was changed.
- OR -
l The default values in the IT operating data template were modified for an account
definition.
NOTE: If the assignment of an employee to a primary department, cost center,

business role or to a primary location changes, the templates are automatically
executed.
To execute the template

3. Select Execute templates in the task view
This displays a list of all user account, which are created through the selected
account definition and whose properties are changed by modifying the IT
operating data.
Old value Current value of the object property.

New Value applied to the object property after modifying the IT operating
value data.
Selection Specifies whether the modification is applied to the user account.
4. Mark all the object properties in the selection column that will be given the
new value.
5. Click Apply.
The templates are applied to all selected user accounts and properties.

Assigning Account Definitions to Employees
Account definitions are assigned to company employees. Indirect assignment is the default
method for assigning account definitions to employees. Account definitions are assigned to
departments, cost centers, locations or roles. The employees are categorized into these
departments, cost centers, locations or roles depending on their function in the company
and thus obtain their account definitions. To react quickly to special requests, you can
assign individual account definitions directly to employees. You can automatically assign
special account definitions to all company employees. It is possible to assign account
definitions to the IT Shop as requestable products. A department manager can then request
user accounts from the Web Portal for his staff. It is also possible to add account definitions
to system roles. These system roles can be assigned to employees through hierarchical
roles or directly or added as products in the IT Shop.
In the One Identity Manager default installation, the processes are checked at the start to
see if the employee already has a user account in the target system that has an account
definition. If no user account exists, a new user account is created with the account
definition’s default manage level.
NOTE: If a user account already exists and is disabled, then it is re-enabled. You
have to alter the user account manage level afterwards in this case.
Prerequisites for indirect assignment of account definitions to

employees
l Assignment of employees and account definitions is permitted for role classes

(department, cost center, location or business role).
For detailed information about preparing role classes to be assigned, see the One Identity
Manager Identity Management Base Module Administration Guide.
l Assigning Account Definitions to Departments, Cost Centers and Locations on page 46

l Assigning Account Definitions to Business Roles on page 46
l Assigning Account Definitions to all Employees on page 47
l Assigning Account Definitions Directly to Employees on page 48
l Assigning Account Definitions to System Roles on page 48
l Adding Account Definitions in the IT Shop on page 49

Assigning Account Definitions to Departments,
Cost Centers and Locations
To add account definitions to hierarchical roles

3. Select Assign organizations.
4. Assign organizations in Add assignments.
l Assign departments on the Departments tab.
l Assign locations on the Locations tab.
l Assign cost centers on the Cost center tab.
- OR -
Remove the organizations from Remove assignments.
Related Topics

Assigning Account Definitions to Business Roles
Installed Modules: Business Roles Module
To add account definitions to hierarchical roles

3. Select Assign business roles in the task view.
4. Assign business roles in Add assignments.
- OR -
Remove business roles in Remove assignments.

Related Topics

Assigning Account Definitions to all Employees

To assign an account definition to all employees

3. Select Change master data in the task view.
4. Set the option Automatic assignment to employees on the General tab.
IMPORTANT: Only set this option if you can ensure that all current internal
employees in the database and all pending newly added internal employees
obtain a user account in this target system.
The account definition is assigned to every employee that is not marked as external. New
employees automatically obtain this account definition as soon as they are added. The
assignment is calculated by the DBQueue Processor.
NOTE: Disable the option Automatic assignment to employees to remove

automatic assignment of the account definition to all employees. The account defin-
ition cannot be reassigned to employees from this point on. Existing assignments
remain intact.
Related Topics


Assigning Account Definitions Directly to
Employees
To assign an account definition directly to employees

3. Select Assign to employees in the task view.
4. Assign employees in Add assignments.
- OR -
Remove employees from Remove assignments.
Related Topics

Assigning Account Definitions to System Roles
Installed Modules: System Roles Module
NOTE: Account definitions with the option Only use in IT Shop can only by assigned
to system roles that also have this option set.
To add account definitions to a system role

3. Select Assign system roles in the task view.
4. Assign system roles in Add assignments.
- OR -
Remove assignments to system roles in Remove assignments.

Related Topics

Adding Account Definitions in the IT Shop

A account definition can be requested by shop customers when it is assigned to an IT Shop
shelf. To ensure it can be requested, further prerequisites need to be guaranteed.
l The account definition must be labeled with the IT Shop option.

l The account definition must be assigned to a service item.
l If the account definition is only assigned to employees using IT Shop assignments,
you must also set the option Only for use in IT Shop. Direct assignment to
hierarchical roles may not be possible.
NOTE: IT Shop administrators can assign account definitions to IT Shop shelves if

login is role-based. Target system administrators are not authorized to add account
definitions in the IT Shop.
To add an account definition to the IT Shop

Account definitions (non role-based login).
- OR -
Select the category Entitlements | Account definitions (role-based login).
3. Select Add to IT Shop in the task view.
4. Assign the account definition to the IT Shop shelf in Add assignments
To remove an account definition from individual IT Shop shelves

- OR -

4. Remove the account definition from the IT Shop shelves in Remove assignments.
To remove an account definition from all IT Shop shelves

- OR -
3. Select Remove from all shelves (IT Shop) in the task view.
5. Click OK.
The account definition is removed from all shelves by the One Identity Manager
Service. All requests and assignment requests with this account definition are
canceled in the process.
For more detailed information about request from company resources through the IT Shop,
see the One Identity Manager IT Shop Administration Guide.
Related Topics
l Master Data for an Account Definition on page 36

Assigning Account Definitions to a Target

System
The following prerequisites must be fulfilled if you implement automatic assignment of
user accounts and employees resulting in administered user accounts (state "Linked
configured"):
l The account definition is assigned to the target system.

l The account definition has the default manage level.
User accounts are only linked to the employee (state "Linked") if no account definition is
given. This is the case on initial synchronization, for example.

To assign the account definition to a target system
1. Select the tenant in the category Azure Active Directory | Tenants.

3. Select the account definition for user accounts from Account definition (initial).

on page 94
Deleting an Account Definition

You can delete account definitions if they are not assigned to target systems, employees,
hierarchical roles or any other account definitions.
NOTE: If an account definition is deleted, the user accounts arising from this account
definition are deleted.
To delete an account definition
1. Remove automatic assignments of the account definition from all employees.

a. Select the category Azure Active Directory | Basic configuration data |
b. Select an account definition in the result list.
c. Select Change master data in the task view.
d. Disable the option Automatic assignment to employees on the General tab.
e. Save the changes.
2. Remove direct assignments of the account definition to employees.
c. Select Assign to employees in the task view.
d. Remove employees from Remove assignments.
3. Remove the account definition's assignments to departments, cost centers and
locations.

c. Select Assign organizations.
d. Remove the account definition's assignments to departments, cost centers and
locations in Remove assignments.
4. Remove the account definition's assignments to business roles.
c. Select Assign business roles in the task view.
Remove business roles from Remove assignments.
d. Save the changes.
5. If the account definition was requested through the IT Shop, it must be canceled and
removed from all IT Shop shelves. For more detailed information, see the .One
Identity Manager IT Shop Administration Guide
6. Remove the account definition assignment as required account definition for another
account definition. As long as the account definition is required for another account
definition, it cannot be deleted. Check all the account definitions.
d. Remove the account definition from the Required account definition menu.
7. Remove the account definition's assignments to target systems.
a. Select the tenant in the category Azure Active Directory | Tenants.
b. Select Change master data in the task view.
c. Remove the assigned account definitions on the General tab.
d. Save the changes.
8. Delete the account definition.
c. Click , to delete the account definition.

Password Policies
One Identity Manager provides you with support for creating complex password policies,
for example, for system user passwords, the employees' central password as well as
passwords for individual target systems. Password polices apply not only when the user
enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can user or
customize if required. You can also define your own password policies.
l Predefined Password Policies on page 53

l Editing Password Policies on page 54
l Custom Scripts for Password Requirements on page 57
l Restricted Passwords on page 59
l Testing a Password on page 60
l Testing Generating a Password on page 60
l Assigning a Password Policy on page 60
Predefined Password Policies

You can customize predefined password policies to meet your own requirements, if
necessary.
Password for logging into One Identity Manager
The password policy "One Identity Manager password policy" is used for logging into One
Identity Manager. This password policy defined the settings for the system user passwords
(DialogUser.Password and Person.DialogUserPassword) as well as the access code for a one
off log in on the Web Portal (Person.Passcode).
The password policy "One Identity Manager password policy" is also labeled as the default
and is used when no other password policy is found.
Password policy for forming employees' central passwords
An employee's central password is formed from the target system specific user accounts
by respective configuration. The password policy "Employee central password policy"
defines the settings for the central password (Person.CentralPassword).
IMPORTANT: Ensure that the password policy "Employee central password policy"
does not violate the target system specific password requirements.

Password policies for target systems
A predefined password that you can apply to the user account password columns, is
provided for every target system.
NOTE: When you update One Identity Manager version 7.x to One Identity Manager
version 8.0, the configuration parameter settings for forming passwords are passed
on to the target system specific password policies.
IMPORTANT: If you are not working with target system specific password policies,
the default policy applies. In this case, ensure that the password policy "One Identity
Manager password policy" does not violate the target system requirements.
The password policy "Azure Active Directory password policy" is predefined for Azure
Active Directory. You can apply this password policy to Azure Active Directory user
accounts (AADUser.Password) of an Azure Active Directory tenant.
If the tenants' password requirements differ, it is recommended that you set up your own
password policies for each tenant.
Editing Password Policies

To edit a password policy
1. Select the category Manager | Basic configuration data | Password policies

in the Azure Active Directory.
2. Select the password policy in the result list and select Change master data in
the task view.
- OR -
3. Edit the password policy's master data.
l General Master Data for a Password Policy on page 54

l Policy Settings on page 55
l Character Sets for Passwords on page 56
l Custom Scripts for Password Requirements on page 57
General Master Data for a Password Policy

Enter the following master data for a password policy.

Table 13: Master Data for a Password Policy
Property Meaning
Display name Password policy name. Translate the given text using the
button.
Description Spare text box for additional explanation. Translate the given
text using the button.
Error Message Custom error message outputted if the policy is not fulfilled.
Translate the given text using the button.
Owner (Application Role) Application roles whose members can configure the password
policies.
Default policy Mark as default policy for passwords.
NOTE: The password policy "One Identity Manager

password policy" is marked as the default policy. This
password policy is applied if no other password policies
can be found.
Policy Settings
Define the following settings for a password policy on the Password tab.
Table 14: Policy Settings
Property Meaning
Initial password Initial password for new user accounts. If no password is

given when the user account is added or a random password
is generated, the initial password is used.
Password confirmation Reconfirm password.
Min. Length Minimum length of the password. Specify the number of

characters a password must have.
Max. length Maximum length of the password. Specify the number of

characters a password can have.
Max. errors Maximum number of errors. Set the number of invalid

passwords. If the user has reached this number the user
account is blocked.
Validity period Maximum age of the password. Enter the length of time a
password can be used before it expires.
Password history Enter the number of passwords to be saved. If the value '5' is
entered, for example, the last 5 passwords of the user are

Property Meaning
saved.
Min. password strength Specifies how secure the password must be. The higher the
password strength, the more secure it is. The password
strength is not tested if the value is '0'. The values '1', '2', '3'
and '4' gauge the required complexity of the password. The
value '1' demands the least complex password. The value '4'
demands the highest complexity.
Name properties denied Specifies whether name properties are permitted in the
password.
Character Sets for Passwords

Use the Character classes tab to specify which characters are permitted for a password.
Table 15: Character Classes for Passwords
Property Meaning
Min. letters Specifies the minimum number of alphabetical characters

the password must contain.
Min. number lower case Specifies the minimum number of lowercase letters the
password must contain.
Min. number uppercase Specifies the minimum number of uppercase letters the
password must contain.
Min. number digits Specifies the minimum number of digits the password must
contain.
Min. number special Specifies the minimum number of special characters the
characters password must contain.
Permitted special List of permitted characters.

characters
Denied special characters List of characters, which are not permitted.
Max. identical characters Maximum number of identical characters that can be

in total present in the password in total.
Max. identical characters Maximum number of identical character that can be

in succession repeated after each other.

Custom Scripts for Password Requirements
You can implement custom scripts for testing and generating password if the password
requirements cannot be mapped with the existing settings options. Scripts are applied in
addition to the other settings.
l Script for Checking a Password on page 57

l Script for Generating a Password on page 58
Script for Checking a Password

You can implement a check script if additional policies need to be used for checking a
password, which cannot be mapped with the available settings.
Syntax for Check Scripts

Public Sub CCC_CustomPwdValidate( policy As VI.DB.Passwords.PasswordPolicy, spwd As
System.Security.SecureString)
With parameters:
policy = password policy object
spwd = password to test
TIP: To use a base object, take the property Entity of the PasswordPolicy class.
Example for a script for testing a password
A password cannot have '?' or '!' at the beginning. The script checks a given password
for validity.
Public Sub CCC_PwdValidate( policy As VI.DB.Passwords.PasswordPolicy, spwd As
Dim pwd = spwd.ToInsecureArray()
If pwd.Length>0
If pwd(0)="?" Or pwd(0)="!"
Throw New Exception(#LD("Password can't start with '?' or '!'")#)
End If
End If
If pwd.Length>2
If pwd(0) = pwd(1) AndAlso pwd(1) = pwd(2)

Throw New Exception(#LD("Invalid character sequence in password")#)
End If
End If
End Sub
To use a custom script for checking a password
1. Create your script in the category Script Library in the Designer.

2. Edit the password policy.
a. Select the category Manager | Basic configuration data | Password
policies in the Azure Active Directory.
b. Select the password policy in the result list.
d. Enter the name of the script to test the password in Check script on the
Scripts tab.
Related Topics
l Script for Generating a Password on page 58
Script for Generating a Password

You can implement a generating script if additional policies need to be used for generating
a random password, which cannot be mapped with the available settings.
Syntax for Generating Script

Public Sub CCC_PwdGenerate( policy As VI.DB.Passwords.PasswordPolicy, spwd As
With parameters:
policy = password policy object
spwd = generated password
TIP: To use a base object, take the property Entity of the PasswordPolicy class.
Example for a script to generate a password
The script replaces the invalid characters '?' and '!' in random passwords.
Public Sub CCC_PwdGenerate( policy As VI.DB.Passwords.PasswordPolicy, spwd As
Dim pwd = spwd.ToInsecureArray()

' replace invalid characters at first position
If pwd.Length>0
If pwd(0)="?" Or pwd(0)="!"
spwd.SetAt(0, CChar("_"))
End If
End If
End Sub
To use a custom script for generating a password
1. Create your script in the category Script Library in the Designer.

