A.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The Azure AD driver includes several predefined GCVs. You can also add your own if you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click the Identity Manager icon to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit:

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the Azure AD driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the Azure AD driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The global configuration values are organized as follows:

A.2.1 Password Synchronization

These GCVs enable password synchronization between the Identity Vault and the Azure AD system.

In Designer, you must click the icon next to a GCV to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.

In iManager, you should edit the Password Management Options on the Server Variables tab rather than under the GCVs. The Server Variables page has a better view of the relationship between the different GCVs.

Connected System or Driver Name: Specify the name of the Azure AD system or the driver name. This value is used by the e-mail notification template to identify the source of the notification message.

Application accepts passwords from Identity Manager: If True, allows passwords to flow from the Identity Manager data store to the connected system.

Identity Manager accepts passwords from application: If True, allows passwords to flow from the connected system to Identity Manager.

Publish passwords to NDS password: If True, uses the password from the connected system to set the non-reversible NDS password in eDirectory.

Publish passwords to Distribution Password: If True, uses the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization.

Require password policy validation before publishing passwords: If True, applies NMAS password policies during publish password operations. The password is not written to the data store if it does not comply.

Reset user’s external system password to the Identity Manager password on failure: If True, when publishing the Distribution Password fails, the driver attempts to reset the password in the connected system using the Distribution Password from the Identity Manager data store.

Notify the user of password synchronization failure via e-mail: If True, notify the user by e-mail of any password synchronization failures.

A.2.2 Driver Configuration

The following GCVs contain configuration information for the Azure AD driver. They are divided into the following categories:

Synchronization Settings

Use the following GCVs to control how the driver is configured:

Office 365 settings

  • Domain Name: Specify the Office 365 tenant domain in the form admincentral.onmicrosoft.com.

  • Identities to be synchronized: Specify whether the driver synchronizes identities that originate in AD, or whether the Identity Vault itself acts as the identity provider.

    If you configure the Identity Vault as the identity provider, an association to any other directory is not required.

    If you choose to synchronize identities from AD, the driver synchronizes only users that have an association with AD. If you are using the driver in hybrid mode, select the AD option only. The driver then synchronizes identities from the Identity Vault to AD, and Azure AD Connect synchronizes them from AD to the Azure AD cloud.

  • Usage Location: Specify the two-letter (ISO 3166-1 alpha-2) country code of the users who consume Office 365 services.

  • Enable Hybrid Operation Mode: If Yes, the driver provisions only the Roles and License entitlements; users and groups are provisioned by the AD driver. To run the driver in normal (cloud-only) mode, set the option to No.

A.2.3 Account Tracking

Account tracking is part of Identity Reporting.

Enable Account Tracking: Set this to True to enable account tracking policies. Set it to False if you do not want to execute account tracking policies.

Realm: Specify the name of the realm, security domain, or namespace in which the account name is unique. You must set the Realm to the Office 365 Domain Name.

Object Class: Add the object class to track. Class names must be in the application namespace.

Identifiers: Add the account identifier attributes. Attribute names must be in the application namespace.

Status attribute: Specify the name of the attribute in the application namespace to represent the account status.

Status active value: Value of the status attribute that represents an active state.

Status inactive value: Value of the status attribute that represents an inactive state.

Subscription Default Status: Select the default status that the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault. The options are:

  • Active

  • Inactive

  • Undefined

  • Uninitialized

Publication Default Status: Select the default status that the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application. The options are:

  • Active

  • Inactive

  • Undefined

  • Uninitialized

A.2.4 Exchange Role Entitlement

This entitlement is supported if you have upgraded to the 5.0.1 version of the driver. You need to import the Azure AD Exchange Role Entitlement package to use this entitlement.

NOTE: Before you use this entitlement, ensure that the Exchange service is running.

Use Exchange Roles Entitlement: Select True to enable the driver to manage Exchange roles based on the driver’s defined entitlements.

Advanced Settings: To enable the advanced settings such as data collection, role mapping, and resource mapping, select Show.

  • Allow data collection from exchange roles: Select Yes if you want to allow data collection by Data Collection Service for exchange roles.

  • Allow role mapping of exchange roles: Select Yes if you want to allow mapping of exchange roles in Identity Applications.

  • Allow resource mapping of exchange roles: Select Yes if you want to allow mapping of exchange roles in Identity Reporting.

  • Exchange Role extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

A.2.5 Entitlements

There are multiple sections in the Entitlements tab. Depending on which packages you installed, different options are enabled or displayed.

Entitlements

Use User Account Entitlement: The User Account entitlement acts as an on/off switch for account access. When the entitlement is granted to a user, the driver creates the Azure AD account; when it is revoked, the driver disables or deletes the account (see When account entitlement revoked). Select True to control user accounts in Azure AD through entitlements.

NOTE: User Account Entitlement is supported in cloud-only mode. It is not supported in hybrid mode.

  • Enable Login Disabled attribute sync: Specify whether the driver synchronizes changes made to the Login Disabled attribute in the Identity Vault even when the User Account entitlement is enabled.

  • When account entitlement revoked: Select the action the driver takes in Azure AD when a User Account entitlement is revoked from an Identity Vault user. The options are Disable Account or Delete Account.

Use Group Membership Entitlement: Select True to enable the driver to manage Azure AD group membership based on the driver’s Group entitlement.

Select False to disable management of group membership based on entitlement.

Use License Entitlement: Select True to enable the driver to manage licenses based on the driver’s defined entitlements. To assign multiple Azure AD licenses to a user, create a separate resource in the User Application for each license, because a License entitlement can hold only a single value.

Use Roles Entitlement: Select True to enable the driver to manage roles based on the driver’s defined entitlements. Select False to disable management of role assignments for users based on the entitlements.

Teams Entitlement: Select True to enable the driver to manage Teams assignments based on the driver’s defined entitlements. Select False to disable management of Teams assignments for users based on the entitlements.

  • Add User as Owner to Team: Select Yes to add the user to the team as an owner.

Channel Entitlement: Select True to enable the driver to manage channel assignments based on the driver’s defined entitlements. Select False to disable management of channel assignments for users based on the entitlements.

  • Add User as Owner to Channel: Select Yes to add the user to the channel as an owner.

  • Team and Channel Name Separator: Specify the character sequence that separates the team name from the channel name in an entitlement value, for example Team::Channel. Choose a separator that cannot occur in any team or channel name; otherwise the value cannot be split unambiguously.
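
The following parser shows why the separator must not occur in team or channel names. It is an added example, not code from the Azure AD driver; it assumes a channel entitlement value is the team name, the configured separator, and the channel name (as the Team::Channel example above suggests), and the team and channel names used as sample input are constructed. A value that does not split into exactly one team and one channel is rejected rather than guessed, so a malformed value cannot silently place a user in the wrong channel.

```python
"""Split Team<separator>Channel entitlement values safely (added example)."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ChannelRef:
    team: str
    channel: str


def parse_channel_entitlement(value: str, separator: str = "::") -> ChannelRef:
    """Return the team and channel named by an entitlement value.

    Raises ValueError if the separator is empty, occurs zero or more than
    once, or leaves an empty team or channel name. Refusing ambiguous input
    is deliberate: guessing would be a silent wrong assignment.
    """
    if not separator:
        raise ValueError("separator must be a non-empty string")
    parts = value.split(separator)
    if len(parts) != 2:
        raise ValueError(
            f"expected exactly one {separator!r} in {value!r}, "
            f"found {len(parts) - 1}"
        )
    team, channel = (p.strip() for p in parts)
    if not team or not channel:
        raise ValueError(f"empty team or channel name in {value!r}")
    return ChannelRef(team, channel)


def separator_is_safe(separator: str, team_names: Iterable[str],
                      channel_names: Iterable[str]) -> bool:
    """True if no existing team or channel name contains the separator.

    Run this check before choosing or changing the separator GCV.
    """
    names = list(team_names) + list(channel_names)
    return bool(separator) and not any(separator in n for n in names)


# Constructed sample data (hypothetical tenant, not real names).
SAMPLE_TEAMS = ["Engineering", "R&D - Europe", "Security Operations"]
SAMPLE_CHANNELS = ["General", "Incident Response", "Change - Review"]


def demo() -> dict:
    """Contrast a safe separator with one that collides with the names."""
    good = parse_channel_entitlement("R&D - Europe::Incident Response", "::")
    try:
        # With "-" as separator the same pair can no longer be split.
        parse_channel_entitlement("R&D - Europe-Incident Response", "-")
        bad = None
    except ValueError as exc:
        bad = str(exc)
    return {
        "parsed": good,
        "double_colon_safe": separator_is_safe("::", SAMPLE_TEAMS, SAMPLE_CHANNELS),
        "hyphen_safe": separator_is_safe("-", SAMPLE_TEAMS, SAMPLE_CHANNELS),
        "hyphen_error": bad,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Before settling on a separator, run separator_is_safe over the tenant's current team and channel names; a separator that is safe today can stop being safe when a team is renamed, so the check belongs in whatever process governs the GCV, not only at first configuration.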

SKU Entitlement: Select True to enable the driver to manage SKU subscription assignments based on the entitlement. The default value is True.

Data Collection

Data collection enables Identity Reporting to gather information to generate reports.

Enable data collection: Select Yes to enable data collection for the driver through Data Collection Service by the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select No.

Allow data collection from user accounts: Select Yes to allow data collection by Data Collection Service for user accounts.

Allow data collection from groups: Select Yes to allow data collection by Data Collection Service through the Managed System Gateway driver for groups.

Allow data collection from licenses: Select Yes to allow data collection by Data Collection Service for licenses.

Allow data collection from Roles: Select Yes to allow data collection by Data Collection Service for roles.

Allow data collection from SKU: Select Yes to allow data collection by Data Collection Service for SKU.

Allow data collection from Teams: Select Yes to allow data collection by Data Collection Service for teams.

Allow data collection from Channels: Select Yes to allow data collection by Data Collection Service for channels.

Role Mapping

Identity Applications allow you to map business roles with IT roles.

Enable role mapping: Select Yes to make this driver visible to Identity Applications.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in the Identity Applications. An account is required before a role, profile, or license can be granted through Identity Applications.

Allow mapping of groups: Select Yes if you want to allow mapping of groups in Identity Applications.

Allow mapping of licenses: Select Yes if you want to allow mapping of licenses in Identity Applications.

Allow mapping of Roles: Select Yes if you want to allow mapping of roles in Identity Applications.

Allow mapping of SKU: Select Yes if you want to allow mapping of SKU in Identity Applications.

Allow mapping of Teams: Select Yes if you want to allow mapping of teams in Identity Applications.

Allow mapping of Channels: Select Yes if you want to allow mapping of channels in Identity Applications.

Resource Mapping

The Identity Applications allow you to map resources to users.

Enable resource mapping: Select Yes to make this driver visible to Identity Applications.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in Identity Applications. An account is required before a role, profile, or license can be granted.

Allow mapping of licenses: Select Yes if you want to allow mapping of licenses in Identity Applications.

Allow mapping of Exchange mailboxes: Select Yes if you want to allow mapping of Exchange mailboxes in Identity Applications.

Allow mapping of SKU: Select Yes if you want to allow mapping of SKU in Identity Applications.

Allow mapping of Teams: Select Yes if you want to allow mapping of teams in Identity Applications.

Allow mapping of Channels: Select Yes if you want to allow mapping of channels in Identity Applications.

Entitlement Extensions

User account extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Group extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

License extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Role extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

SKU extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Team extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Channel extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

A.2.6 Managed System Information

These settings help Identity Reporting function to generate reports. There are different sections in the Managed System Information tab.

General Information

Name: Specify a descriptive name for the managed system.

Description: Specify a brief description of the managed system.

Location: Specify the physical location of the managed system.

Vendor: Select Microsoft as the vendor of the managed system.

Version: Specify the version of the managed system.

System Ownership

Business Owner: Browse to and select the business owner in the Identity Vault for the connected application. You must select a user object, not a role, group, or container.

Application Owner: Browse to and select the application owner in the Identity Vault for the connected application. You must select a user object, not a role, group, or container.

System Classification

Classification: Select the classification of the connected application. This information is displayed in the reports. The options are:

  • Mission-Critical

  • Vital

  • Not-Critical

  • Other

    If you select Other, you must specify a custom classification for the connected application.

Environment: Select the type of environment the connected application provides. The options are:

  • Development

  • Test

  • Staging

  • Production

  • Other

    If you select Other, you must specify a custom environment type for the connected application.

Connection and Miscellaneous Information

Connection and miscellaneous information: This set of options is always hidden. They are system options that reporting requires in order to work, and you should not change them.