3.1 Creating the Driver Object in Designer

An administrator must use Designer to create the Azure AD driver.

The Azure AD driver is package-enabled and you must install and deploy the driver using Designer. You can use iManager to view and edit the deployed configuration. NetIQ recommends that you use Designer to perform any changes.

3.1.1 Importing the Driver Packages

The driver packages contain the items required to create a driver, such as policies, entitlements, and filters. These packages are only available in Designer and can be updated after they are installed. Before you create a new driver object, make sure the Package Catalog contains the most current version of the packages.

  1. Open Designer.

  2. In the toolbar, click Help > Check for Package Updates.

  3. Click OK to update the packages or click OK if the packages are up-to-date.

  4. Right-click Package Catalog and then select Import Package.

  5. Select any Azure AD driver packages.

    or

    Click Select All to import all of the packages displayed.

  6. Click OK to import the selected packages, then click OK in the successfully imported package message.

After the packages are imported, continue with Installing the Driver Packages.

3.1.2 Installing the Driver Packages

After you have imported the current driver packages into the Package Catalog, you can install the driver packages to create a new driver.

  1. Open your project in Designer.

  2. In the Modeler, right-click the driver set where you want to create the driver, then select New > Driver.

    Alternatively, you can drag and drop the Azure AD driver icon from the Cloud section of the Designer palette.

  3. In the Driver Configuration wizard, select the Azure AD Base package from the list of base packages, then click Next.

  4. Select the optional features to install for the Azure AD driver. All options are selected by default. The options are:

    • Default Configuration: This package contains the default configuration information for the driver. Always leave this option selected.

      NOTE: The Azure AD Default package and Azure AD Exchange Default package are included in the Default Configuration package. By default, the Azure AD Exchange Default package is not selected. Select this package if you plan to use the Identity Manager Exchange Service.

    • Entitlements and License Support: This package contains configuration information and policies for synchronizing user accounts, group membership, roles and licenses. If you want to enable account creation and auditing through entitlements, verify that this option is selected.

      To enable the hybrid mode, select the Azure AD Hybrid Entitlements package. In this mode, the driver supports only Roles and License entitlements.

    • Password Synchronization: This package contains the policies that enable the driver to synchronize passwords. If you want to synchronize passwords, ensure that this package is selected.

    • Account Tracking: This package contains the policies that enable you to track accounts for reports. If you are using the Identity Reporting Module, ensure that this package is selected.

    • Data Collection: This package contains the policies that enable the driver to collect data for reports. If you are using the Identity Manager Reporting Module, ensure that this package is selected.

  5. Click Next.

  6. (Conditional) If the packages you selected to install have package dependencies, those dependencies must be installed before the selected packages can be installed. Click OK to install the package dependencies listed.

  7. (Conditional) If more than one type of package dependency must be installed, you are presented with these packages separately. Click OK to install any additional package dependencies.

  8. On the Driver Information page, specify a name for the driver, then click Next.

  9. On the Driver Configuration page, fill in the following fields to configure the driver:

    Authentication ID: Provide the authentication information while configuring the domain connections for the driver. This is a qualified userPrincipalName on Azure AD with login permissions. For example, admin@domain.onmicrosoft.com.

    Password: Specify the password for the driver to authenticate to Azure AD.

    Driver Options: To view the driver options, select Show.

    Client ID: Specify the account name which the driver will use to access the Azure AD applications.

    Client Secret: Specify the password for the Client ID to access the Azure AD applications.

    NOTE: You created the Client ID and Client Secret while creating a proxy application in Azure AD. For more information, see Creating a Proxy Application on Azure AD.

    Show Schema Extensions Configuration: To show the schema extensions configuration options for the application (Azure AD), select Show.

    Enable Hybrid Operation Mode: In hybrid mode, the driver provisions only roles and licenses while the users and groups are provisioned by the AD driver. By default, the parameter is set to Yes. If you want to run the driver in normal mode, set the option to No.

    Activate Azure Directory Roles: By default, the driver obtains the roles that have been pre-activated in Azure Directory. If you want the driver to activate all Azure Directory roles, set this option to Yes. This fetches all the activated roles in Catalog Administrator. These roles are also available at driver startup. Role activation is a one-time activity and need not be performed again. To obtain only pre-activated roles, leave the setting unchanged.

    Existing Schema Extensions: To retain the previously-loaded configuration from Azure AD, select Preserve. To remove existing configuration, specify Remove.

    Add a schema extension: Specify appropriate configuration details while adding a schema extension. You can add multiple schema extensions if required.

    • Name of extension: Specify the name of the schema extension.

      If you create multiple schema extensions with the same name, the driver uses the first extension in the list and ignores the remaining extensions that have the same name.

    • Type of extension: Specify the data type for the configured schema extension. Ensure that the data type is a supported schema extension type in Azure AD.

    • Target objects of extension: Lists the target objects for the schema extension. A schema extension can be extended to multiple target object classes. For example, if you have a schema extension called Title, it can be extended to a User and Group object classes.

    NOTE: You can configure a maximum of one hundred extensions on Azure AD.

    Subscriber Options: To view the Subscriber options, select Show.

    Truststore file: Specify the name and path of the truststore file containing the trusted certificates used when a remote server is configured to provide server authentication. This file will contain certificates for Azure Graph and Exchange Service. For example, c:\security\truststore.

    Proxy Host and Port: When an HTTP proxy is used, specify the host address and the host port. For example, 192.10.1.3:18180. Otherwise, leave the field blank.

    Exchange and Powershell Service: When Identity Manager Exchange Service is enabled, the driver synchronizes Exchange users and groups using this service.

    Exchange Service URL: Specify the URL of the Identity Manager Exchange Service.

    For example, https://<ip-addr>:<port>/ExchServer.

    Office 365 Exchange Online: To initiate a connection with Exchange Online and synchronize Office 365 exchange users and groups, select Yes.

    Queue Operations: To enable queuing of objects when synchronizing between Azure AD and Identity Manager Exchange Service, select True.

    Page Size: Set a value for the number of results displayed per page during Exchange Publisher poll.

    Trace location: Specify the custom path where you want to save the Identity Manager Exchange Service logs. By default, the logs will be saved in this component’s installation directory.

    Trace Level: Set the trace level for the Identity Manager Exchange Service.

    The driver supports five trace levels: NOTIFY, INFO, ERROR, MORE INFO, and DEBUG. The default trace level is NOTIFY. The next level, INFO, provides basic trace messages. ERROR provides some additional information beyond the previous level. Detailed messages are logged if you select MORE INFO. DEBUG logs debugging data along with the detailed messages.

    Trace File Size Limit: Specify the trace file size limit in MB. The minimum value is 10 MB.

    Database Password: Specify the database password. The driver uses this password to encrypt and connect to the Publisher cache. Ensure that the same password is used to reconnect to the cache at a later time.

    Publisher Options: To view the Publisher options, select Show.

    Enable Publisher: Allows you to enable or disable the Publisher connection for the driver.

    Publisher Polling Interval: Specify the time period, in minutes, after which the driver queries Azure AD for new changes.

    Heart Beat Interval: Allows the driver to send a periodic status message on the Publisher channel when there is no traffic for a specific duration. This is the interval, in minutes, at which the driver shim issues the heartbeat document.

  10. On the Remote Loader page, fill in the following fields to configure the driver to connect using the Remote Loader, then click Next:

    • Connect to Remote Loader: By default, the driver is configured to connect using the Remote Loader. Click Next to continue. Otherwise, fill in the remaining fields to configure the driver to connect using the Remote Loader.

    • Host Name: Specify the hostname or IP address of the server where the driver’s Remote Loader service is running.

    • Port: Specify the port number where the Remote Loader is installed and running. The default port number is 8090.

    • KMO: Specify the Key Name of the Key Material Object (KMO) that contains the keys and certificate the Remote Loader uses for an SSL connection. This parameter is only used when you use SSL for connections between the Remote Loader and the Identity Manager engine.

    • Other Parameters: Specify any other parameters required to connect to the Remote Loader. Any parameters specified must use a key-value pair format, as follows: paraName1=paraValue1 paraName2=paraValue2

    • Remote Password: Specify the Remote Loader’s password as defined on the Remote Loader. The Identity Manager server (or Remote Loader) requires this password to authenticate to the Remote Loader.

    • Driver Password: Specify the driver object password that is defined in the Remote Loader service. The Remote Loader requires this password to authenticate to the Identity Manager server.

  11. On the Azure AD Base page, fill in the following fields, then click Next:

    • Domain Name: Specify the Azure AD domain site context, in the format <domain name>.onmicrosoft.com or <domain name>.com.

    • Identities to be synchronized: Specify whether the driver should synchronize identities from AD or configure the Identity Vault to act as the identity provider.

      If you choose to configure the Identity Vault as an identity provider, association to any other directory is not required.

      When you choose to synchronize identities from AD, you can synchronize only users that have an association with AD. If you are using the driver in hybrid mode, select only the AD option. This enables the driver to synchronize the identities from the Identity Vault to AD, from where Azure AD Connect synchronizes them to the Azure AD cloud.

    • Usage Location: Specify the two-letter country code of the user who uses the Office 365 services.

  12. (Conditional) On the Install Azure AD Managed System Information page, fill in the following fields to define the ownership of Azure AD, then click Next:

    General Information

    • Name: Specify a descriptive name for the managed system.

    • Description: Specify a brief description of the managed system.

    • Location: Specify the physical location of the managed system.

    • Vendor: Select the vendor of the managed system.

    • Version: Specify the version of the managed system.

    System Ownership

    • Business Owner: Select a user object in the Identity Vault that is the business owner of Azure AD. This can only be a user object, not a role, group, or container.

    • Application Owner: Select a user object in the Identity Vault that is the application owner of Azure AD. This can only be a user object, not a role, group, or container.

      This page is only displayed if you selected to install the Data Collection packages and the Account Tracking packages.

    System Classification

    • Classification: Select the classification of Azure AD. This information is displayed in the reports. The options are as follows:

      • Mission-Critical

      • Vital

      • Not-Critical

      • Other

        If you select Other, you must specify a custom classification for Azure AD.

    • Environment: Select the type of environment Azure AD provides. The options are as follows:

      • Development

      • Test

      • Staging

      • Production

      • Other

        If you select Other, you must specify a custom environment for Azure AD.

  13. On the Azure AD Password Synchronization page, fill in the following fields, then click Next:

    • Set Password Never Expires: If you set this option to True, the password does not expire for newly created users.

    • Disable Force Change Password at First Login: If you set this option to True, a user is not prompted to change the password when the user logs in to Azure AD for the first time.

    • Set Strong Password Required: If you set this option to True, the user needs to set a strong password.

  14. On the Account Tracking page, specify the name of the realm, security domain, or namespace in which the account name is unique. You must set the Realm to the Azure AD domain name.

  15. On the Confirm Installation Tasks page, review the summary of tasks and click Finish.
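The "Add a schema extension" fields in step 9 come with three rules that are easy to violate when extensions are maintained by hand: a duplicate name is silently resolved in favour of the first entry, the data type must be one Azure AD supports, and no more than one hundred extensions are allowed. The following Python script is an added example, not part of the original documentation or of the driver itself; it checks a constructed extension list against those rules before the configuration is applied. The set of supported types is an assumption taken from the Microsoft Graph schema extension property types, and the sample extensions are constructed for illustration.

```python
from dataclasses import dataclass

# Property types accepted for Azure AD schema extensions. Assumption: this is the set
# documented for Microsoft Graph schemaExtension properties; confirm it for your tenant.
SUPPORTED_TYPES = {"Binary", "Boolean", "DateTime", "Integer", "String"}
MAX_EXTENSIONS = 100  # the documented limit of one hundred extensions on Azure AD


@dataclass(frozen=True)
class SchemaExtension:
    """One 'Add a schema extension' entry: name, data type and target object classes."""
    name: str
    ext_type: str
    targets: tuple


def validate_extensions(extensions):
    """Apply the documented rules and return (effective, problems).

    - A name seen earlier in the list is ignored: the first definition wins.
    - The data type must be a supported schema extension type.
    - Every extension needs at least one target object class.
    - At most MAX_EXTENSIONS extensions survive; the remainder are dropped.
    """
    effective = []
    seen_names = set()
    problems = []
    for ext in extensions:
        if ext.name in seen_names:
            problems.append(f"'{ext.name}': duplicate name, first definition is used")
            continue
        seen_names.add(ext.name)
        if ext.ext_type not in SUPPORTED_TYPES:
            problems.append(f"'{ext.name}': unsupported type '{ext.ext_type}'")
            continue
        if not ext.targets:
            problems.append(f"'{ext.name}': no target object classes")
            continue
        effective.append(ext)
    if len(effective) > MAX_EXTENSIONS:
        problems.append(f"{len(effective)} extensions exceed the limit of {MAX_EXTENSIONS}")
        effective = effective[:MAX_EXTENSIONS]
    return effective, problems


# Constructed sample configuration; not taken from a real driver.
SAMPLE_EXTENSIONS = [
    SchemaExtension("Title", "String", ("User", "Group")),
    SchemaExtension("Title", "Integer", ("User",)),      # duplicate name: ignored
    SchemaExtension("CostCenter", "Float", ("User",)),   # unsupported type: rejected
    SchemaExtension("EmployeeId", "String", ("User",)),
]

if __name__ == "__main__":
    kept, issues = validate_extensions(SAMPLE_EXTENSIONS)
    for ext in kept:
        print(f"keep {ext.name} ({ext.ext_type}) -> {', '.join(ext.targets)}")
    for issue in issues:
        print("warn", issue)
```

Running the script on the sample keeps Title (String, User and Group) and EmployeeId, and reports the duplicate Title entry and the unsupported CostCenter type. Running the same check on a list of more than one hundred valid entries reports the excess and truncates to the first hundred, which mirrors what the limit implies rather than relying on the driver to tell you.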

The driver is now created. You can modify the configuration settings by Configuring the Driver.
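The Heart Beat Interval in step 9 means that, once the driver is running, the Publisher channel should never fall silent for longer than that interval: either change documents or heartbeat documents keep arriving. That makes a silence longer than the interval a useful liveness signal for a stopped driver, Remote Loader, or broken network path. The Python script below is an added example that is not part of the original documentation or of the driver; it scans a constructed activity log for such gaps. The heartbeat interval and jitter tolerance are assumed values, not defaults from the page.

```python
from datetime import datetime

# Assumed settings for this example; they are not defaults stated in the documentation.
HEARTBEAT_INTERVAL_MIN = 10
JITTER_TOLERANCE_MIN = 1

# Constructed Publisher-channel activity log (timestamp, kind); not a real driver trace.
# "event" = a change document published from Azure AD, "heartbeat" = the shim's
# status document issued because no traffic arrived during the heartbeat interval.
SAMPLE_ACTIVITY = [
    ("2024-01-01T08:00:00", "event"),
    ("2024-01-01T08:05:00", "event"),
    ("2024-01-01T08:15:00", "heartbeat"),
    ("2024-01-01T08:25:00", "heartbeat"),
    ("2024-01-01T09:10:00", "event"),  # 45 minutes of silence before this entry
]


def max_tolerated_silence(heartbeat_min, tolerance_min=JITTER_TOLERANCE_MIN):
    """With the heartbeat enabled, the channel should not be silent for longer than the
    heartbeat interval; the tolerance covers timer jitter so a healthy driver is not flagged."""
    return heartbeat_min + tolerance_min


def silence_gaps(activity, max_silence_min):
    """Return (start, end, minutes) for each gap between consecutive activity entries
    that exceeds max_silence_min. Neither events nor heartbeats arrived during such a
    gap, which points at a stopped driver, Remote Loader or network path."""
    times = sorted(datetime.fromisoformat(ts) for ts, _ in activity)
    gaps = []
    for earlier, later in zip(times, times[1:]):
        minutes = (later - earlier).total_seconds() / 60
        if minutes > max_silence_min:
            gaps.append((earlier, later, minutes))
    return gaps


if __name__ == "__main__":
    limit = max_tolerated_silence(HEARTBEAT_INTERVAL_MIN)
    for start, end, minutes in silence_gaps(SAMPLE_ACTIVITY, limit):
        print(f"Publisher channel silent for {minutes:.0f} min: {start} -> {end}")
```

On the sample log the two ten-minute heartbeat gaps stay within the eleven-minute limit, and only the forty-five-minute gap before 09:10 is reported. In practice you would feed the function the timestamps from the driver trace or from your event pipeline and alert on any reported gap.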

3.1.3 Configuring the Driver

There are many settings that can help you customize and optimize the driver. The settings are divided into categories such as Driver Configuration, Engine Control Values, and Global Configuration Values (GCVs). Although it is important for you to understand all of the settings, your first priority should be to review the Driver Parameters located on the Driver Configuration page and the Global Configuration Values. These settings must be configured properly for the driver to start and function correctly. You can configure the driver with entitlements or with entitlements disabled.

To edit the properties, perform the following steps:

  1. Open your project.

  2. In the modeler, right-click the driver icon or the driver line, then select Properties.

  3. Select Driver Configuration and configure the configuration properties.

  4. Click GCVs > Entitlements and review the following settings:

    NOTE: These settings are only displayed if you installed the Entitlements package. If you selected the Azure AD Hybrid Entitlements package, only Roles and License entitlements are supported with this package.

    • Use User Account Entitlement: Ensure the value of this parameter is set to true to enable the driver to manage user account permissions using the User Account entitlement. By default, the value is set to True.

    • Use Group Entitlement: Ensure the value of this parameter is set to true to enable the driver to manage group memberships using the Group entitlement. By default, the value is set to True.

      IMPORTANT: If the Use User Account Entitlement and Use Group Entitlement parameters are set to False, user and group membership synchronization is managed using the non-entitlement configuration method.

    • Use License Entitlement: Ensure the value of this parameter is set to true to enable the driver to manage licenses using the License entitlement. By default, the value is set to True.

    • Use Roles Entitlement: Ensure the value of this parameter is set to true to enable the driver to manage roles using the Roles entitlement. By default, the value is set to True.

  5. Click Apply.

  6. Modify any other settings as necessary.

    In addition to the driver settings, you should review the set of default policies and rules provided by the basic driver configuration. Although these policies and rules are suitable for synchronizing with Azure AD, your synchronization requirements for the driver might differ from the default policies. If this is the case, you require customization.

  7. Click OK when finished.

  8. Continue with Deploying the Driver.

3.1.4 Deploying the Driver

After a driver is created in Designer, it must be deployed into the Identity Vault.

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver icon, then select Live > Deploy.

  3. If you are authenticated to the Identity Vault, skip to Step 5; otherwise, specify the following information:

    Host: Specify the IP address or DNS name of the server hosting the Identity Vault.

    Username: Specify the DN of the user object used to authenticate to the Identity Vault.

    Password: Specify the user’s password.

  4. Click OK.

  5. Read through the deployment summary, then click Deploy.

  6. Click OK.

  7. Click Define Security Equivalence to assign rights to the driver.

    The driver requires rights to objects within the Identity Vault. The Admin user object is most often used to supply these rights. However, you might want to create a user account called DriversUser. The DriversUser object must have the same security rights on the server as the driver needs.

    a. Click Add, then browse to and select the object with the correct rights.

    b. Click OK twice.

  8. Click Exclude Administrative Roles to exclude users that should not be synchronized.

    You should exclude any administrative User objects (for example, Admin and DriversUser) from synchronization.

    a. Click Add, then browse to and select the user object you want to exclude.

    b. Click OK.

    c. Repeat Step 8a and Step 8b for each object you want to exclude.

    d. Click OK.

  9. Click OK.

3.1.5 Starting the Driver

When a driver is created, it is stopped by default. Identity Manager is an event-driven system and will start caching events as soon as the driver is deployed. These cached events will be processed once the driver is started.

To start the driver:

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver icon, then select Live > Start Driver.