2. Edit the password policy.
a. Select the category Manager | Basic configuration data | Password
policies in the Azure Active Directory.
b. Select the password policy in the result list.
d. Enter the name of the script to generate a password in Generation script on
the Scripts tab.
Related Topics
l Script for Checking a Password on page 57
Restricted Passwords
You can add words to a list of restricted terms to prohibit them from being used in
passwords.
NOTE: The restricted list applies globally to all password policies.
To add a term to the restricted list
1. Select the category Base Data | Security Settings | Restricted passwords in

the Designer.
2. Create a new entry with the menu item Object | New an enter the term to excluded
to the list.

Testing a Password
When you test a password, all the password policy settings, custom scripts and the
restricted passwords are taken into account.
To test whether a password conforms to the password policy

2. Select the password policy in the result list.
4. Select the Test tab.
5. Select the table and object to be tested in Base object for test.
6. Enter a password in Enter password to test.
A display next to the password shows whether it is valid or not.
Testing Generating a Password

When you generate a password, all the password policy settings, custom scripts and the
restricted passwords are taken into account.
To generate a password that conforms to the password policy

4. Select the Test tab.
5. Click Generate.
This generates and displays a password.
Assigning a Password Policy

The password policy "Azure Active Directory password policy" is predefined for Azure
Active Directory. You can apply this password policy to Azure Active Directory user
accounts (AADUser.Password) of an Azure Active Directory tenant.
If the tenants' password requirements differ, it is recommended that you set up your own
password policies for each tenant.

IMPORTANT: If you are not working with target system specific password policies,
the default policy applies. In this case, ensure that the password policy "One Identity
Manager password policy" does not violate the target system requirements.
To reassign a password policy

3. Select Assign objects in the task view.
4. Click Add in the Assignments section and enter the following data.
Table 16: Assigning a Password Policy
Apply to Application scope of the password policy.
To specify an application scope

a. Click next to the text box.
b. Select the table which contains the password column
under Table.
c. Select the specific target system under Apply to.
d. Click OK.
Password The password column's identifier.

column
Password policy The identifier of the password policy to be used.
To change a password policy's assignment

3. Select Assign objects in the task view.
4. Select the assignment you want to change in Assignments.
5. Select the new password policy to apply from the Password Policies menu.

Initial Password for New Azure Active
Directory User Accounts
Table 17: Configuration Parameters for Formatting Initial Passwords for User
Accounts
Configuration parameter Meaning
QER\Person\UseCentralPassword This configuration parameter

specifies whether the employee's
central password is used in the user
accounts. The employee’s central
password is automatically mapped to
the employee’s user account in all
permitted target systems. This
excludes privileged user accounts,
which are not updated.
QER\Person\UseCentralPassword\PermanentStore This configuration parameter

controls the storage period for
central passwords. If the parameter
is set, the employee’s central
password is permanently stored. If
the parameter is not set, the central
password is only used for publishing
to existing target system specific
user accounts and is subsequently
deleted from the One Identity
Manager database.
TargetSystem\AzureAD\Accounts\ This configuration parameter

InitialRandomPassword specifies whether a random
generated password is issued when a
new user account is added. The
password must contain at least those
character sets that are defined in the
password policy.
You have the following possible options for issuing an initial password for a new Azure
Active Directory user account.
1. User the employee's central password. The employee’s central password is mapped
to the user account password.
l Set the configuration parameter "QER\Person\UseCentralPassword" in the
Designer.
If the configuration parameter "QER\Person\UseCentralPassword" is set, the
employee's central password is automatically mapped to an employee's user

account in each of the target systems. This excludes privileged user accounts,
which are not updated.
l Use the configuration parameter
"QER\Person\UseCentralPassword\PermanentStore" in the Designer to specify
whether an employee’s central password is permanently saved in the One
Identity Manager database or only until the password has been published in the
target system.
The password policy "Employee central password policy" is used to format the
central password.
IMPORTANT: Ensure that the password policy "Employee central password

policy" does not violate the target system specific password requirements.
2. Create user accounts manually and enter a password in their master data.
3. Specify an initial password to be used when user accounts are created automatically.
l Apply the target system specific password policies and enter an initial
password in the password policies.
4. Assign a randomly generated initial password to enter when you create user
accounts.
l Set the configuration parameter
"TargetSystem\AzureAD\Accounts\InitialRandomPassword" in the Designer.
l Apply target system specific password policies and define the character sets
that the password must contain.
l Specify which employee will receive the initial password by email.
Related Topics
l Password Policies on page 53

l Email Notifications about Login Data on page 63
Email Notifications about Login Data

Table 18: Configuration Parameters for Notifications about Login Data
TargetSystem\ This configuration parameter specifies to which

AzureAD\Accounts\ employee the email with the random generated
InitialRandomPassword\SendTo password should be sent (manager cost
center/department/location/business role, employee’s
manager or XUserInserted). If no recipient can be
found, the password is sent to the address stored in
the configuration parameter

"TargetSystem\AzureAD\DefaultAddress".
TargetSystem\ This configuration parameter contains the name of the

AzureAD\Accounts\ mail template sent to inform users about their initial
InitialRandomPassword\SendTo\ login data (name of the user account). Use the mail
MailTemplateAccountName template "Employee - new account created".
TargetSystem\ This configuration parameter contains the name of the

AzureAD\Accounts\ mail template sent to inform users about their initial
InitialRandomPassword\SendTo\ login data (initial password). Use the mail template
MailTemplatePassword "Employee - initial password for new user account".
TargetSystem\ The configuration parameter contains the recipient's

AzureAD\DefaultAddress default email address for sending notifications about
actions in the target system.
You can configure the login information for new user accounts to be sent by email to a
specified person. In this case, two messages are sent with the user name and the initial
password. Mail templates are used to generate the messages. The mail text in a mail
template is defined in several languages, which means the recipient’s language can be
taken into account when the email is generated. Mail templates are supplied in the default
installation with which you can configure the notification procedure.
To use email notifications about login data
1. Ensure that the email notification system is configured in One Identity Manager. For
more detailed information, see the .One Identity Manager Configuration Guide
2. Enable the configuration parameter "Common\MailNotification\DefaultSender" in the
Designer and enter the email address for sending the notification.
3. Ensure that all employees have a default email address. Notifications are sent to this
address. For more detailed information, see the .One Identity Manager Identity
Management Base Module Administration Guide
4. Ensure that a language culture can be determined for all employees. Only then can
they receive email notifications in their own language. For more detailed
information, see the .One Identity Manager Identity Management Base Module
Administration Guide
When a randomly generated password is issued for the new user account, the initial login
data for a user account is sent by email to a previously specified person.
To send initial login data by email
1. Set the configuration parameter

"TargetSystem\AzureAD\Accounts\InitialRandomPassword" in the Designer.
"TargetSystem\AzureAD\Accounts\InitialRandomPassword\SendTo" in the Designer
and enter the message recipient as the value.

"TargetSystem\
AzureAD\Accounts\InitialRandomPassword\SendTo\MailTemplateAccountName" in
the Designer.
By default, the message sent uses the mail template "Employee - new account
created". The message contains the name of the user account.
4. Set the confiugration parameter
"TargetSystem\
AzureAD\Accounts\InitialRandomPassword\SendTo\MailTemplatePassword" in the
Designer.
By default, the message sent uses the mail template "Employee - initial password for
new user account". The message contains the initial password for the user account.
TIP: Change the value of the configuration parameter in order to use custom mail
templates for these mails.
Target System Managers

For more detailed information about implementing and editing application roles, see the
One Identity Manager Application Roles Administration Guide.
Implementing Application Roles for Target System Managers
1. The One Identity Manager administrator assigns employees to be target

system managers.
2. These target system managers add employees to the default application role for
target system managers.
The default application role target system managers are entitled to edit all tenants in
3. Target system managers can authorize more employees as target system managers,
within their scope of responsibilities and create other child application roles and
assign individual tenants.
Table 19: Default Application Roles for Target System Managers
User Task
Target Target system managers must be assigned to the application role Target
System systems | Azure Active Directory or a sub application role.
Managers
l Assume administrative tasks for the target system.

l Create, change or delete target system objects, like user accounts

User Task
or groups.
l Edit password policies for the target system.
l Prepare groups for adding to the IT Shop.
l Configure synchronization in the Synchronization Editor and defines
the mapping for comparing target systems and One Identity
Manager.
l Edit the synchronization's target system types and outstanding
objects.
l Authorize other employees within their area of responsibility as
target system managers and create child application roles if
required.
To initially specify employees to be target system administrators
1. Log in to the Manager as One Identity Manager administrator (application role Base
role | Administrators)
2. Select the category One Identity Manager Administration | Target systems |
Administrators.
3. Select Assign employees in the task view.
4. Assign the employee you want and save the changes.
To add the first employees to the default application as target system

managers.
1. Log yourself into the Manager as target system administrator (application role
Target systems | Administrator).
2. Select the category One Identity Manager Administration | Target systems |
Azure Active Directory.
4. Assign the employees you want and save the changes.
To authorize other employees as target system managers when you are a

target system manager
1. Login to the Manager as target system manager.

2. Select the application role in the category Azure Active Directory | Basic
configuration data | Target system managers.
4. Assign the employees you want and save the changes.

To define target system managers for individual tenants.
1. Login to the Manager as target system manager.

2. Select the category Azure Active Directory | Tenants.
3. Select the tenant from the result list.
5. Select the application role on the General tab in the Target system
manager menu.
- OR -
Click next to the Target system manager menu to create a new application role.
l Enter the application role name and assign the parent application role Target
system | Azure Active Directory.
l Click OK to add the new application role.
7. Assign the application role to employees, who are authorized to edit the tenant in
Related Topics
l One Identity Manager Users for Managing an Azure Active Directory System
on page 9
l Azure Active Directory Tenant on page 73
Editing a Server
Servers must know your server functionality in order to handle Azure Active Directory
specific processes in One Identity Manager. For example, the synchronization server.
You have several options for defining a server's functionality:
l Create an entry for the Job server in the category Base Data | Installation | Job
server in the Designer. For detailed information, see the One Identity Manager
Configuration Guide.
l Select an entry for the Job server in the category Manager | Basic configuration
data | Server in the Azure Active Directory and edit the Job server master data.
Use this task if the Job server has already been declared in One Identity Manager and
you want to configure special functions for the Job server.
NOTE: One Identity Manager Service must be installed, configured and started in
order for a server to execute its function in the One Identity Manager network.
Proceed as follows in the One Identity Manager Installation Guide.

To edit a Job server and its functions

Server in the Manager.
2. Select the Job server entry in the result list.
4. Edit the Job server's master data.
5. Select Assign server functions in the task view and specify server functionality.
l Master Data for a Job Server on page 68

l Specifying Server Functions on page 70
Master Data for a Job Server
NOTE: All editing options are available to you in the Designer, in the category Base
Data | Installation | Job server.
Table 20: Job Server Properties
Property Meaning
Server Job server name.
Full Full server name in accordance with DNS syntax.

server Example:
name
<Name of servers>.<Fully qualified domain name>
Target Computer account target system.

System
Language Language of the server.

culture
Server is Specifies whether the server maps a cluster.

cluster
Server Cluster to which the server belongs.

belongs
to cluster NOTE: The properties Server is cluster and Server belongs to
cluster are mutually exclusive.
IP Internet protocol version 6 (IPv6) server address.

address

Property Meaning
(IPv6)
IP Internet protocol version 4 (IPv4) server address.

address
(IPv4)
Copy Permitted copying methods that can be used when this server is the source of
process a copy action. Only the methods "Robocopy" and "Rsync" are currently
(source supported.
server) If no method is given, the One Identity Manager Service determines the
operating system of the server during runtime. Replication then takes place
between servers with a Windows operating system using "Robocopy" and
between servers with the Linux operating system using "rsync". If the
operating systems of the source and destination servers differ, it is important
that the right copy method is applied for successful replication. A copy
method is chosen that supports both servers.
Copy Permitted copying methods that can be used when this server is the destin-
process ation of a copy action.
(target
server)
Coding Character set coding that is used to write files to the server.
Parent Name of the parent Job server.

Job
server
Executing Name of the executing server. The name of the server that exists physically
server and where the processes are handled.
This input is evaluated when One Identity Manager Service is automatically
updated. If the server is handling several queues the process steps are not
supplied until all the queues that are being processed on the same server
have completed their automatic update.
Queue Name of the queue to handle the process steps. Each One Identity Manager
Service within the network must have a unique queue identifier. The process
steps are requested by the job queue using exactly this queue name. The
queue identifier is entered in the One Identity Manager Service configuration
file.
Server Operating system of the server. This input is required to resolve the path
operating name for replicating software profiles. Permitted values are "Win32",
system "Windows", "Linux" and "Unix". If the input is empty, "Win32" is assumed.
Service One Identity Manager Service user account information. In order to replicate
account between non-trusted systems (non-trusted domains, Linux server) the One
data Identity Manager Service user information has to be declared for the servers
in the database. This means that the service account, the service account

Property Meaning
domain and the service account password have to be entered for the server.
One Specifies whether a One Identity Manager Service is installed on this server.
Identity This option is enabled by the procedure QBM_PJobQueueLoad the moment the
Manager queue is called for the first time.
Service The option is not automatically removed. If necessary, you can reset this
installed option manually for servers whose queue is no longer enabled.
Stop One Specifies whether the One Identity Manager Service has stopped. If this
Identity option is set for the Job server, the One Identity Manager Service does not
Manager process any more tasks.
Service You can make the service start and stop with the appropriate administrative
permissions in program "Job Queue Info".
No Specifies whether to exclude the server from automatic software updating.

automatic
software NOTE: Servers must be manually updated if this option is set.
update
Software Specifies whether a software update is currently being executed.

update
running
Server Server functionality in One Identity Manager. One Identity Manager

Function processes are handled depending on the server function.
Related Topics
l Specifying Server Functions on page 70
Specifying Server Functions
NOTE: All editing options are available to you in the Designer, in the category Base
Data | Installation | Job server.
The server function defines the functionality of a server in One Identity Manager. One
Identity Manager processes are handled depending on the server function.
NOTE: More server functions may be available depending on which modules are
installed.

