7.5 Configuring Azure Tenants

With an active Azure account and one or more Azure tenants, you can configure DRA to work with Azure Active Directory to manage user and group objects. These objects include users and groups created in Azure and users and groups synchronized with the Azure tenant from DRA managed domains.

The Azure PowerShell modules, Azure Active Directory and Azure Resource Manager Profile, are required to manage Azure tasks. You also need an account in Azure Active Directory. For information on Azure tenant access account permissions, see Least Privilege DRA Access Accounts.

IMPORTANT: Operations on Azure objects such as create, modify, delete, disable, and enable are not supported in the Delegation and Configuration Console.

7.5.1 Delegating Roles and Powers

You can use either the DRA Administrator or an assistant administrator with the delegated role “Configure Servers and Domains” to manage Azure tenants. The Azure built-in roles are required to manage Azure objects.

Azure Built-in Roles

For delegating Azure objects, assign the following Azure roles:

  • Azure Group Administration: Provides all the powers required to manage Azure groups and Azure group membership.

  • Azure User Administration: Provides all the powers required to manage Azure users.

Azure Powers

Use the following powers to delegate the creation and management of Azure users and groups.

Azure User Account Powers:

  • Create Azure User and Modify All Properties

  • Delete Azure User Account Permanently

  • Manage Sign-In for Azure Users

  • Manage Sign-In for Azure Users Synced to Azure Tenant

  • Modify All Azure User Properties

  • Reset Azure User Account Password

  • View All Azure User Properties

Azure Group Powers:

  • Add Object to Azure Group

  • Create Azure Group and Modify All Properties

  • Delete Azure Group Account

  • Modify All Azure Group Properties

  • Remove Object from Azure Group

  • View All Azure Group Properties

To manage properties of Azure users or groups at a more granular level, create custom powers by selecting specific object attributes.

Supported Azure Objects

The following Azure group types are supported:

  • Distribution List

  • Mail-enabled Security

  • Office 365

  • Security

NOTE: Guest users created in Azure are not supported.

7.5.2 Creating an Azure Application and Adding an Azure Tenant

To manage a new Azure tenant, add the tenant by creating an Azure application through the Delegation and Configuration Console. DRA supports creating the Azure application either online or offline, and requires an Azure application with the following permissions in order to manage objects in the tenant:

  • Read and write all users' full profiles

  • Read and write all groups

  • Read directory data

These permissions are granted to the Azure application automatically with both the online and the offline approach.
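As an added defender-side check that is not part of DRA or this guide, the following PowerShell script compares the permissions actually granted to the DRA application against the three listed above and reports anything missing or extra. It assumes the AzureAD module, the application display name from the tenant wizard, and the scope-name mapping given in its comments.

```powershell
# Added verification script (not part of DRA or its SupportingFiles). Assumes the AzureAD
# PowerShell module and that the DRA application is registered under the display name
# you gave in the tenant wizard; the scope names are the Microsoft identifiers that
# correspond to the three consent strings listed above (assumption: DRA requests exactly these).
param(
    [string]$AppName = 'DRA-Azure-Application'   # placeholder; use the name from the tenant wizard
)

Import-Module AzureAD
Connect-AzureAD | Out-Null

$expected = @{
    'User.ReadWrite.All'  = "Read and write all users' full profiles"
    'Group.ReadWrite.All' = 'Read and write all groups'
    'Directory.Read.All'  = 'Read directory data'
}

$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppName'"
if (-not $sp) { throw "Service principal '$AppName' was not found in this tenant." }

$granted = @()

# Delegated permissions: scopes consented to the application (tenant-wide consent has
# ConsentType 'AllPrincipals'); Scope is a space-separated string.
foreach ($g in Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId) {
    $granted += ($g.Scope -split ' ' | Where-Object { $_ })
}

# Application permissions: app roles assigned to this service principal on other
# resources; the role id is resolved to its name through the resource's AppRoles list.
foreach ($ra in Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId |
         Where-Object { $_.PrincipalId -eq $sp.ObjectId }) {
    $resource = Get-AzureADServicePrincipal -ObjectId $ra.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $ra.Id }
    if ($role) { $granted += $role.Value }
}
$granted = $granted | Sort-Object -Unique

# Missing entries break object management; extra entries exceed the documented least-privilege set.
$missing = $expected.Keys | Where-Object { $granted -notcontains $_ }
$extra   = $granted       | Where-Object { $expected.Keys -notcontains $_ }

foreach ($m in $missing) { Write-Warning "Missing: $m ($($expected[$m]))" }
foreach ($e in $extra)   { Write-Warning "Granted beyond the documented set: $e" }
if (-not $missing -and -not $extra) {
    Write-Output "Application '$AppName' holds exactly the documented permissions."
}
```

Run it with an account that can read service principals in the tenant; a non-empty "extra" list is the cue to review the application registration before adding the tenant.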

To create an Azure Application online and to add a tenant:

  1. Navigate to Configuration Management > Azure Tenants in the Delegation and Configuration Console.

  2. Right-click Azure Tenants and select New Azure Tenant.

  3. (Optional) Specify the source anchor attribute used to map your Active Directory objects to Azure during synchronization.

  4. Specify the account used to access the Azure tenant, and then validate credentials.

    For information on Azure tenant access account permissions, see Least Privilege DRA Access Accounts.

  5. Select the Allow DRA to create the Azure application option.

  6. Specify the credentials for a user account with the Azure AD Company Administrator role, and then validate credentials.

  7. Click Finish.

    Adding the Azure tenant might take several minutes. After the tenant is successfully added, DRA performs a full accounts cache refresh for the tenant and the added tenant is displayed in the Azure Tenants view pane.

    NOTE: After the refresh completes, if you want to check the account status for all managed Azure tenants, install the msonline PowerShell module and then run the Tenant Accounts Overview check in the Health Check Utility. To install the module, run the install-module msonline command in PowerShell.

To create an Azure application offline for DRA and add a tenant:

  1. Navigate to Configuration Management > Azure Tenants in the Delegation and Configuration Console.

  2. Right-click Azure Tenants, and select New Azure Tenant.

  3. (Optional) Specify the source anchor attribute used to map your Active Directory objects to Azure during synchronization.

  4. Specify the account used to access the Azure tenant and then validate credentials.

  5. Select the Create the Azure application offline option.

  6. Launch a PowerShell session on the DRA Administration server, and navigate to C:\Program Files (x86)\NetIQ\DRA\SupportingFiles.

  7. Execute . .\NewDraAzureApplication.ps1 to load the script into the PowerShell session.

  8. Run the New-DRAAzureApplication cmdlet; it prompts for parameters.

  9. Specify the following parameters for New-DRAAzureApplication:

    • <name> - Name of the application from the tenant wizard.

      IMPORTANT: Micro Focus recommends that you use the name specified in the DRA console.

    • (Optional) <environment> - Specify AzureCloud, AzureChinaCloud, AzureGermanyCloud, or AzureUSGovernment, depending on which tenant you are using.

  10. In the Credential dialog, specify the Company Administrator credentials.

    The Azure application ID and password are generated.

  11. Copy the application ID and password into the DRA console (tenant wizard DRA Azure Application Credentials), and then validate credentials.

  12. Click Finish.

    Adding the Azure tenant might take several minutes. After the tenant is successfully added, DRA performs a full accounts cache refresh for the tenant and the added tenant is displayed in the Azure Tenants view pane.

    NOTE: After the refresh completes, if you want to check the account status for all managed Azure tenants, install the msonline PowerShell module and then run the Tenant Accounts Overview check in the Health Check Utility. To install the module, run the install-module msonline command in PowerShell.

7.5.3 Resetting an Azure Application Password

Follow the steps below to reset the Azure application password, either online or offline, as applicable.

To reset an Azure application password for DRA using Azure Credentials:

  1. Navigate to Configuration Management > Azure Tenants in the Delegation and Configuration Console.

  2. Right-click the managed Azure tenant, and select Properties.

  3. Click Azure Application in the Properties page.

  4. Choose the Allow DRA to reset the password using your Azure Credentials option, and then specify the Azure credentials.

  5. Apply the changes.

To reset an Azure application password for DRA offline:

  1. Launch a PowerShell session on the DRA Administration server, and navigate to C:\Program Files (x86)\NetIQ\DRA\SupportingFiles.

  2. Execute . .\ResetDraAzureApplicationPassword.ps1 to load the script into the PowerShell session.

  3. Run the Reset-DRAAzureApplicationPassword cmdlet; it prompts for parameters.

  4. Specify the following parameters for Reset-DRAAzureApplicationPassword:

    • <name> - Name of the application from the tenant wizard.

      IMPORTANT: Micro Focus recommends that you use the name specified in the DRA console.

    • (Optional) <environment> - Specify AzureCloud, AzureChinaCloud, AzureGermanyCloud, or AzureUSGovernment, depending on which tenant you are using.

  5. In the Credential dialog box, specify the Company Administrator credentials.

    The Azure application ID and password are generated.

  6. Copy the application ID and password into the DRA console (tenant wizard DRA Azure Application Credentials), and then validate credentials.

  7. Open the Delegation and Configuration Console and navigate to Configuration Management > Azure Tenants.

  8. Right-click an Azure tenant and go to Properties > Azure Application.

  9. Choose the Reset the password offline using the supplied script option and then paste the Azure application password that is generated from the script.

  10. Apply the changes.