Table 21: Permitted Server Functions
Server Remark
Function
Azure Active Server on which the Azure Active Directory connector is installed. This
Directory server executes synchronization with the target system Azure Active
connector (via Directory.
Microsoft
Graph)
CSV connector Server on which the CSV connector for synchronization is installed.
Domain The Active Directory domain controller. Servers that are not labeled as
controller domain controller are considered to be member servers.
Printer server Server which acts as a print server.
Generic server Server for generic synchronization with a custom target system.
Home server Server for adding home directories for user accounts.
Update Server This server executes automatic software updating of all other servers.
The server requires a direct connection to the database server that the
One Identity Manager database is installed on. The server can execute
SQL tasks.
The server with the installed One Identity Manager database, is labeled
with this functionality during initial installation of the schema.
SQL processing This server can process SQL tasks. Several SQL processing servers can
server be set up to spread the load of SQL processes. The system distributes
the generated SQL processes throughout all the Job servers with this
server function.
Native database The server can connect to an ADO.Net database.

connector
One Identity Server on which the One Identity Manager connector is installed. This
Manager server executes synchronization with the target system One Identity
database Manager.
connector
One Identity Server on which a One Identity Manager Service is installed.

Manager
Service
installed
Primary domain Primary domain controller.

controller
Profile Server Server for setting up profile directories for user accounts.
SAM Server for running synchronization with an SMB-based target system.

Server Remark
Function
synchronization
Server
SMTP host Server from which the One Identity Manager Service sends email
notifications. Prerequisite for sending mails using the One Identity
Manager Service is SMTP host configuration.
Default report Server on which reports are generated.

server
Windows The server can run Windows PowerShell version 3.0 or later.
PowerShell
connector
Related Topics
l Master Data for a Job Server on page 68

4
Azure Active Directory Core

Directories
For more detailed information about the Azure Active Directory structure, see the Azure
Active Directory documentation from Microsoft.
You must provide details about for organization the first time you register for a Microsoft
cloud service. This detailed information is used to make a new Azure Active Directory
directory partition. The organization represents one Azure Active Directory tenant. You can
edit the master data of each tenant in the One Identity Manager. You cannot create new
tenants in the One Identity Manager.
A base domain is linked to the core directory in the cloud. You can also add other user
defined domains in Azure Active Directory, which you can then allocate to Microsoft cloud
services. One Identity Manager only loads verified domain data into the database. It is not
possible to edit data in One Identity Manager.
l Azure Active Directory Tenant on page 73

l Azure Active Directory Domains on page 77
Azure Active Directory Tenant

You must provide details about for organization the first time you register for a Microsoft
cloud service. This detailed information is used to make a new Azure Active Directory
directory partition. The organization represents one Azure Active Directory tenant. You can
edit the master data of each tenant in the One Identity Manager. You cannot create new
tenants in the One Identity Manager.
To edit Azure Active Directory tenant master data


Azure Active Directory Core Directories
4. Edit the tenant's master data.
l General Master Data for a Azure Active Directory Tenant on page 74

l Local Active Directory Data on page 76
l Specifying Categories for Inheriting Permissions on page 76
General Master Data for a Azure Active

Directory Tenant
Enter the following data on the General tab:
Table 22: Tenant Master Data
Display The tenant’s display name.

name
Account Initial account definition for creating user accounts. This account
definition definition is used if automatic assignment of employees to user accounts
(initial) is used for this tenant and user accounts should be created which are
already managed (state "linked configured"). The account definition's
default manage level is applied.
User accounts are only linked to the employee (state "Linked") if no
account definition is given. This is the case on initial synchronization, for
example.
Target Application role in which target system managers are specified for the
System tenant. Target system managers only edit tenant objects that are
Managers assigned to them. Each tenant can have a different target system
manager assigned to it.
Select the One Identity Manager application role whose members are
responsible for administration of this tenant. Use the button to add a
new application role.
Location The tenant's location.
Street Street or road.
Town City.
Zip code Zip code.

Country Country.
Synchronized NOTE: You can only specify the synchronization type when adding a
by new tenant. No changes can be made after saving.
Use "One Identity Manager" when you create a tenant with the
Synchronization Editor.
Type of synchronization through which the data is synchronized between

the tenant and One Identity Manager.
Table 23: Permitted Values
Value Synchronization by Provisioned by
One Identity Azure Active Directory Azure Active Directory

Manager connector connector
No none none
synchronization
NOTE: If you select "No synchronization" you can define custom

processes to exchange data between One Identity Manager and the
target system.
Recipients List of recipients of marketing notifications.

(marketing
notifications)
Recipient List of recipients of technical notifications.

(technical
notifications)
Recipients List of recipients of security notifications.

(security
notifications)
Phone Phone numbers for security notifications.

numbers
(security
notifications)
Related Topics

on page 94
l Target System Managers on page 65

Local Active Directory Data
The Linked tab shows information about the local Active Directory, which is linked to the
Azure Active Directory tenant.
Table 24: Local Active Directory User Account Data
Synchronization with local Specifies whether synchronization with a local Active

Active Directory enabled Directory is enabled.
Last synchronization Time of the last Azure Active Directory tenant

synchronization with the local Active Directory.
Specifying Categories for Inheriting

Permissions
In One Identity Manager, groups, administrative roles, subscriptions and disabled service
plans can be selectively inherited by user accounts. For this, groups(administrative roles,
subscriptions and disabled service plans) and user accounts are divided into categories.
The categories can be freely selected and are specified by a template. Each category is
given a specific position within the template. The mapping rule contains different tables.
Use the user account table to specify categories for target system dependent user
accounts. Enter your categories for the structural profiles, administrative roles,
subscriptions and disabled service plans in the other tables. Each table contains the
category items "Position1" to "Position31".
To define a category

4. Switch to the Mapping rule category tab.
5. Expand the respective base node of a table.
6. Click to enable category.
7. Enter a name for the user account and group categories (administration roles,
subscriptions, disabled service plans) in the current language.

Related Topics
l Azure Active Directory Group Inheritance Based on Categories on page 114

l Azure Active Directory Administrator Role Inheritance Based on Categories on
page 126
l Inheriting Azure Active Directory Subscriptions based on Categories on page 137
l Inheritance of Disabled Azure Active Directory Service Plans Based on
Categories on page 146
How to Edit a Synchronization Project

Synchronization projects, in which a tenant is already used as a base object, can also be
opened using the Manager. You can, for example, check the configuration or view the
synchronization log in this mode. The Synchronization Editor is not started with its full
functionality. You cannot run certain functions, such as, running synchronization or
simulation, starting the target system browser and others.
NOTE: The Manager is locked for editing throughout. To edit objects in the Manager,
close the Synchronization Editor.
To open an existing synchronization project in the Synchronization Editor

2. Select the tenant from the result list. Select Change master data in the task view.
3. Select Edit synchronization project... from the task view.
Related Topics
Azure Active Directory Domains

A base domain is linked to the core directory in the cloud. You can also add other user
defined domains in Azure Active Directory, which you can then allocate to Microsoft cloud
services. One Identity Manager only loads verified domain data into the database. It is not
possible to edit data in One Identity Manager.
To obtain an overview of a domain
1. Select the category Azure Active Directory | Verified domains.

2. Select the domain in the result list.

3. Select Azure Active Directory domain overview in the task view.
Table 25: Domain Master Data
Domain Full name of the domain.

name
Tenant Tenant entered for this domain.
Type Domain type.
Primary Specifies whether this is the primary domain for created new user
domain accounts, for example.
Initial Specifies whether this is the initial domain. The initial domain is create
domain when a tenant is registered in Azure Active Directory.
Available List of service available in this domain.

services

5
Azure Active Directory User

Accounts
You manage user account in One Identity Manager with Azure Active Directory. The user
requires a subscription to access a service plan in Azure Active Directory. User accounts
obtain the required access rights to the resources through membership in groups.
l Linking User Accounts to Employees on page 79

l Supported User Account Types on page 80
l Entering Master Data for Azure Active Directory User Accounts on page 84
Linking User Accounts to Employees

The central component of the One Identity Manager is to map employees and their master
data with permissions through which they have control over different target systems. For
this purpose, information about user accounts and permissions can be read from the target
system into the One Identity Manager database and linked to employees. This gives an
overview of the permissions for each employees in all of the connected target systems.
One Identity Manager provides the possibility to manage user accounts and their
permissions. You can provision modifications in the target systems. Employees are
supplied with the necessary permissions in the connected target systems according to their
function in the company. Regular synchronization keeps data consistent between target
systems and the One Identity Manager database.
Because requirements vary between companies, the One Identity Manager offers different
methods for supplying user accounts to employees. One Identity Manager supports the
following method for linking employees and their user accounts.
l Employees and user accounts can be entered manually and assigned to each other.
l Employees can automatically obtain their account definitions using user account
resources. If an employee does not have a user account in a tenant, a new user

Azure Active Directory User Accounts
account is created. This is done by assigning account definitions to an employee
using the integrated inheritance mechanism followed by process handling.
When you manage account definitions through user accounts, you can specify the
way user accounts behave when employees are enabled or deleted.
NOTE: If employees obtain their user accounts through account definitions,

they have to have a central user account and obtain their company IT data
through assignment to a primary department, primary location or a primary
cost center.
l An existing employee is automatically assigned when a user account is added or a

new employee is created if necessary. In this case, employee master data is created
on the basis of the existing user account master data. This mechanism can be
implemented if a new user account is created manually or by synchronization. This
method, however, is not the One Identity Manager default method. Define criteria for
finding employees for automatic employee assignment.
Related Topics
on page 94
l For more detailed information about handling and administration of employees and
user accounts, see the One Identity Manager Target System Base Module
Supported User Account Types

Different types of user accounts, such as default user accounts, administrative user
accounts or service accounts, can be mapped in One Identity Manager.
The following properties are used for mapping different user account types.
l Identity (column IdentityType)

The identity describes the type of user account.
Table 26: Identities of User Accounts
Identity Description Value of the

column
"IdentityType"
Primary Employee's default user account. Primary

Identity Description Value of the
column
"IdentityType"
identity
Organizational Secondary user account used for various roles Organizational

identity within the organization, f. ex. In sub-agree-
ments with other functional areas.
Personalized User account with administration rights used by Admin

admin identity one person.
Sponsored User account used for example for training Sponsored

identity purposes.
Shared User account with administration rights used by Shared

identity several people.
Service Service account. Service

identity
l Privileged user account (column IsPrivilegedAccount)

Use this option to flag user accounts with special, privileged permissions. This
includes administrative user accounts or service accounts, for example. This option
is not used to flag default user accounts.
Default User Accounts
Normally, each employee obtains a default user account, which has the permissions they
require for their regular work. The user accounts are linked to the employee. The effect of
the link and the scope of the employee’s inherited properties on the user accounts can be
configured through an account definition and its manage levels.
To create default user accounts through account definitions
1. Create an account definition and assign the manage level "Unmanaged" or "Full
managed" to it.
2. Specify the effect of temporarily or permanently disabling, deleting or the
security risk of an employee on its user accounts and group memberships for
each manage level.
3. Create a formatting rule for IT operating data.
An account definition specifies which rules are used to generate the IT operating data
for example, whether the container for a user account is made up of the employee's
department, cost center, location or business role and which default values will be
used if no IT operating data can be found through the employee's primary roles.
Which IT operating data is required, depends on the target system. The following
setting are recommended for default user accounts:

l Use the default value "1" in the formatting rule for the column IsGroupAccount
and set the option Always use default value.
l Use the default value "primary" in the formatting rule for the column
IdentityType and set the option Always use default value.
4. Enter the effective IT operating data for the target system. Select the concrete target
system under Effects on.
Specify in the departments, cost centers, locations or business roles, which IT
operating data should apply when you set up a user account.
5. Assign the account definition to employees.
When the account definition is assigned to an employee, a new user account is
created through the inheritance mechanism and subsequent processing.
Administrative User Accounts
An administrative user account must be used for certain administrative tasks.

Administrative user accounts are normally predefined in the target system and have fixed
identifiers and login names, for example, "Administrator".
Administrative user accounts are loaded through synchronization into the One Identity
Manager. To assign a manager to administrative user accounts, assign an employee to the
user account in One Identity Manager.
NOTE: You can automatically label administrative user accounts as privileged user
accounts. To do this, set the schedule "Mark selected user accounts as privileged" in
the Designer.
Privileged User Accounts
Privileged user accounts are used to provide employees with additional privileges. This
includes administrative user accounts or service accounts, for example. The user accounts
are marked with the property Privileged user account (IsPrivilegedAccount).
NOTE: The criteria used to label user accounts automatically as privileged, are
defined as extensions to the view definition (ViewAddOn) on the table
TSBVAccountIsPrivDetectRule (table type "Union"). The evaluation is done in the script
TSB_SetIsPrivilegedAccount.
To create privileged users through account definitions
1. Create an account definition. Create a new manage level for privileged user accounts
and assign this manage level to the account definition.
2. If you want to prevent properties for privileged user accounts being overwritten, set
the property IT operating data overwrites for the manage level, to the value
"Only initially". In this case, the properties are populated just once when the user
accounts is created.

3. Specify the effect of temporarily or permanently disabling, deleting or the
security risk of an employee on its user accounts and group memberships for
each manage level.
4. Create a formatting rule for IT operating data.
An account definition specifies which rules are used to generate the IT operating data
for example, whether the container for a user account is made up of the employee's
department, cost center, location or business role and which default values will be
used if no IT operating data can be found through the employee's primary roles.
Which IT operating data is required, depends on the target system. The following
settings are recommended for privileged user accounts:
l Use the default value "1" in the formatting rule for the column
IsPrivilegedAccount and set the option Always use default value.
l You can also specify a formatting rule for the column IdentityType. The column
owns different permitted values, which represent user accounts.
l To prevent privileged user accounts inheriting default user groups, define a
template for the column IsGroupAccount with the default value "0" and set the
option Always use default value.
5. Enter the effective IT operating data for the target system.
Specify in the departments, cost centers, locations or business roles, which IT
operating data should apply when you set up a user account.
6. Assign the account definition directly to employees who work with privileged
user accounts.
When the account definition is assigned to an employee, a new user account is
created through the inheritance mechanism and subsequent processing.
NOTE: Specify a formatting rule for a naming schema if it is required by the company
for privileged user account login names.
To use a prefix with a login name, set the configuration parameter
"TargetSystem\AzureAD\Accounts\PrivilegedAccount\AccountName_Prefix" in the
Designer. To use a postfix with a login name, set the configuration parameter
"TargetSystem\AzureAD\Accounts\PrivilegedAccount\AccountName_Postfix" in the
Designer.
These configuration parameters are evaluated in the default installation, if a user
account is marked with the property Privileged user account
(IsPrivilegedAccount). The user account login names are renamed according to the
formatting rules. This also takes place if the user accounts are labeled as privileged
by the schedule "Mark selected user accounts as privileged".

Entering Master Data for Azure Active
A user account can be linked to an employee in the One Identity Manager. You can also
manage user accounts separately from employees.
NOTE: It is recommended to use account definitions to set up user accounts for

company employees. In this case, some of the master data described in the following
is mapped through templates from employee master data.
NOTE: If employees obtain their user accounts through account definitions, they have
to have a central user account and obtain their company IT data through assignment
to a primary department, primary location or a primary cost center.
TIP: You can combine the account definition for creating the user account and the
subscription that will be used into one system role. in this way, the employee
automatically obtains a user account and a subscription.
An employee can obtain this system role directly, through departments, cost centers,
location or business roles or by IT Shop request.
To edit master data for a user account
1. Select the category Azure Active Directory | User accounts.

2. Select the user account in the result list and run the task Change master data.
- OR-
3. Edit the user account's resource data.
To manually assign or create a user account for an employee
1. Select the Employees | Employees.

2. Select the employee in the result list and run Assign Azure Active Directory user
accounts from the task view.
3. Assign a user account.
l General Master Data for a Azure Active Directory User Account on page 85
l Contact Data for a Azure Active Directory User Account on page 88
l Organizational Data for an Azure Active Directory User Account on page 88
l Active Directory User Account Local Data on page 89

Related Topics

l Azure Active Directory Subscriptions and Service Plans on page 128
General Master Data for a Azure Active

Directory User Account
Table 27: Additional Master Data for a User Account
Employee Employee that uses this user account. An employee is already entered if
the user account was generated by an account definition. If you create the
user account manually, you can select an employee in the menu. If you
use automatic employee assignment, an associated employee is created
and entered into the user account when the user account is saved.
Account Account definition through which the user account was created.
definition
Use the account definition to automatically fill user account master data
and to specify a manage level for the user account. The One Identity
Manager finds the IT operating data of the assigned employee and enters it
in the corresponding fields in the user account.
NOTE: The account definition cannot be changed once the user

account has been saved.
To create the user account manually through an account definition, enter

an employee in the Employee box. You can select all the account
definitions assigned to this employee and through which no user account
has been created for this employee.
Manage User account's manage level. Select a manage level from the menu. You
level can only specify the manage level can if you have also entered an account
definition. All manage levels of the selected account definition are
available in the menu.
Tenant User account's tenant.
Domain User account's user account.
Location Location where this user account is in use.
First name The user’s first name. If you have assigned an account definition, the input
field is automatically filled out with respect to the manage level.

Last name The user’s last name. If you have assigned an account definition, the input
User login User account login name. The user's login name is made up of the alias
name and the domain. User login names that are formatted like this correspond
to the User Principal Name (UPN) in Azure Active Directory.
Alias Email alias for the user account.
Preferred User's preferred language, for example "en-US".

language
Password Password for the user account. Depending on the configuration parameter
"Person\UseCentralPassword" the employee’s central password can be
mapped to the user account‘s password. If you use an initial password for
the user accounts, it is automatically entered when a user account is
created.
NOTE: One Identity Manager password policies are taken into

account when a user password is being verified. Ensure that the
password policy does not violate the target system's requirements.
Password Reconfirm password.

confirmation
Change Specifies whether the user must change their password the next time they
password log in.
the next
time you log
in
Password Policies, which only apply to the user account. The available options are:
policies No restrictions, Password never expires and Allow weak
passwords.
Risk index Maximum risk index values for all assigned . This property is only visible if
(calculated) the configuration parameter "QER\CalculateRiskIndex" is set. For more
detailed information, see the .One Identity Manager Risk Assessment
Administration Guide
Category Categories for the inheritance of groups by the user account. Select one or
more categories from the menu. Groups can be selectively inherited by
user accounts. To do this, groups and user accounts or contacts are divided
into categories.
Identity User account's identity type

Table 28: Permitted values for the identity.
Value Description
Primary Employee's default user account.

identity
Organizational Secondary user account used for different roles in the

identity organization, for example for subcontracts with other
functional areas.
Personalized User account with administrative permissions, used by

admin identity one employee.
Sponsored User account that is used for training purposes, for

identity example.
Shared User account with administrative permissions, used by

identity several employees.
Service Service account.

identity
Privileged Specifies whether this is a privileged user account.

user account
Groups can Specifies whether the user account groups can inherit through the
be inherited employee. If this option is set, the user account inherits groups through
hierarchical roles or IT Shop requests.
l If you add an employee with a user account to a department, for

example, and you have assigned groups to this department, the user
account inherits these groups.
l If an employee has requested group membership in the IT Shop and
the request is granted approval, the employee's user account only
inherits the group if the option is set.
User Specifies whether the user account is disable. If a user account is not
account is required for a period of time, you can temporarily disable the user account
disabled by using the option <User account is deactivated>.
Related Topics

l Password Policies on page 53
l Linking User Accounts to Employees on page 79
l Disabling Azure Active Directory User Accounts on page 99

Contact Data for a Azure Active Directory
User Account
Enter the following address data for contacting the employee on the Contact tab.
Table 29: Contact data
Street Street or road. If you have assigned an account definition, the input field is
automatically filled out with respect to the manage level.
State State. If you have assigned an account definition, the input field is
Town City. If you have assigned an account definition, the input field is
automatically filled out with respect to the manage level. Locations can be
automatically generated and employees assigned based on the town.
Zip code Zip code. If you have assigned an account definition, the input field is
Country The country ID.
Business Business telephone numbers.

phones
Mobile Mobile number. If you have assigned an account definition, the input field is
phone automatically filled out with respect to the manage level.
Email User account's email address.

address
Proxy Other email addresses for the user. You can also add other mail connectors
addresses (for example, CCMail, MS) in addition to the standard address type (SMTP,
X400).
Use the following syntax to set up other proxy addresses:
Address type: new email address
Organizational Data for an Azure Active

Directory User Account
Enter the following organizational master data on the Organizational tab.

Table 30: Organizational Master Data
Office Office. If you have assigned an account definition, the input field is
Company Employee's company. If you have assigned an account definition, the input
Department Employee's department If you have assigned an account definition, the

input field is automatically filled out with respect to the manage level.
Departments can be automatically generated and employees assigned
based on the department data.
Job Job description. If you have assigned an account definition, the input field is
description automatically filled out with respect to the manage level.
Account Manager responsible for the user account.
manager
To specify an account manager
1. Click next to the text box.

2. Under Table, select the table which maps the account manager.
3. Select the manager under Account manager.
4. Click OK.
Active Directory User Account Local Data

The Linked tab shows information about the local Active Directory user account, which is
linked to the Azure Active Directory user account.
Table 31: Local Active Directory User Account Data

Last synchronization Time of the last Azure Active Directory user account
SID of the local account. Security ID of the local Active Directory user account.
Immutable identifier An identifier which cannot be changed to maintain the

relation between Active Directory and Azure Active
Directory.

Additional Tasks for Managing Azure
Active Directory User Accounts
After you have entered the master data, you can apply different tasks to it. The task view
contains different forms with which you can run the following tasks.
Overview of Azure Active Directory User

Accounts
Use this task to obtain an overview of the most important information about a user
account.
To obtain an overview of a user account

2. Select the user account in the result list.
3. Select Azure Active Directory user account overview in the task view.
Related Topics
l Azure Active Directory Subscriptions and Service Plans on page 128
Changing the Manage Level of an Azure

Active Directory User Account
The default manage level is applied if you create user accounts using automatic employee
assignment. You can change a user account manage level later.
To change the manage level for a user account

4. Select the manage level in the Manage level menu on the tab General.
Related Topics

Assigning Azure Active Directory Groups
Directly to Azure Active Directory User
Accounts
Groups can be assigned directly or indirectly to a user account. Indirect assignment is
carried out by allocating the employee and groups in hierarchical roles, like departments,
cost centers, locations or business roles. If the employee has a user account in Azure
Active Directory, the groups in the role are inherited by this user account.
To react quickly to special requests, you can assign groups directly to the user account.
To assign groups directly to user accounts

3. Select Assign groups in the task view.
4. Assign groups in Add assignments.
The view- OR -
Remove groups from Remove assignments.
Related Topics
l Assigning Azure Active Directory Groups to Azure Active Directory User

Accounts on page 105
Assigning Azure Active Directory

Administrator Roles directly to Azure Active
Administrator roles can be assigned directly or indirectly to a user account. Indirect
assignment is carried out by assigning the employee and administrator roles to hierarchical
roles, like departments, cost centers, locations or business roles. If the employee has a
user account in Azure Active Directory, the administrator roles of the departments, cost
centers, locations and business roles are inherited by this user account.
To react quickly to special requests, you can assign administrator roles directly to the
user account.

To assign administrator roles directly to user accounts

3. Select Assign administrator roles in the task view.
4. Assign administrator roles in Add assignments.
- OR -
Remove administrator roles in Remove assignments.
Related Topics
l Assigning Azure Active Directory Administrator Roles to Azure Active Directory User

Subscriptions directly to Azure Active
You can assign subscriptions directly or indirectly to a user account. In the case of indirect
assignment, employees and subscriptions are assigned to hierarchical roles, such as,
departments, cost centers, locations or business roles. If the employee has a user account
in Azure Active Directory, role subscriptions are inherited by this user account.
To react quickly to special requests, you can assign subscriptions directly to a user
account.
To assign subscriptions directly to user accounts

3. Select Assign subscriptions in the task view.
Related Topics
l Assigning Azure Active Directory Subscriptions to Azure Active Directory User


Assigning Disabled Azure Active Directory
Service Plans directly to Azure Active
You can assign disabled service plans directly or indirectly to a user account. In the case of
indirect assignment, employees and disabled service plans are assigned to hierarchical
roles, such as, departments, cost centers, locations or business roles. If the employee has
a user account in Azure Active Directory, disabled service plans belonging to roles are
inherited by this user account.
To react quickly to special requests, you can assign disabled service plans directly to a
user account.
To assign disabled service plans directly to a user account

3. Select Assign disabled service plans in the task view.
Related Topics
l Assigning Disabled Azure Active Directory Service Plans to Azure Active Directory
User Accounts on page 139
Assign Extended Properties to an Azure

Active Directory User Account
Extended properties are meta objects that cannot be mapped directly in the One Identity
Manager, for example, operating codes, cost codes or cost accounting areas.
To specify extended properties for a user account

3. Select Assign extended properties in the task view.
4. Assign extended properties in Add assignments.
- OR -
Remove assignments to extended properties in Remove assignments.

For more detailed information about using extended properties, see the One Identity
Automatic Assignment of Employees to

Table 32: Configuration Parameters for Automatic Employee Assignment
TargetSystem\AzureAD\PersonAutoFullsync This configuration parameter specifies the

mode for automatic employee assignment
for user accounts added to or updated in
the database through synchronization.
TargetSystem\AzureAD\PersonAutoDefault This configuration parameter specifies the

mode for automatic employee assignment
for user accounts added to the database
outside synchronization.
TargetSystem\AzureAD\PersonExcludeList List of all user accounts for which automatic

employee assignment should not take
place. Names given in a pipe (|) delimited
list that is handled as a regular search
pattern.
Example:
ADMINISTRATOR
TargetSystem\AzureAD\ This configuration parameters specifies

PersonAutoDisabledAccounts whether employees are automatically
assigned to disable user accounts. User
accounts do not obtain an account
definition.
When you add a user account, an existing employee can be assigned automatically or
added if necessary. In the process, the employee master data is created based for
existing user master data. This mechanism can follow on after a new user account has
been created manually or through synchronization. Define criteria for finding employees
to apply to automatic employee assignment. If a user account is linked to an employee
through the current mode, the user account is given, through an internal process, the
default manage level of the account definition entered in the user account's target system.
You can customize user account properties depending on how the behavior of the manage
level is defined.
If you run this procedure during working hours, automatic assignment of employees to
user accounts takes place from that moment onwards. If you disable the procedure again

later, the changes only affect user accounts added or updated after this point in time.
Existing employee assignment to user accounts remain intact.
NOTE: It is not recommended to assign employees using automatic employee assign-

ment in the case of administrative user accounts. Use the task Change master data
to assign employees to administrative user account for the respective user account.
Run the following tasks to assign employees automatically.
l If employees can be assigned by user accounts during synchronization, set the

parameter "TargetSystem\AzureAD\PersonAutoFullsync" in the Designer and select
the required mode.
l If employees can be assigned by user accounts during synchronization, set the
parameter "TargetSystem\AzureAD\PersonAutoDefault" in the Designer and
select the mode.
l Specify the user accounts in the configuration parameter
"TargetSystem\AzureAD\PersonExcludeList" which must not be assigned
automatically to employees.
Example:
Administrator
l Use the configuration parameter
"TargetSystem\AzureAD\PersonAutoDisabledAccounts" to specify whether
employees can be automatically assigned to disabled user accounts. User accounts
do not obtain an account definition.
l Assign an account definition to the tenant. Ensure the manage level to be used is
entered as default automation level.
l Define the search criteria for employees assigned to tenants.
NOTE:
The following applies for synchronization:
l Automatic employee assignment takes effect if user accounts are added or

updated.
The following applies outside synchronization:
l Automatic employee assignment takes effect if user accounts are added.

NOTE: Following synchronization, employees are automatically created for user
accounts in the default installation. If there are no account definitions for the tenant
at the time of synchronization, user accounts are linked to employees. However,
account definitions are not assigned. The user accounts are, therefore, in a "Linked"
state.
To select user accounts through account definitions
1. Create an account definition.

2. Assign an account definition to the tenant.
3. Assign the account definition and manage level to the user accounts in a
"linked" state.
a. Select the category Azure Active Directory | User accounts |
Linked but not configured | <client>.
b. Select the task Assign account definition to linked accounts.
For more detailed information about assigning employees automatically, see the One
Identity Manager Target System Base Module Administration Guide.
Related Topics
l Creating an Account Definition on page 36

l Assigning Account Definitions to a Target System on page 50
l Editing Search Criteria for Automatic Employee Assignment on page 96
Editing Search Criteria for Automatic

Employee Assignment
Criteria for employee assignment are defined in the tenant. In this case, you specify
which user account properties must match the employee’s properties such that the
employee can be assigned to the user account. You can limit search criteria further by
using format definitions. The search criteria are written in XML notation in the column
"Search criteria for automatic employee assignment" (AccountToPersonMatchingRule) of the
AADOrganization table.
Search criteria are evaluated when employees are automatically assigned to user
accounts. Furthermore, you can create a suggestion list for assignments of employees to
user accounts based on the search criteria and make the assignment directly.
NOTE: When the employees are assigned to user accounts on the basis of search
criteria, user accounts are given the default manage level of the account definition
entered in the user account's target system. You can customize user account
properties depending on how the behavior of the manage level is defined.
It is not recommended to make assignment to administrative user accounts based on
search criteria. Use the task Change master data to assign employees to
administrative user account for the respective user account.

NOTE: One Identity Manager supplies a default mapping for employee assignment.
Only carry out the following steps when you want to customize the default mapping.
To specify criteria for employee assignment

3. Select Define search criteria for employee assignment in the task view.
4. Specify which user account properties must match with which employee so that the
employee is linked to the user account.
Table 33: Default Search Criteria for User Accounts and Contacts
Apply to Column on Employee Column on User

Account
Azure Active Directory user Central user account Alias (MailNickName)

accounts (CentralAccount)
Direct Assignment of Employees to User Accounts Based on a

Suggestion List
You can create a suggestion list in the "Assignments" view for assignments of employees
to user accounts based on the search criteria. User accounts are grouped in different
views for this.
Table 34: Manual Assignment View
View Description
Suggested This view lists all user accounts to which One Identity Manager can assign
assignments an employee. All employees are shown who were found using the search
criteria and can be assigned.
Assigned This view lists all user accounts to which an employee is assigned.
user
accounts
Without This view lists all user accounts to which no employee is assigned and for
employee which no employee was found using the search criteria.
assignment
TIP: By double-clicking on an entry in the view, you can view the user account and
employee master data.

To apply search criteria to user accounts
l Click Reload.
All possible assignments based on the search criteria are found in the target system
for all user accounts. The three views are updated.
To assign employees directly over a suggestion list
1. Click Suggested assignments.

a. Click Select for all user accounts to be assigned to the suggested employee.
Multi-select is possible.
b. Click Assign selected.
c. Confirm the security prompt with Yes.
The selected user accounts are assigned to the employees found using the
search criteria.
– OR –
2. Click No employee assignment.
a. Click Select employee... for the user account to which you want to assign the
employee. Select an employee from the menu.
b. Click Select for all user accounts to which you want to assign the selected
employees. Multi-select is possible.
c. Click Assign selected.
d. Confirm the security prompt with Yes.
This assigns the selected user accounts to the employees shown in the
"Employee" column.
To remove assignments
1. Click Assigned user accounts.

a. Click Select for all user accounts whose employee assignment you want to
remove. Multi-select is possible.
b. Click Delete selected.
c. Confirm the security prompt with Yes.
The assigned employees are deleted from the selected user accounts.
For more detailed information about defining search criteria, see the One Identity Manager
Target System Base Module Administration Guide.
Related Topics

on page 94

Disabling Azure Active Directory User
Accounts
Table 35: Configuration Parameter for User Accounts
QER\Person\TemporaryDeactivation This configuration parameter specifies whether

user accounts for an employee are locked if the
employee is temporarily or permanently disabled.
The way you disable user accounts depends on how they are managed.
Scenario:
l The user account is linked to employees and is managed through account definitions.
User accounts managed through account definitions are disabled when the employee is
temporarily or permanently disabled. The behavior depends on the user account manage
level. User accounts with the manage level "Full managed" are disabled depending on the
account definition settings. For user accounts with another manage level, modify the
column template AADUser.AccountDisabled accordingly.
Scenario:
l The user accounts are linked to employees. No account definition is applied.
User accounts managed through user account definitions are disabled when the employee
is temporarily or permanently disabled. The behavior depends on the configuration
parameter "QER\Person\TemporaryDeactivation".
l If the configuration parameter is set, the employee’s user accounts are disabled if
the employee is permanently or temporarily disabled.
l If the configuration parameter is not set, the employee’s properties do not have any
effect on the associated user accounts.
To lock a user account when the configuration parameter is disabled

4. Set the option Account is disabled on the General tab.
Scenario:
l User accounts not linked to employees.

To lock a user account, which is not linked to an employee

4. Set the option Account is disabled on the General tab.
Related Topics

l Setting Up Manage Levels on page 38
l Deleting and Restoring Azure Active Directory User Accounts on page 100
l For more detailed information about deactivating and deleting employees and user
accounts, see the One Identity Manager Target System Base Module
Deleting and Restoring Azure Active

NOTE: As long as an account definition for an employee is valid, the employee retains
the user account that was created by it. If the account definition assignment is
removed, the user account created through this account definition, is deleted.
To delete a user account

3. Delete the user account.
To restore user account

3. Click Undo delete in the result list toolbar.
Configuring Deferred Deletion
By default, user accounts are finally deleted from the database after 30 days.The user
accounts are initially disabled. You can reenable the user accounts until deferred deletion is
run. After deferred deletion is run, the user account are deleted from the database and

cannot be restored anymore. You can configure an alternative delay on the table AADAccount
in the Designer.
Related Topics
l Disabling Azure Active Directory User Accounts on page 99

l For more detailed information about deactivating and deleting employees and user
accounts, see the One Identity Manager Target System Base Module

6
Azure Active Directory Groups
Azure Active Directory recognizes several groups types, in which you can gather users and
groups to, for example, regulate access to resources or email distribution.
Groups are loaded into One Identity Manager by synchronization. You can edit individual
master data of the group and you can create new security groups in One Identity Manager.
You cannot create more groups types in One Identity Manager.
To add users to groups, you assign the groups directly to users. This can be assignments of
groups to departments, cost centers, location, business roles or to the IT Shop.
The group types supported in One Identity Manager are listed below.
Table 36: Support Groups Types
Group Description
type
Security Resource permissions are distributed through security groups. User

group accounts and other groups are added to security groups, which makes
administration easier.
Security groups are loaded into One Identity Manager by synchronization.
You can edit security groups in One Identity Manager and also create new
ones.
Office 365 Office 365 groups are loaded into One Identity Manager by synchronization.
group You can edit Office 365 groups in One Identity Manager but you cannot
create new them in One Identity Manager.
Distribution Distribution groups are used to send emails to group members. Distribution
group groups are loaded into One Identity Manager by synchronization. You can
edit distribution groups in One Identity Manager but you cannot create them
in One Identity Manager.
Mail- Mail-enabled security groups are security groups that are used as
enabled distribution groups.
security
Mail-enabled security groups are loaded into One Identity Manager by
groups
synchronization. You edit mail-enabled security in One Identity Manager but
you cannot create new mail-enabled security groups in One Identity
Manager.

Editing Azure Active Directory Group
Master Data
Groups are loaded into One Identity Manager by synchronization. You can create new
security groups in One Identity Manager. You can merely edit the other groups types and
which of the data you can edit, depends on the group type.
To edit group master data
1. Select the category Azure Active Directory | Groups.

2. Select the group in the result list and run Change master data in the task view.
- OR -
3. Edit a group's master data.
l General Master Data for an Azure Active Directory Group on page 103
l Information about Local Active Directory Groups on page 105
General Master Data for an Azure Active

Directory Group
Table 37: General Master Data
Display The display name is used to display the group in the One Identity Manager
name tools user interface.
Tenant The group's tenant.
Alias Email alias for the group.
Email Group's email address

address
Proxy Other email addresses for the group. You can also add other mail connectors
addresses (for example, CCMail, MS) in addition to the standard address type (SMTP,
X400).

Use the following syntax to set up other proxy addresses:

Address type: new email address
Group type Specifies a group's type The value is "unified" for Office 365 group and is
empty for security and distribution groups.
Security Specifies whether the this group is a security group. Resource permissions
group are distributed through security groups. User accounts and other groups are
added to security groups, which makes administration easier.
Mail- Specifies whether the email is enabled for the group. If this option is set for
enabled a security group, it is a mail-enabled security group. Otherwise, it is a
distribution group.
IT Shop Specifies whether the group can be requested through the IT Shop. This
group can be requested by staff through the Web Portal and granted through
a defined approval process. The group can still be assigned directly to
hierarchical roles.
Only for Specifies whether the group can only be requested through the IT Shop. This
use in IT group can be requested by staff through the Web Portal and granted through
Shop a defined approval process. The group may not be assigned directly to
hierarchical roles.
Service Service item data for requesting the group through the IT Shop.
item
Risk index Value for evaluating the risk of assigning the group to user accounts. Enter a
value between 0 and 1. This property is only visible when the configuration
parameter QER\CalculateRiskIndex is set.
For more detailed information about risk assessment, see the One Identity
Manager Risk Assessment Administration Guide.
Category Categories for group inheritance. Groups can be selectively inherited by

user accounts. To do this, groups and user accounts are divided into categor-
ies. Use this menu to allocate one or more categories to the group.
Related Topics

l For more detailed information about preparing groups for requesting through the IT
Shop, see the One Identity Manager IT Shop Administration Guide.

Information about Local Active Directory
Groups
The Federation tab shows information about the local Active Directory user account,
which is linked to the Azure Active Directory user account.
Table 38: Local Active Directory Group Data

Last synchronization Time of the last Azure Active Directory group

SID of local group Security ID of the local Active Directory group.

Groups to Azure Active Directory User
Accounts
Groups can be assigned directly or indirectly to user accounts. In the case of indirect
assignment, employees and groups are assigned to hierarchical roles, such as ,
departments, cost centers, locations or business roles. The groups assigned to an
employee are calculated from the position in the hierarchy and the direction of inheritance.
If you add an employee to roles and that employee owns a user account, the user
account is added to the groups. Prerequisites for indirect assignment of employees to
user accounts:
l Assignment of employees and groups is permitted for role classes (department, cost
center, location or business role).
l The user accounts are marked with the option Groups can be inherited.
Furthermore, groups can be assigned to employees through IT Shop requests. Add

employees to a shop as customers so that groups can be assigned through IT Shop
requests. All groups are assigned to this shop can be requested by the customers.
Requested groups are assigned to the employees after approval is granted.
l Assigning Azure Active Directory Groups to Departments, Cost Centers and Locations
on page 106

l Assigning Azure Active Directory Groups to Business Roles on page 107
l Assigning Azure Active Directory User Accounts directly to an Azure Active Directory
Group on page 108
l Adding Azure Active Directory Groups to System Roles on page 109
l Adding Azure Active Directory Groups to the IT Shop on page 109
Assigning Azure Active Directory Groups to

Departments, Cost Centers and Locations
Assign groups to departments, cost centers or locations so that the group can be assigned
to user accounts through these organizations.
To assign a group to departments, cost centers or locations (non role-

based login)

2. Select the group in the result list.
- OR -
To assign groups to a department, cost center or location (role-based login)
1. Select the category Organizations | Departments.

- OR -
Select the category Organizations | Cost centers.
- OR -
Select the category Organizations | Locations.
2. Select the department, cost center or location in the result list.
3. Select Assign Azure Active Directory groups.
- OR -
Remove assignments to groups in Remove assignments.

Related Topics

Group on page 108
on page 9
Assigning Azure Active Directory Groups to

Business Roles
Assign the group to business roles so that the group is assigned to user accounts through
these business roles.
To assign a group to a business role (non role-based login)

- OR -
To assign groups to a business role (non role-based login)
1. Select the category Business roles | <Role class>.

2. Select the business role in the result list.
3. Select Assign Azure Active Directory groups.
- OR -

Related Topics
on page 106
Group on page 108
on page 9
Assigning Azure Active Directory User

Accounts directly to an Azure Active
Directory Group
Groups can be assigned directly or indirectly to user accounts. Indirect assignment is
carried out by allocating the employee and groups in company structures, like
in Azure Active Directory, the groups in the role are inherited by this user account.
To react quickly to special requests, you can assign groups directly to user accounts.
To assign a group directly to user accounts

3. Select Assign user accounts in the task view.
4. Assign user accounts in Add assignments.
The view- OR -
Remove user accounts from Remove assignments.
Related Topics
l Assigning Azure Active Directory Groups Directly to Azure Active Directory User
Accounts on page 91
on page 106

Adding Azure Active Directory Groups to
System Roles
Use this task to add a group to system roles. If you assign a system role to employees, all
the employees' user accounts inherit the group.
NOTE: Groups with the option Only use in IT Shop can only be assigned to system
roles that also have this option set. For more detailed information, see the .One
Identity Manager System Roles Administration Guide
To assign a group to system roles

- OR -
Remove system roles from Remove assignments.
Related Topics
on page 106
Group on page 108

the IT Shop
Once a group has been assigned to an IT Shop shelf, can be requested by the shop
customers. To ensure it can be requested, further prerequisites need to be guaranteed.
l The group must be labeled with the option IT Shop.

l The group must be assigned to a service item.

l The group must be labeled with the option Only use in IT Shop if the group can
only be assigned to employees through IT Shop requests. Direct assignment to
NOTE: IT Shop administrators can assign groups to IT Shop shelves in the case of
role-based login. Target system administrators are not authorized to add groups in
the IT Shop.
To add a group to the IT Shop
1. Select the category Azure Active Directory | Groups (non role-based login).
- OR -
Select the category Entitlements | Azure Active Directory groups (role-
based login).
4. Assign the group to the IT Shop shelves in Add assignments.
To remove a group from individual IT Shop shelves.
- OR -
based login).
4. Remove the group from the IT Shop shelves in Remove assignments.
To remove a group from all IT Shop shelves.
- OR -
based login).
5. Click OK.
This removes the group from all One Identity Manager Service shelves. All requests
and assignment requests with this group are canceled in the process.

Related Topics
on page 106
Group on page 108

Active Directory Groups
Overview of Azure Active Directory Groups

Use this task to obtain an overview of the most important information about a group.
To obtain an overview of a group

3. Select Azure Active Directory group overview in the task view.

Use this task to add a group to another group.
To assign groups directly to a group


3. Select Assign groups in the task view.
4. Assign child groups of the selected group in Add assignments.
- OR -
Effectiveness of Group Memberships

Table 39: Configuration Parameter for Conditional Inheritance
Configuration parameter Active Meaning
QER\Structures\Inherite\GroupExclusion Preprocessor relevant configuration parameter

for controlling effectiveness of group
memberships. If the parameter is set,
memberships can be reduced on the basis of
exclusion definitions. The database has to be
recompiled after changes have been made to
the parameter.
When groups are assigned to user accounts an employee may obtain two or more groups,
which are not permitted in this combination. To prevent this, you can declare mutually
exclusive groups. To do this, you specify which of the two groups should apply to the user
accounts if both are assigned.
It is possible to assign an excluded group directly, indirectly or by IT Shop request at any
time. One Identity Manager determines whether the assignment is effective.
NOTE:
l You cannot define a pair of mutually exclusive groups. That means, the defin-
ition "Group A excludes group B" AND "Group B excludes groups A" is not
permitted.
l You must declare each group to be excluded from a group separately. Exclusion
definitions cannot be inherited.
l One Identity Manager does not check whether membership of an excluded
group is permitted in another group.
The effect of the assignments is mapped in the tables AADUserInGroup and

AADBaseTreeHasGroup through the column XIsInEffect.
Example of the effect of group memberships
l Group A is defined with permissions for triggering requests in a tenant. A group B is

authorized to make payments. A group C is authorized to check invoices.

l Group A is assigned through the department "Marketing", group B through "Finance"
and group C through the business role "Control group".
Clara Harris has a user account in this tenant. She primarily belongs to the department
"marketing". The business role "Control group" and the department "Finance" are assigned
to her secondarily. Without an exclusion definition, the user account obtains all the
permissions of groups A, B and C.
By using suitable controls, you want to prevent an employee from being able to trigger a
request and to pay invoices. That means, groups A, B and C are mutually exclusive. An
employee that checks invoices may not be able to make invoice payments as well. That
means, groups B and C are mutually exclusive.
Table 40: Specifying excluded groups (table AADGroupExclusion)
Effective Group Excluded Group
Group A
Group B Group A
Group C Group B
Table 41: Effective Assignments
Employee Member in Role Effective Group
Ben King Marketing Group A
Jan Bloggs Marketing, finance Group B
Clara Harris Marketing, finance, control group Group C
Jenny Basset Marketing, control group Group A, Group C
Only the group C assignment is in effect for Clara Harris. It is published in the target
system. If Clara Harris leaves the business role "control group" at a later date, group B
also takes effect.
The groups A and C are in effect for Jenny Basset because the groups are not defined as
mutually exclusive. That means that the employee is authorized to trigger request and to
check invoices. If this should not be allowed, define further exclusion for group C.
Table 42: Excluded groups and effective assignments
Employee Member in Assigned Excluded Effective

Role Group Group Group
Jenny Marketing Group A

Group C
Basset Control group Group C Group B
Group A

Prerequisites
l The configuration parameter "QER\Inherite\GroupExclusion" is enabled.

l Mutually exclusive groups belong to the same tenant.
To exclude a group

2. Select a group in the result list.
3. Select Exclude groups in the task view.
4. Assign the groups that are mutually exclusive to the selected group in Add
assignments.
- OR -
Remove the conflicting groups that are no longer mutually exclusive in Remove
assignments.
Azure Active Directory Group Inheritance

Based on Categories
In One Identity Manager, groups, administrative roles, subscriptions and disabled service
plans can be selectively inherited by user accounts. For this, groups(administrative roles,
subscriptions and disabled service plans) and user accounts are divided into categories.
The categories can be freely selected and are specified by a template. Each category is
given a specific position within the template. The mapping rule contains different tables.
Use the user account table to specify categories for target system dependent user
accounts. Enter your categories for the structural profiles, administrative roles,
subscriptions and disabled service plans in the other tables. Each table contains the
category items "Position1" to "Position31".
Every user account can be assigned to one or more categories. Each group can also be
assigned to one or more categories. The group is inherited by the user account when at
least one user account category item matches an assigned group. The group is also
inherited by the user account if the group or the user account is not put into categories.
NOTE: Inheritance through categories is only taken into account when groups are
assigned indirectly through hierarchical roles. Categories are not taken into account
when groups are directly assigned to user accounts.

Table 43: Category Examples
Category Categories for User Categories for Groups

Position Accounts
1 Default user Default permissions
2 System user System user permissions
3 System administrator System administrator permis-

sions
Figure 2: Example of inheriting through categories.

To use inheritance through categories
l Define the categories in the tenant.

l Assign categories to user accounts through their master data.
l Assign categories to groups through their master data.
Related Topics

l For more information, see Editing Azure Active Directory Subscription Master Data
on page 128.
Assigning Owners to Azure Active

Directory Groups
A group owner can edit group properties.
To assign owners to a group

3. Select Assign owner in the task view.
4. Select the table containing the owner from the menu at the top of the form. You
have the following options:
l Azure Active Directory user accounts
5. Assign owners in Add assignments.
- OR -
Remove owners in Remove assignments.
Assigning Extended Properties to an Azure

Active Directory Group

To specify extended properties for a group

The view- OR -
Remove extended properties from Remove assignments.
Deleting Azure Active Directory Groups

To delete a group

3. Delete the group using .
The group is deleted completely from the One Identity Manager database and from Azure
Active Directory.

7

Administrator Roles
By using administrator roles, you can assign administrative permissions to users. Azure
Active Directory recognizes several administrator roles, which fulfill different functions.
For more detailed information about administrator roles, see the Azure Active Directory
documentation from Microsoft.
Administrator roles are loaded into One Identity Manager by synchronization. You can edit
individual master data of administrator roles but cannot create new administrator roles in
To add users to administrator roles, assign the administrator roles directly to the user. This
may be administrator role assignments to departments, cost centers, location, business
roles or to the IT Shop.
Editing Azure Active Directory

Administrator Role Master Data
Administrator roles are loaded into One Identity Manager by synchronization. You can edit
individual master data of administrator roles but cannot create new administrator roles in
To edit the master data of an administrator role
1. Select the category Azure Active Directory | Administrator roles.

2. Select the administrator role in the result list and run the task Change
master data.
3. Edit the administrator role's master data.

Azure Active Directory Administrator Roles
Table 44: Administrator Role Master Data
Display The display name is used to display the administrator role in the One
name Identity Manager tool's user interface.
Tenant The administrator role's tenant.
Template ID of the administrator role template on which this administrator role was
ID. based.
IT Shop Specifies whether the administrator role can be requested through the IT
Shop. The administrator role can be ordered by its employees over the Web
Portal and distributed using a defined approval process. The administrator
role can still be assigned directly to user accounts and hierarchical roles.
Only for Specifies whether the administration role can only be requested through the
use in IT IT Shop. The administrator role can be ordered by its employees over the
Shop Web Portal and distributed using a defined approval process. You cannot
assign an administrator role directly to a hierarchical role.
Service Specifies a service item for using to request the administrator role through
item the IT Shop.
Risk index Value for assessing the rich of assigning administrator roles to user
accounts. Enter a value between 0 and 1. This property is only visible if the
configuration parameter "QER\CalculateRiskIndex" is set.
Category Categories for inheriting administrator roles. Administrator roles can be

selectively inherited by user accounts. To do this, administrator roles and
user accounts are divided into categories. Use the menu to allocate one or
more categories to the administrator role.
Related Topics
l Azure Active Directory Administrator Role Inheritance Based on Categories on

page 126
l For more detailed information about preparing administrator roles for requesting
through the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Administrator Roles to Azure Active
Administrator roles can be assigned directly or indirectly to user accounts. In the case of
indirect assignment, employees and administrator roles are assigned to hierarchical roles,
such as, departments, cost centers, locations or business roles. The administrator roles
assigned to an employee are calculated from the position in the hierarchy and the direction
of inheritance.
If you add an employee to roles and that employee owns a user account, the user account
is added to the administrator roles. Prerequisites for indirect assignment of employees to
user accounts:
l Assignment of employees and administrator roles is permitted for role classes

Furthermore, administrator roles can be assigned to employees through IT Shop requests.

Add employees to a shop as customers so that administrator roles can be assigned through
IT Shop requests. All administrator roles assigned as products to this shop, can be
requested by the customers. Requested administrator roles are assigned to the employees
after approval is granted.
l Assigning Azure Active Directory Administration Roles to Departments, Cost Centers

and Locations on page 120
l Assigning Azure Active Directory Administrator Roles to Business Roles on page 122
l Assigning Azure Active Directory User Accounts directly to Azure Active Directory
Administrator Roles on page 123
l Adding Azure Active Directory Administrator Roles to System Roles on page 123
l Adding Azure Active Directory Administrator Roles in the IT Shop on page 124

Administration Roles to Departments, Cost
Centers and Locations
By assigning administrator roles to departments, cost centers or locations, you enable the
group to be assigned to user accounts through these organizations.

To assign an administrator role to departments, cost centers or locations (non
role-based login)

2. Select the administrator role in the result list.
- OR -
To assign administrator roles to departments, cost centers or locations (role-

based login)

- OR -
- OR -
3. Select Assign Azure Active Directory administrator roles in the task view.
- OR -
Related Topics
on page 9

Administrator Roles to Business Roles
By assigning administrator roles to business roles, the administrator role can be assigned
to user accounts through these business roles.
To assign an administrator role to business roles (non role-based login)

- OR -
To assign administrator roles to a business role (non role-based login)

3. Select Assign Azure Active Directory administrator roles in the task view.
- OR -
Related Topics

on page 9

Assigning Azure Active Directory User
Accounts directly to Azure Active Directory
Administrator Roles
Administrator roles can be assigned directly or indirectly to user accounts. Indirect
assignment is carried out by allocating the employee and administrator roles in company
structures, like departments, cost centers, locations or business roles. If the employee has
a user account in Azure Active Directory, the administrator roles in the role are inherited
by this user account.
To react quickly to special requests, you can assign administrator roles directly to
user accounts.
To assign a user account directly to an administrator role.

The view- OR -
Related Topics
l Assigning Azure Active Directory Administrator Roles directly to Azure Active

Directory User Accounts on page 91
Adding Azure Active Directory Administrator

Roles to System Roles

Use this task to add an administrator role to system roles. When you assign a system role
to an employee, the administrator roles are inherited by all user accounts that these
employees have.
NOTE: Administrator roles with the option Only use in IT Shop set, can only be
assigned to system roles that also have this option set. For more information, see the
One Identity Manager System Roles Administration Guide.
To assign an administrator role to system roles

- OR -
Related Topics

Adding Azure Active Directory Administrator

Roles in the IT Shop
Once an administration role has been assigned to an IT Shop shelf, it can be requested by
the shop customers. To ensure it can be requested, further prerequisites need to be
guaranteed.
l The administrator role must be labeled with the option IT Shop.

l The administrator role must be assigned to a service item.
l The administrator role must be also labeled with the option Only use in IT Shop if
the administrator role can only be assigned to employees using IT Shop requests.
Direct assignment to hierarchical roles may not be possible.
NOTE: IT Shop administrators can assign administrator roles to IT Shop shelves in

the case of role-based login. Target system administrators are not authorized to add
administrator roles in the IT Shop.

To add an administrator role in the IT Shop
1. Select the category Azure Active Directory | Administrator roles (non role-
based login).
- OR -
Select the category Entitlements | Azure Active Directory administrator
roles (role-based login).
4. Assign an administration role to the IT Shop shelf in Add assignments.
To remove a role from individual IT Shop shelves
based login).
- OR -
4. Remove the administrator role from IT Shop shelves in Remove assignments.
To remove an administrator role from individual IT Shop shelves
based login).
- OR -
5. Click OK.
The administrator role is removed from all shelves by the One Identity Manager
Service. All requests and assignment requests with this administrator role are

Related Topics
l Editing Azure Active Directory Administrator Role Master Data on page 118

Active Directory Administrator Roles

Overview
Use this task to obtain an overview of the most important information about an
administrator role.
To obtain an overview of a administration role

3. Select the task Azure Active Directory administrator role overview.
Azure Active Directory Administrator Role

Inheritance Based on Categories
You can also apply the behavior described under Azure Active Directory Group Inheritance
Based on Categories on page 114 for administration roles.


l Assign categories to administrator roles through their master data.
Related Topics

l Editing Azure Active Directory Administrator Role Master Data on page 118
Assigning Extended Properties to an Azure

Active Directory Administrator Role
To specify extended properties for an administrator role

The view- OR -

8
Azure Active Directory Subscriptions

and Service Plans
Users require a subscription to access a service plan in Azure Active Directory. Users
obtain all the service plans that are linked to a subscription. By assigning subscriptions
directly to users, you make the subscriptions available to them. You can assign
subscriptions to departments, cost centers, locations, business roles or the IT Shop.
So called "disabled service plans" are mapped in the One Identity Manager to prevent users
from using single service plans. Disabled service plans are created automatically after
synchronizing the subscription in the One Identity Manager. Disabled service plans are
requested through the IT Shop or assigned to users through departments, cost centers,
locations, business roles or system roles.
The actual service plans available to the user in Azure Active Directory result from the
user's subscription and the service plans associated with it and the assignment of disabled
service plans.
Azure Active Directory Subscriptions

Information about subscriptions and service plans within a tenant is loaded into One
Identity Manager during synchronization. You cannot create new subscriptions and service
plans in the One Identity Manager. You can edit individual properties of the subscription for
requesting in the IT Shop and assigning to user accounts in the One Identity Manager.
Editing Azure Active Directory Subscription

Master Data
To edit subscription master data
1. Select the category Azure Active Directory | Subscriptions.

2. Select a subscription in the result list.

Azure Active Directory Subscriptions and Service Plans
4. Edit the subscription's master data.
Table 45: Subscription Master Data
SKU display The SKU display name for the subscription, for example "AAD_Premium" or
name "RMSBASIC".
Tenant Tenant entered for this subscription.
Subscription The subscription status, for example, "Enabled".

status
Purchased The number of licenses purchased.

licenses
Assigned Number of actively used licenses.

licenses
Suspended Number of suspended licenses.

licenses
Warning Number of licenses with in a warning status.
units
IT Shop Specifies whether the subscription can be requested through the IT Shop.
This subscription can be requested by staff through the Web Portal and
granted through a defined approval procedure. The subscription can still be
assigned directly to user accounts and hierarchical roles.
Only for use Specifies whether the subscription can only be requested through the IT
in IT Shop Shop. This subscription can be requested by staff through the Web Portal
and granted through a defined approval procedure. The subscription may
not be assigned directly to hierarchical roles.
Service Service item data for requesting the subscription through the IT Shop.
item
Risk index Value for evaluating the risk of assigning the subscription to user accounts.
Enter a value between 0 and 1. This property is only visible if the
configuration parameter "QER\CalculateRiskIndex" is set.
Category Category for subscription inheritance. Subscriptions can be selectively

inherited by user accounts. To do this, subscriptions and user accounts are
divided into categories. Use this menu to allocate one or more categories
to the subscription.

Related Topics

l For more detailed information about preparing subscriptions for requesting through
the IT Shop, see the One Identity Manager IT Shop Administration Guide.

Subscriptions to Azure Active Directory
User Accounts
departments, cost centers, locations or business roles. Subscriptions assigned to an
employee are calculated from the position in the hierarchy and the direction of inheritance.
If the employee has a user account in Azure Active Directory, role subscriptions are
Prerequisites for indirect assignment of employees to user accounts:
l Assignment of employees and subscriptions is permitted for role classes

Furthermore, subscriptions can be assIT Shopigned to employees through requests. Add

employees to a shop as customers so that subscriptions can be assigned through IT Shop
requests. All subscriptions assigned to this shop can be requested by the customers.
Requested subscriptions are assigned to the employees after approval is granted.
TIP: You can combine the account definition for creating the user account and the
subscription that will be used into one system role. in this way, the employee
automatically obtains a user account and a subscription.
An employee can obtain this system role directly, through departments, cost centers,
location or business roles or by IT Shop request.
l Assigning Azure Active Directory Subscriptions to Departments, Cost Centers and

Locations on page 131
l Assigning Azure Active Directory Subscriptions to Business Roles on page 132
Subscription on page 133
l Adding Azure Active Directory Subscriptions to System Roles on page 133
l Adding Azure Active Directory Subscriptions to the IT Shop on page 134

Assigning Azure Active Directory Subscriptions to
Departments, Cost Centers and Locations
Assign subscriptions to departments, cost centers and locations in order to assign user
accounts to them through these organizations.
To assign a subscription to departments, cost centers or locations (non role-

based login)

- OR -
To assign subscriptions to a department, cost center or location (role-

based login)

- OR -
- OR -
3. Select Assign Azure Active Directory subscriptions in the task view.
4. Assign the subscriptions in Add assignments.
- OR -
Remove the subscriptions in Remove assignments.
Related Topics


on page 9
Assigning Azure Active Directory Subscriptions to

Business Roles
Assign subscriptions to business roles to assign them to user accounts over these
business roles.
To assign a subscription to business roles (non role-based login)

- OR -
To assign subscriptions to a business role (role-based login)

3. Select Assign Azure Active Directory subscriptions in the task view.
4. Assign the subscriptions in Add assignments.
- OR -
Remove the subscriptions in Remove assignments.
Related Topics


on page 9
Assigning Azure Active Directory User Accounts

directly to an Azure Active Directory Subscription
in Azure Active Directory, role subscriptions are inherited by this user account.
To react quickly to special requests, you can assign subscriptions directly to a user
account.
To assign a subscription directly to user accounts

The view- OR -
Related Topics
l Assigning Azure Active Directory Subscriptions directly to Azure Active Directory

Adding Azure Active Directory Subscriptions to

System Roles
Use this task to add a subscription to system roles. When you assign a system role to an
employee, the subscription is inherited by all user accounts owned by these employees.

NOTE: Subscriptions with the option Only use in IT Shop set, can only be assigned
to system roles that also have this option set. For more information, see the One
Identity Manager System Roles Administration Guide.
To assign a subscription to a system role

- OR -
Related Topics

Adding Azure Active Directory Subscriptions to

the IT Shop
Once a subscription is assigned to an IT Shop shelf, it can be requested by customers. To
ensure it can be requested, further prerequisites need to be guaranteed.
l The subscription must be labeled with the IT Shop option.

l The subscription must be assigned to a service item.
l If the subscription is only supposed to be available to employees through IT Shop
requests, the subscription must also be labeled with the option Only for use in IT
Shop. Direct assignment to hierarchical roles may not be possible.
NOTE: IT Shop administrators can assign subscriptions to IT Shop shelves in the case
of role-based login. Target system administrators are not authorized to add subscrip-
tions in the IT Shop.
To add a subscription in the IT Shop
1. Select the category Azure Active Directory | Subscriptions (non role-based

login).

- OR -
Select the category Entitlements | Azure Active Directory subscriptions (role-
based subscription).
4. Assign the subscription to the IT Shop in Add assignments.
To remove a subscription from individual IT Shop shelves
1. Select the category Azure Active Directory | Subscriptions (non role-

based login).
- OR -
4. Remove the subscription from the IT Shop shelves in Remove assignments.
To remove a subscription from all IT Shop shelves
1. Select the category Azure Active Directory | Subscriptions (non role-

based login).
- OR -
5. Click OK.
The subscription is removed from all shelves by the One Identity Manager Service.
All request and assignment requests for this subscription are canceled in the process.
Related Topics
l Editing Azure Active Directory Subscription Master Data on page 128


Additional Tasks for Managing Azure Active

Directory Subscriptions
Overview of Azure Active Directory Subscriptions

To obtain an overview of a subscription

3. Select Azure Active Directory subscription overview in the task view.
To obtain an overview of a service plan
1. Select the category Azure Active Directory | Service plans.

2. Select the service plan in the result list.
3. Select Azure Active Directory service plan overview in the task view.
To obtain an overview of a disabled service plan
1. Select the category Azure Active Directory | Disabled service plans.

3. Select Disabled Azure Active Directory service plan overview.
Effectiveness of Subscription Assignments

You can also apply the behavior described under Effectiveness of Group Memberships on
page 112 to subscriptions. The effect of the assignments is mapped in the tables
AADUserHasSubSku and AADBaseTreeHasSubSku through the column XIsInEffect.
Prerequisites
l The configuration parameter "QER\Structures\Inherite\GroupExclusion" is set.

l Mutually exclusive subscriptions belong to the same tenant.

To exclude subscriptions

3. Select Exclude subscriptions.
4. Assign subscriptions that are mutually exclusive to the selected one, in Add
assignments.
- OR -
Remove subscriptions that are no longer mutually exclusive, in Remove
assignments.
Inheriting Azure Active Directory Subscriptions

based on Categories
Based on Categories on page 114 to subscriptions.

l Assign categories to subscriptions through their master data.
Related Topics

l Editing Azure Active Directory Subscription Master Data on page 128
Assigning Additional Properties to an Azure

Active Directory Subscription
To specify extended properties for a subscription


The view- OR -
Disabled Azure Active Directory

Service Plan
So called "disabled service plans" are mapped in the One Identity Manager to prevent users
from using single service plans. Disabled service plans are created automatically after
synchronizing the subscription in the One Identity Manager. Disabled service plans are
requested through the IT Shop or assigned to users through departments, cost centers,
locations, business roles or system roles.
Editing Master Data of Disabled Azure Active

Directory Service Plans
To edit disabled service plan master data

4. Edit the service plan’s master data.
Table 46: Disabled Service Plan Master Data
Subscription Name of the subscription.
Service plan Name of the service plan.

IT Shop Specifies whether the service plan can be requested through the IT Shop.
The disabled service plan can be requested by your staff though the Web
Portal and granted through a defined approval process. The disabled
service plan can still be assigned directly to hierarchical roles.

Only for use Specifies whether the disabled service plan can only be requested through
in IT Shop the IT Shop. The disabled service plan can be requested by your staff
though the Web Portal and granted through a defined approval process. The
disabled service plan may not be assigned directly to hierarchical roles.
Service Service item data for requesting the disabled service plan through the IT
item Shop.
Category Categories for disabled service plan inheritance. User accounts can select-
ively inherit disabled service plans. To do this, disabled service plans and
user accounts are divided into categories. Use this menu to allocate one or
more categories to the disabled service plan.
Related Topics

l For more detailed information about preparing disabled service plans for requesting
through the IT Shop, see the One Identity Manager IT Shop Administration Guide.
Assigning Disabled Azure Active Directory

Service Plans to Azure Active Directory
User Accounts
roles, such as, departments, cost centers, locations or business roles. The disabled service
plans assigned to an employee are calculated from the position in the hierarchy and the
direction of inheritance.
If the employee has a user account in Azure Active Directory, disabled service plans
belonging to roles are inherited by this user account.
Prerequisites for indirect assignment of employees to user accounts:
l Assignment of employees and disabled service plans is permitted for role classes
Furthermore, disabled service plans can be assigned to employees through IT Shop

requests. Add employees to a shop as customers so that disabled service plans can be
assigned through IT Shop requests. All disabled service plans are assigned to this shop can
be requested by the customers. Requested disabled service plans are assigned to the
employees after approval is granted.

l Assigning Disabled Azure Active Directory Service Plans to Departments, Cost

Centers and Locations on page 140
l Assigning Disabled Azure Active Directory Service Plans to Business Roles on
page 141
Service Plans on page 142
l Adding Disabled Azure Active Directory Service Plans to System Roles on page 143
l Adding Disabled Azure Active Directory Service Plans to the IT Shop on page 144
Assigning Disabled Azure Active Directory Service

Plans to Departments, Cost Centers and Locations
Assign disabled service plans to departments, cost centers and locations in order to assign
user accounts to them through these organizations.
To assign a disabled service plan to departments, cost centers or locations (non

role-based login)

- OR -
To assign disabled service plans to a department, cost center or location (role-

based login)

- OR -
- OR -
3. Select Assign disabled Azure Active Directory service plan in the task view.

4. Assign service plans in Add assignments.
- OR -
Remove service plans in Remove assignments.
Related Topics

page 141
on page 9
Assigning Disabled Azure Active Directory Service

Plans to Business Roles
Assign disabled service plans to business roles to assign them to user accounts over these
business roles.
To assign a disabled service plan to a business role (non role-based login)

4.
- OR -
To assign disabled service plans to a business role (non role-based login)

3. Select Assign disabled Azure Active Directory service plan in the task view.

4. Assign service plans in Add assignments.
- OR -
Remove service plans in Remove assignments.
Related Topics

on page 9
Assigning Azure Active Directory User Accounts

directly to Azure Active Directory Service Plans
roles, such as, departments, cost centers, locations or business roles. If the employee has
a user account in Azure Active Directory, disabled service plans belonging to roles are
To react quickly to special requests, you can assign disabled service plans directly to a
user account.
To assign a disabled service plan directly to a user account

The view- OR -
Related Topics
l Assigning Azure Active Directory Subscriptions directly to Azure Active Directory


page 141
Adding Disabled Azure Active Directory Service

Plans to System Roles
Use this task to add disabled service plans to system roles. If you assign a system role
to an employee, the disabled service plan is inherited by all user accounts owned by
these employees.
NOTE: Disabled service plans with the option Only use in IT Shop set, can only be
assigned to system roles that also have this option set. For more information, see the
One Identity Manager System Roles Administration Guide.
To assign a disabled service plan to system roles

- OR -
Related Topics

page 141

Adding Disabled Azure Active Directory Service
Plans to the IT Shop
A disabled service plan can be requested by shop customers when it is assigned to an IT
Shop shelf. To ensure it can be requested, further prerequisites need to be guaranteed.
l The disabled service plan must be labeled with the option IT Shop.
l The disabled service plan must be assigned to a service item.
l If the disabled service plan is only assigned to employees using IT Shop requests,
you must also set the option Only for use in IT Shop. Direct assignment to
NOTE: IT Shop administrators can assign disabled service plans to IT Shop shelves in
the case of role-based login. Target system administrators are not authorized to add
disabled service plans in the IT Shop.
To add a disabled service plan in the IT Shop
1. Select the category Azure Active Directory | Disabled service plan (non role-
based login).
- OR -
Select the category Entitlements | Disabled Azure Active Directory service
plans (role-based subscription).
4. Assign the disabled service plan to the IT Shop in Add assignments.
To remove a disabled service plan from individual IT Shop shelves
based login).
- OR -
4. Remove the disabled service plan from the IT Shop shelves in Remove
assignments.

To remove a disabled service plan from all IT Shop shelves
based login).
- OR -
5. Click OK.
The disabled service plan is removed from all shelves by the One Identity Manager
Service. All requests and assignment requests with this disabled service plan are
Related Topics

page 141
Additional Tasks for Managing Disabled

Azure Active Directory Service Plans

Overview of Disabled Azure Active Directory
Service Plans
To obtain an overview of a disabled service plan

3. Select Disabled Azure Active Directory service plan overview.
Effectiveness of Assignments of Disabled

Service Plans
You can also apply the behavior described under Effectiveness of Group Memberships on
page 112 for disabled service plans. The effect of the assignments is mapped in the tables
AADUserHasDeneiedService and AADBaseTreeHasDeniedService through the column
XIsInEffect.
Prerequisites
l The configuration parameter "QER\Structures\Inherite\GroupExclusion" is set.

l Mutually exclusive groups belong to the same tenant.
To exclude subscriptions

2. Select the disabled service plan from the result list.
3. Select Exclude disabled service plans in the task view.
4. Assign disabled service plans that are mutually exclusive to the selected one, in Add
assignments.
- OR -
Remove disabled service plans that are no longer mutually exclusive, in Remove
assignments.
Inheritance of Disabled Azure Active Directory

Service Plans Based on Categories
Based on Categories on page 114 for disabled service plans.


l Assign categories to disabled service plans through their master data.
Related Topics

l Editing Master Data of Disabled Azure Active Directory Service Plans on page 138
Assigning Extended Properties to a disabled

Azure Active Directory Service Plan
To specify extended properties for a disabled service plan

The view- OR -

9
Reports about Azure Active

Directory Objects
One Identity Manager makes various reports available containing information about the
selected base object and its relations to other One Identity Manager database objects. The
following reports are available for Azure Active Directory.
NOTE: Other sections may be available depending on the which modules are
installed.
Table 47: Reports for the Target System
Report Description
Overview of all This report finds all roles containing employees with at least
Assignments one user account in the selected tenant.
Show orphaned user This report shows all user accounts in the tenant, which are
accounts not assigned to an employee. The report contains group
memberships and risk assessment.
Show employees with This report shows all employees with more than one user
multiple user accounts account in the tenant. The report is a risk assessment.
Show unused user This report shows all the tenant's user accounts that have
accounts not been used in the last few months. The report contains
group memberships and risk assessment.
Show entitlement drifts This report shows all the groups in the tenant, which are the
result of manual operations in the target system rather than
provisioned through One Identity Manager.
Show user accounts with This report contains all user accounts in the tenant with an
an above average number above average number of group memberships.
of system entitlements
Azure Active Directory This report contains a summary of user account and group
user account and group distribution in all tenants. You can find this report in the
administration category My One Identity Manager.

Reports about Azure Active Directory Objects
Report Description
Data quality summary for This report contains different evaluations of user account
Azure Active Directory data quality in all tenants. You can find this report in the
user accounts category My One Identity Manager.
Overview of all Assignments

The report "Overview of all Assignments" is displayed for certain objects, for example,
permissions, compliance rules or roles. The report finds all the roles, for example,
departments, cost centers, locations, business roles and IT Shop structures in which there
are employee who own the selected base object. In this case, direct as well as indirect
base object assignments are included.
Example
l If the report is created for a resource, all roles are determined in which there are
employees with this resource.
l If the report is created for a group, all roles are determined in which there are
employees with this group.
l If the report is created for a compliance rule, all roles are determined in which there
are employees with this compliance rule.
l If the report is created for a department, all roles are determined in which
employees of the selected department are also members.
l If the report is created for a business role, all roles are determined in which
employees of the selected business role are also members.
To display detailed information about assignments
l To display the report, select the base object from the navigation or the result list and
select the report Overview of all assignments.
l Use the Used by button in the report's toolbar to select the role class
(department, location, business role or IT Shop structure) for which you determine if
roles exist in which there are employees with the selected base object.
All the roles of the selected role class are shown. The color coding of elements
identifies the role in which there are employees with the selected base object. The
meaning of the report control elements is explained in a separate legend. In the
report's toolbar, click to open the legend.
l Double-click a control to show all child roles belonging to the selected role.
l By clicking the button in a role's control, you display all employees in the role with
the base object.

l Use the small arrow next to to start a wizard that allows you to bookmark this list
of employee for tracking. This creates a new business role to which the employees
are assigned.
Figure 3: Toolbar for Report "Overview of all assignments"
Table 48: Meaning of Icons in the Report Toolbar
Icon Meaning
Show the legend with the meaning of the report control elements
Saves the current report view as a graphic.
Selects the role class used to generate the report.

Displays all roles or only the affected roles.

A
Appendix: Configuration Parameters

for Managing Azure Active Directory
The following configuration parameters are additionally available in One Identity Manager
after the module has been installed.
Table 49: Configuration parameter
Configuration parameter Description
TargetSystem\AzureAD Preprocessor relevant configuration parameter

for controlling the database model components
for the administration of the target system
Azure Active Directory. If the parameter is set,
the target system components are available.
Changes to the parameter require recompiling
the database.
TargetSystem\AzureAD\Accounts This configuration parameter permits

configuration of user account data.
TargetSystem\AzureAD\Accounts\ This configuration parameter specifies whether

InitialRandomPassword a random generated password is issued when a
new user account is added. The password must
contain at least those character sets that are
defined in the password policy.
TargetSystem\AzureAD\Accounts\ This configuration parameter specifies to which

InitialRandomPassword\SendTo employee the email with the random generated
password should be sent (manager cost
center/department/location/role, employee’s
manager or XUserInserted). If no recipient can
be found, the password is sent to the address
stored in the configuration parameter
"TargetSystem\AzureAD\DefaultAddress".
TargetSystem\AzureAD\Accounts\ This configuration parameter contains the name

InitialRandomPassword\SendTo\ of the mail template sent to inform users about
MailTemplateAccountName their initial login data (name of the user

151
Appendix: Configuration Parameters for Managing Azure Active
Directory
account). Use the mail template "Employee -

new account created".
TargetSystem\AzureAD\Accounts\ This configuration parameter contains the name

InitialRandomPassword\SendTo\ of the mail template sent to inform users about
MailTemplatePassword their initial login data (initial password). Use
the mail template "Employee - initial password
for new user account".
TargetSystem\AzureAD\Accounts\ This configuration parameter contains the mail

MailTemplateDefaultValues template used to send notifications if default IT
operating data mapping values are used for
automatically creating a user account. Use the
mail template "Employee - new user account
with default properties created".
TargetSystem\AzureAD\Accounts\ This configuration parameter allows config-

PrivilegedAccount uration of settings for privileged Azure Active
Directory user accounts.
TargetSystem\AzureAD\Accounts\ This configuration parameter contains the
PrivilegedAccount\ postfix for formatting login names for
AccountName_Postfix privileged user accounts.
TargetSystem\AzureAD\Accounts\ This configuration parameter contains the

PrivilegedAccount\ prefix for formatting login names for privileged
AccountName_Prefix user accounts.
TargetSystem\AzureAD\DefaultAddress The configuration parameter contains the

recipient's default email address for sending
notifications about actions in the target system.
TargetSystem\AzureAD\ This configuration parameter contains the

MaxFullsyncDuration maximum runtime for synchronization. No
recalculation of group memberships by the
DBQueue Processor can take place during this
time. If the maximum runtime is exceeded,
group membership are recalculated.
TargetSystem\AzureAD\ This configuration parameter specifies the

PersonAutoDefault mode for automatic employee assignment for
user accounts added to the database outside
synchronization.
TargetSystem\AzureAD\ This configuration parameters specifies

PersonAutoDisabledAccounts whether employees are automatically assigned
to disable user accounts. User accounts do not
obtain an account definition.
TargetSystem\AzureAD\ This configuration parameter specifies the

152
Directory
PersonAutoFullSync mode for automatic employee assignment for

user accounts added to or updated in the
database through synchronization.
TargetSystem\AzureAD\ List of all user accounts for which automatic

PersonExcludeList employee assignment should not take place.
Names given in a pipe (|) delimited list that is
handled as a regular search pattern.
Example:
ADMINISTRATOR

153
Directory
B
Appendix: Default Project Template

for Azure Active Directory
A default project template ensures that all required information is added in the One
Identity Manager. This includes mappings, workflows and the synchronization base object.
If you do not use a default project template you must declare the synchronization base
object in One Identity Manager yourself.
Use a default project template for initially setting up the synchronization project. For
custom implementations, you can extend the synchronization project with the
.Synchronization Editor
The template uses mappings for the following schema types.
Table 50: Mapping Azure Active Directory schema types to tables in the One
Identity Manager schema.
Schema type in Azure Active Table in the One Identity Manager

Directory schema
DirectoryRole AADDirectoryRole
Group AADGroup
LicenseAssignments AADUserHasSubSku
Organization AADOrganization
ServicePlans AADServicePlan
SubscribedSku AADSubSku
User AADUser
Verified Domain AADVerifiedDomain

Appendix: Default Project Template for Azure Active Directory
About us
About us
Contacting us
For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx
or call +1-800-306-9329.
Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
l Submit and manage a Service Request

l View Knowledge Base articles
l Sign up for product notifications
l Download software and technical documentation
l View how-to-videos at www.YouTube.com/OneIdentity
l Engage in community discussions
l Chat with support engineers online
l View services to assist you with your product

About us
Index
I ndex
A edit 118
account definition 35 risk index 118
add to IT Shop 49 service item 118
assign automatically 47 template 118
assign to all employees 47 tenant 118
assign to Azure Active Directory Azure Active Directory domain 77

tenant 50 Azure Active Directory duty roster 128,
assign to business role 46 130
assign to cost center 46 disabled service plan
assign to department 46 add to IT Shop 134, 144
assign to employee 45, 48 add to system role 143
assign to location 46 assign to business role 141
assign to system roles 48 assign to cost center 140
create 36 assign to department 140
delete 51 assign to location 140
IT operating data 41-42 assign user account 93, 139, 142
manage level 38 category 146
architecture overview 8 edit 138
Azure Active Directory effective 146
use case 14 exclusion 146
Azure Active Directory administrator Azure Active Directory group

role 118 add to IT Shop 109
add to IT Shop 124 add to system role 109
add to system role 123 alias 103
assign extended properties 127 assign extended properties 116
assign to business role 122 assign group 111
assign to cost center 120 assign to business role 107
assign to department 120 assign to cost center 106
assign to location 120 assign to department 106
assign user account 91, 120, 123 assign to location 106
category 118, 126 assign user account 91, 105, 108
display name 118

Index
category 103, 114 edit 73
delete 117 employee assignment 96
distribution group 102 local Active Directory 76
edit 103 Overview of all Assignments 149
effective 112 report 148
email address 103 synchronization 74
exclusion 112 target system manager 9, 65, 74
group type 102-103 Azure Active Directory user account
mail-enabled security policy 102 account definition 50, 85
Office 365 group 102 account manager 88
owner 116 administrative user account 80
risk index 103 alias 85
security group 102-103 assign administrator role 91, 123
service item 103 assign disabled service plan 93, 142
tenant 103 assign employee 79, 84-85, 94
Azure Active Directory license 128 assign extended properties 93
Azure Active Directory subscription 128 assign group 91, 108
add to IT Shop 134 assign subscription 92, 133
add to system role 133 category 85, 114, 126, 137, 146
assign extended properties 137, 147 company 88
assign to business role 132 default user accounts 80
assign to cost center 131 delete 100
assign to department 131 department 88
assign to location 131 disable 85, 99
assign user account 92, 130, 133, domain 85
139
email address 85, 88
category 137
employee 85
edit 128
identity 80, 85
effective 136
Immutable identifier 89
exclusion 136
inherit group 85
Azure Active Directory tenant
job description 88
account definition 74
local user account 89
account definition (initial) 50
location 85
application roles 9
lock 100
category 76, 114, 126, 137, 146
login name 85

Index
manage 79 I
manage level 85, 90
IT operating data
password 85
change 44
initial 62
IT Shop shelf
password policies 85
assign account definition 49
privileged user account 80, 85
proxy address 88
J
restore 100
risk index 85 Job server
set up 84 edit 15
SID 89
tenant 85 L
town 88 login data 63
type 80
M
C
membership
calculation schedule modify provisioning 31
disable 32
configuration parameter 151
N
notification 63
D
direction of synchronization
O
direction target system 18, 27
object
in the Manager 18
delete immediately 29
outstanding 29
E
publish 29
email notification 63 One Identity Manager
employee assignment administrator 9
automatic 94 register as application 14
manual 97 target system administrator 9
remove 97 target system manager 9
search criteria 96 Target System Managersr 65
table column 96
exclusion definition 112, 136, 146

Index
user 9 update 28
outstanding object 29 synchronization
authorizations 13
P base object
create 27
password
configure 18, 25
initial 63
connection parameter 18, 25, 27
password policy 53
different domains 27
assign 60
extended schema 27
character sets 56
prevent 32
check password 60
scope 25
conversion script 57-58
set up 12
default policy 54, 60
start 18
display name 54
synchronization project
edit 54
create 18
error message 54
target system schema 27
excluded list 59
user 13
failed logins 55
variable 25
generate password 60
variable set 27
initial password 55
workflow 18, 27
name components 55
synchronization analysis report 32
password age 55
synchronization configuration
password cycle 55
customize 25, 27
password length 55
synchronization log 24
password strength 55
synchronization project
predefined 53
create 18
test script 57
disable 32
project template 154
edit 77
provisioning
project template 154
members list 31
synchronization server
configure 15
S install 15
schema Job server 15
changes 28 synchronization workflow
shrink 28 create 18, 27

Index
T
target system synchronization 29
template
IT operating data, modify 44
U
user account
administrative user account 80
apply template 44
default user accounts 80
identity 80
password
notification 63
privileged user account 80
type 80

Index

OneIM AzureActiveDirectory Administration

Uploaded by

Copyright:

Available Formats

OneIM AzureActiveDirectory Administration

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

OneIM AzureActiveDirectory Administration

Uploaded by

Copyright:

Available Formats

One Identity Manager 8.

Administration Guide for Connecting

WARNING: A WARNING icon indicates a potential for property damage,

CAUTION: A CAUTION icon indicates potential damage to hardware or loss

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting

Managing Azure Active Directory Environments 8

Setting Up Synchronization with an Azure Active Directory Tenant 12

Base Data for Managing Azure Active Directory 34

One Identity Manager 8.0 Administration Guide for Connecting to

Azure Active Directory Core Directories 73

Azure Active Directory User Accounts 79

One Identity Manager 8.0 Administration Guide for Connecting to

Azure Active Directory Groups 102

One Identity Manager 8.0 Administration Guide for Connecting to

Azure Active Directory Administrator Roles 118

Azure Active Directory Subscriptions and Service Plans 128

One Identity Manager 8.0 Administration Guide for Connecting to

Reports about Azure Active Directory Objects 148

Appendix: Configuration Parameters for Managing Azure Active Directory 151

Appendix: Default Project Template for Azure Active Directory 154

One Identity Manager 8.0 Administration Guide for Connecting to

Managing Azure Active Directory

One Identity Manager 8.0 Administration Guide for Connecting to

One Identity Manager Users for

Target system admin- Target system administrators must be assigned to the

l Administrate application roles for individual target

One Identity Manager 8.0 Administration Guide for Connecting to

l Authorize other employee to be target system admin-

Target system Target system managers must be assigned to the application

l Assume administrative tasks for the target system.

One Identity Manager l Create customized permissions groups for application

Administrators for the Administrators must be assigned to the application role

l Assign to IT Shop structures.

One Identity Manager 8.0 Administration Guide for Connecting to

IT Shop Request & Fulfillment | IT Shop | Product owners or an

l Approve through requests.

Administrators for Administrators must be assigned to the application role

l Assign to departments, cost centers and locations.

Business roles admin- Administrators must be assigned to the application role

l Assign to business roles.

One Identity Manager 8.0 Administration Guide for Connecting to

Setting Up Synchronization with an

Detailed information about this topic

One Identity Manager 8.0 Administration Guide for Connecting to

Users and Permissions for

Table 2: Users for Synchronization

l Member in the organization role "Global administrator".

NOTE: If the One Identity Manager Service runs under the

l %ProgramFiles(x86)%\One Identity (on 32-bit operating

One Identity Manager 8.0 Administration Guide for Connecting to

l %ProgramFiles%\One Identity (on 64-bit operating systems)

Integrating One Identity Manager into

To configure the One Identity Manager as an application in Azure Active

1. Log on to the Microsoft Azure Management Portal

One Identity Manager 8.0 Administration Guide for Connecting to

l Creating a Synchronization Project for initial Synchronization of an Azure Active

Setting Up the Synchronization Server

l Windows operating system

NOTE: Microsoft .NET Framework version 4.6 is not supported.

NOTE: Take the target system manufacturer's recommendations into account.