
Complete Post-Setup Wizard Changes for AD and Office 365

Article ID: 1738
Last updated: 06 Aug, 2018

You need to make the following changes to enable Identity Maestro modules in the *Sample Sandbox* environment that the Setup Wizard created:

Create License Profiles (Office 365 only)

Identity Maestro includes an MMC snap-in from which you build an Azure License Profile Manager console. This procedure activates the snap-in, builds the MMC console and creates two license profiles.

Activate the MMC Snap-In

  1. Use Windows Explorer to navigate to [install path]\Omni\IdentityMaestro\WorkflowEngine\RemoteAgents\Omni.RA.Microsoft.AzureAD.Agent\MMC
  2. Right-click the Omni.RA.Microsoft.AzureAD.MMC.exe file and select Run as administrator.
  3. In the User Account Control window, click Yes.
  4. In the Install / Uninstall MMC Snap-in application, click Install.
  5. Confirm that Is Snap-in installed is checked and Close the application.

Create the MMC Utility

  1. Launch MMC using Run as administrator.
  2. In the MMC Console1 window, select File > Add/Remove Snap-in.
  3. Select the Remote Agent for Azure Active Directory from the Available snap-ins list and click the Add button. 
  4. In the Connect to Remote Agent window, click the Test Connection to Remote Agent button. You do not have to provide any login credentials because the connection uses a security token.
  5. Confirm that the test reports a working connection and click OK.
  6. Confirm that the Remote Agent for Azure AD is in the Selected snap-ins list, and click OK.
  7. In the MMC Console1 window, select File > Save as and save this console to the Desktop as Azure License Profile Manager.

Create License Profiles

  1. In the MMC Console1 window, you will see a navigation pane (left), a details pane (center), and an Actions pane (right). Right-click the Remote Agent for Azure AD node to expand the navigation.
  2. Expand the Remote Agent connection and refresh the AD domain node(s).
  3. Expand the AD domain connection and refresh the Licensing node.
  4. Click the Licensing node and click Create New Licensing Profile in the Actions pane.
  5. In the Create New Licensing Profile window, provide a profile name (must be lower case), and click Create Profile and Close.
  6. Use the same steps to create a second profile (optional). In our examples, we create a staff profile and a contractors profile, and configure each with a different set of applications (service plans).
  7. The Details pane shows a grid listing every application included across all of your license SKUs combined. Click the first application (Azure documentation refers to these as service plans). Each SKU has a dedicated tab, and the current license count for that SKU is displayed in the top left.



    Each license profile has a dedicated column.  To disable an application, remove the checkmark for the application in the column of the license profile.



    If all the applications of a license SKU are disabled (unchecked), Identity Maestro will not assign a license count for that SKU when assigning license SKUs and applications to Azure AD users assigned to that license profile.
  8. Once all the license profiles are configured with enabled applications, select Update All Profiles in the Actions pane.
  9. Select File > Save as to ensure that all changes have been saved to the MMC console.
  10. IMPORTANT: Restart the IIS server (IISRESET) so that the license profiles are loaded into the Remote Agent server and the Identity Maestro server.
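The rule in step 7 (a SKU whose applications are all unchecked consumes no license count) is easy to get wrong when several profiles share SKUs. The following is an added example, not Identity Maestro code: it models a license profile as the set of service plans left checked in its column and computes which SKUs each profile consumes and how many seats a set of users will need. The SKU catalogue, plan names and seat counts are constructed sample values.

```python
# Added example (not Identity Maestro code): a model of how a license profile's
# per-application (service plan) checkboxes determine which license SKUs are
# consumed. SKU and service plan names are constructed sample values.
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample catalogue: each license SKU bundles a set of service plans.
SKU_CATALOGUE = {
    "ENTERPRISEPACK": {"EXCHANGE_S_ENTERPRISE", "SHAREPOINTENTERPRISE", "TEAMS1"},
    "VISIOCLIENT": {"VISIO_CLIENT_SUBSCRIPTION"},
}


def is_valid_profile_name(name: str) -> bool:
    """Profile names must be lower case (step 5 above)."""
    return bool(name) and name == name.lower()


@dataclass
class LicenseProfile:
    name: str
    enabled_plans: set[str]  # service plans left checked in this profile's column

    def __post_init__(self) -> None:
        if not is_valid_profile_name(self.name):
            raise ValueError(f"profile name must be lower case: {self.name!r}")


def assignment_for(profile: LicenseProfile, catalogue=SKU_CATALOGUE) -> dict[str, list[str]]:
    """Return {sku: [enabled plans]} for every SKU this profile will consume.

    A SKU whose plans are all unchecked is left out entirely, so no license
    count is consumed for it (the rule described in step 7 above).
    """
    result: dict[str, list[str]] = {}
    for sku, plans in catalogue.items():
        keep = sorted(plans & profile.enabled_plans)
        if keep:
            result[sku] = keep
    return result


def seats_required(user_counts: dict[str, int], profiles: list[LicenseProfile],
                   catalogue=SKU_CATALOGUE) -> dict[str, int]:
    """Seats needed per SKU when user_counts[profile] users get each profile."""
    by_name = {p.name: p for p in profiles}
    needed: dict[str, int] = {}
    for profile_name, users in user_counts.items():
        for sku in assignment_for(by_name[profile_name], catalogue):
            needed[sku] = needed.get(sku, 0) + users
    return needed


def shortfall(needed: dict[str, int], available: dict[str, int]) -> dict[str, int]:
    """SKUs whose license count (the figure shown top left in MMC) is too small."""
    return {sku: n - available.get(sku, 0)
            for sku, n in needed.items() if n > available.get(sku, 0)}


if __name__ == "__main__":
    staff = LicenseProfile("staff", {"EXCHANGE_S_ENTERPRISE", "TEAMS1", "VISIO_CLIENT_SUBSCRIPTION"})
    contractors = LicenseProfile("contractors", {"EXCHANGE_S_ENTERPRISE"})
    needed = seats_required({"staff": 10, "contractors": 5}, [staff, contractors])
    print(assignment_for(contractors))
    print(needed, shortfall(needed, {"ENTERPRISEPACK": 20, "VISIOCLIENT": 8}))
```

Running the block shows that the contractors profile consumes only the ENTERPRISEPACK SKU even though the catalogue contains two SKUs, and that assigning ten staff users would exceed an available count of eight VISIOCLIENT licenses by two, which is the kind of check worth making before bulk licensing.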

Reset the Passwords for the Identity Maestro Role Users

Let’s take a quick look at the users and groups that Identity Maestro created in the Active Directory domain.

  1. Log in as imadmin with the password Demo!2345678.
  2. The Operator Panel will display the default menu and the Manage module page.  In the Manage module, you can search for objects or browse the Directory for objects.  If you add ima to the Object Name field and click Search, Identity Maestro will search for and display all users, groups and contacts that contain the character string ima in the object name.
  3. Select the Browse tab.  Expand the domain name and the Identity Maestro container.  Click on the Identity Maestro container.  Users, contacts and groups in that container will be displayed.



    Notice that you cannot see any other AD containers.  Identity Maestro installs in a sandbox mode with pre-configured Identity Maestro Roles, with corresponding access controls limited to the Identity Maestro container only.  This permits administrators to learn what Identity Maestro can do before enabling access to other containers in the AD domain.
  4. If you click the Username column header, the list is sorted by username, which in this instance lists all the users together in alphabetical order. You can right-click the imadmin user and select Reset Password to reset the user password to a different value.
  5. You can also bulk reset the password for multiple users.  In this case if you use Shift + Click to select all the im users except imadmin, then right-click the list and select Reset Password to reset the user password for all those users to a new common password.
  6. Choose Specify password, type in a value and click Reset.
  7. Identity Maestro will confirm the password changes.  You can even export a list of usernames and passwords (optional).  Click Close.

Configure the Office 365 Custom Tasks

There is some configuration work that needs to be done in various Manage custom tasks to ensure that O365 custom tasks will use the Office 365 email domain.

  1. Select ADMINISTRATION in the main menu.
  2. Identity Maestro will display Step 2 in the Manage module by default.  This displays the four IM Roles that are configured.
  3. We need to set the email domain name and license profile in some of the O365 custom tasks. Click Step 5: Configure Custom Tasks.
  4. Select the O365 Apply License Profile task, select the Form Fields tab, and select the O365 License Profile field.
  5. In the Details pane, add Staff Profile to the Display Text field and staff to the Value field. Click the Add button to add this option to the Values list.
  6. Add Contractors Profile to the Display text field and contractors to the Value field and click Add to add this to the Values list.
  7. Select the Profile Name | profile selection in the Values list and click the X button to remove it from the Values list.
  8. Confirm that only staff and contractors are in the Values list and Save this change.



    Note:  In Identity Maestro, you must Save your changes before changing focus to a different field or moving to a different form or page view, otherwise all your work will be lost.  The Save option writes the changes to the applicable .config files.  OPTIONS > Apply Settings will load the modified .config files into IIS server cache and apply them to the Identity Maestro websites without requiring an IISRESET.
  9. Select the O365 Usage Location field.  This field is used to assign a location value to the Office 365 user when applying a license profile.  This field uses a plain text label to represent the country, e.g. Canada and the ISO country abbreviation, e.g. CA.  If you want to add a new location, type in the Country Name in the Display text field and the ISO country abbreviation to the Values field, and click Add to add the selection to the Values list.



    If you add one or more countries to this list, click Save.
  10. Choose OPTIONS > Apply Settings to apply all changes to the O365 Apply License Profile task.
  11. Select the O365 Provision User custom task and select the Form Fields tab.
  12. Repeat steps 4 to 10 to set corresponding values to the same O365 License Profile and O365 Usage Location fields.
  13. Expand the O365 User Contact Info section and select the O365 Email Autocomplete field. Click the edit icon beside the Pattern option field.
  14. In the Autocomplete Pattern Builder window, add the email domain name for your Office 365 email subscription (e.g. @democotest.com) and click Add segment.
  15. In the Pattern segments section, select the Separator ‘@emaildomainname’ segment that you just created. Click the Move Up button until the segment is above the Separator ‘@example.com’ segment.
  16. Select the Separator ‘@example.com’ segment and click the Remove button.
  17. Confirm that the Separator ‘@example.com’ segment is no longer visible in the Pattern segments list and click Save.
  18. Confirm that the configured domain name is now visible in the pattern.
  19. Save the change to the O365 Email Autocomplete field.
  20. Select OPTIONS > Apply Settings to save the changes and activate them in the Identity Maestro website.
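Steps 13 to 18 (and the same sequence in the create form procedures later in this article) only make sense once you see that a pattern is an ordered list of segments concatenated left to right, so the new domain segment must occupy the slot that @example.com held. The following is an added example, not Identity Maestro code: it models a pattern as a segment list, performs the add / move up / remove sequence as one operation, and audits a set of fields for any pattern that still carries the placeholder domain. The two segment kinds, the sample pattern and the field names are assumptions made for this example.

```python
# Added example (not Identity Maestro code): a model of an autocomplete
# pattern as the ordered list of segments the Autocomplete Pattern Builder
# presents. The two segment kinds, the sample pattern and the form field
# names are assumptions made for this example.
from dataclasses import dataclass

PLACEHOLDER_DOMAIN = "@example.com"  # the value the Setup Wizard leaves behind


@dataclass(frozen=True)
class Segment:
    kind: str   # "attribute": a form field value; "separator": literal text
    value: str


def render(pattern, attrs):
    """Concatenate the segments in order, pulling attribute values from attrs."""
    parts = []
    for seg in pattern:
        if seg.kind == "separator":
            parts.append(seg.value)
        elif seg.kind == "attribute":
            parts.append(attrs[seg.value].strip())
        else:
            raise ValueError(f"unknown segment kind {seg.kind!r}")
    return "".join(parts)


def add_segment(pattern, seg):
    """Add segment appends to the end of the list (hence the Move Up step)."""
    return list(pattern) + [seg]


def move_up(pattern, index):
    """Swap the segment at index with the one above it."""
    new = list(pattern)
    if index <= 0:
        return new
    new[index - 1], new[index] = new[index], new[index - 1]
    return new


def remove_segment(pattern, index):
    new = list(pattern)
    del new[index]
    return new


def set_email_domain(pattern, domain):
    """Steps 14 to 17 above as one operation: add the real domain segment,
    move it up until it sits above the placeholder, then remove the placeholder."""
    new = add_segment(pattern, Segment("separator", domain))
    targets = [i for i, s in enumerate(new)
               if s.kind == "separator" and s.value == PLACEHOLDER_DOMAIN]
    if not targets:
        raise ValueError("pattern contains no placeholder domain segment")
    target = targets[0]
    pos = len(new) - 1
    while pos > target:
        new = move_up(new, pos)
        pos -= 1
    return remove_segment(new, target + 1)  # the placeholder now sits just below


def leftover_placeholders(patterns):
    """Audit helper: names of fields whose pattern still contains @example.com."""
    return sorted(name for name, pattern in patterns.items()
                  if any(s.kind == "separator" and s.value == PLACEHOLDER_DOMAIN
                         for s in pattern))


if __name__ == "__main__":
    wizard = [Segment("attribute", "FirstName"), Segment("separator", "."),
              Segment("attribute", "LastName"), Segment("separator", PLACEHOLDER_DOMAIN)]
    fixed = set_email_domain(wizard, "@democotest.com")
    print(render(fixed, {"FirstName": "Jane", "LastName": "Doe"}))
    print(leftover_placeholders({"O365 Email Autocomplete": wizard, "Email Address": fixed}))
```

The audit function is the useful part after the fact: a pattern that still contains @example.com will silently generate addresses in a domain you do not control, so checking every autocomplete and create form field for the placeholder before OPTIONS > Apply Settings is cheaper than finding it in a provisioned user.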

Check and Configure Task Assignments

The task assignments that the Setup Wizard created also need some configuration work: confirm the search scope of each assignment and enable the mail stores so that Office 365 mailboxes related to the target system can be managed.

  1. In the MANAGE module, select Step 2: Assign Groups to Tasks.
  2. Select the Identity Maestro\IM Admins Role assignment.
  3. Confirm that the Search Contexts tab is selected and confirm that the scope is properly defined.



    This is how you confirm the scope (search context).

    System ID specifies the name of the target system. In this example it is an AD domain called democotest.com.

    Path defines the top-level OU container that starts the search scope. Here it specifies that users assigned to this task assignment can search for objects in the Identity Maestro container.

    The Binoculars column displays an org chart icon, which designates that search is permitted in this OU container and all child OU containers.

    The X column defines this search context as an excluded OU container. This can be used to exclude a child container of the parent OU container from search.

    The folder with magnifying glass column indicates that the Browse feature is enabled for this search context.

    The Pencil icon is used to edit this search context.

    The Trash can icon is used to delete the search context.

    A minimum of one search context must be defined for a task assignment, otherwise it will not work.

  4. Select the Mail Stores tab.
  5. Check the check boxes for the Enabled column.  This is required to permit management of mailbox servers including Office 365 mailboxes that are related to the defined target system.



    Checking Deny applies an explicit deny that overrides all Enabled selections in any task assignment that is assigned to the users in the Group Members for this assignment. Be careful when applying a Deny, as it is difficult to troubleshoot.
  6. Select the Group Members tab to confirm which users will be assigned to this task assignment.
  7. Save your changes to the Mail Stores.
  8. Repeat steps 3 to 7 for the rest of the task assignments.
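The search context columns and the Mail Stores Enabled / Deny semantics described above are an access-control model, and it is worth being able to reason about it outside the UI when a Deny is hard to troubleshoot. The following is an added example, not Identity Maestro code: it evaluates whether an object's distinguished name falls inside an assignment's search scope (included path, excluded child container, matching target system) and whether a mail store is allowed once a Deny in any of a user's assignments is taken into account. Scope is evaluated by suffix matching on the DN, and the DNs, assignment names and mail store name are constructed samples.

```python
# Added example (not Identity Maestro code): a model of the search contexts
# and Mail Stores settings described above. Scope is evaluated by matching the
# object's distinguished name against the context path; the DNs, the
# assignment names and the mail store name are constructed samples.
from dataclasses import dataclass, field


def _normalise(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(obj_dn, container_dn):
    """True if obj_dn is the container itself or lies anywhere below it."""
    obj, container = _normalise(obj_dn), _normalise(container_dn)
    return obj == container or obj.endswith("," + container)


@dataclass(frozen=True)
class SearchContext:
    system_id: str          # target system, e.g. the AD domain democotest.com
    path: str               # top-level OU container that starts the scope
    excluded: bool = False  # the X column: exclude this container from search
    browse: bool = True     # the folder/magnifying glass column


@dataclass
class TaskAssignment:
    name: str
    contexts: list
    mail_stores_enabled: set = field(default_factory=set)  # Enabled check boxes
    mail_stores_denied: set = field(default_factory=set)   # Deny check boxes


def has_search_context(assignment):
    """A task assignment without at least one search context will not work."""
    return bool(assignment.contexts)


def in_scope(assignment, system_id, obj_dn):
    """An object is searchable when it lies under an included context of the
    target system and under no excluded context of that system."""
    included = False
    for ctx in assignment.contexts:
        if ctx.system_id != system_id or not is_under(obj_dn, ctx.path):
            continue
        if ctx.excluded:
            return False
        included = True
    return included


def mail_store_allowed(user_assignments, store):
    """Deny in any of the user's assignments overrides Enabled in all of them."""
    if any(store in a.mail_stores_denied for a in user_assignments):
        return False
    return any(store in a.mail_stores_enabled for a in user_assignments)


if __name__ == "__main__":
    sandbox = SearchContext("democotest.com", "OU=Identity Maestro,DC=democotest,DC=com")
    archived = SearchContext("democotest.com",
                             "OU=Archived,OU=Identity Maestro,DC=democotest,DC=com",
                             excluded=True)
    admins = TaskAssignment("IM Admins", [sandbox, archived],
                            mail_stores_enabled={"Office 365 (democotest.com)"})
    print(in_scope(admins, "democotest.com",
                   "CN=imadmin,OU=Identity Maestro,DC=democotest,DC=com"))
    print(in_scope(admins, "democotest.com", "CN=fin1,OU=Finance,DC=democotest,DC=com"))
```

The sandbox behaviour described earlier (you cannot see any other AD containers) falls out of the first rule: an object under OU=Finance matches no included context, so it is simply not searchable. The Deny rule is modelled across all of a user's assignments because that is how the page says it applies, which is also why a stray Deny on one assignment can hide mailboxes that another assignment appears to enable.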

Configure Office 365 Create User Forms

The Setup Wizard installed a set of create form templates which are all labelled with (Template) in the form name.  It also created a set of create forms that will be used for the Sample OU that is part of the “sandbox” setup.  The Setup Wizard also added create profiles that use the Sample create forms.

Create Forms are the forms that collect information that will be used to create a new user, group or contact object.  You normally add create forms to cover unique differences between types of users.

A Create Profile relates a create form to a create workflow. Users are assigned to a create profile, which enables the Create module for that user and displays the create form for them to use. You normally build create forms to create users in different OU containers or to add them to different groups during the create process.

There is some work that needs to be done in the Office 365 user create form(s) to ensure that Identity Maestro configuration will match your Office 365 email domain.

Modify the User Create Forms for Hybrid Environments

Use this procedure if your AD domain IS being synced with your Office 365 subscription using ADCONNECT.  Use this procedure for the AD and Hybrid O365 User (Template) form and the Sample AD and O365 User (Hybrid) form.

In this scenario, ADCONNECT will automatically create the user in Azure AD and copy the user contact information from AD on-premise to Azure AD.  In reality, all Identity Maestro has to do is create a user in the domain containers that are in-scope for the ADCONNECT service.  Once the user is created in Azure AD, administrators can use the MANAGE > O365 Apply License Profile task to license the user in Office 365.

  1. In the ADMINISTRATION panel, select the CREATE menu option.
  2. In Step 1 – Configure Create Forms, select the AD and Hybrid O365 User (Template) or the Sample AD and O365 User (Hybrid) create form.
  3. Select the Email Address field.

    Notice that the Pattern uses @example.com as the domain name.  This needs to be changed to use the actual email domain name.
  4. Click the edit icon next to the Pattern field.
  5. In the Autocomplete Pattern Builder window, add your email domain (e.g. @democotest.com) to the Separator field and click Add Segment.
  6. In the Pattern segments list, select your email domain (e.g. Separator ‘@democotest.com’) and click the Move button until the entry is immediately above the Separator ‘@example.com’ entry.
  7. Select the Separator ‘@example.com’ entry and click the Remove button.
  8. Click Save to save the settings and close the pattern builder window.
  9. Confirm that the Pattern now displays your email domain.
  10. Click Save to save the changes.
  11. Select OPTIONS > Apply Settings to apply the changes to the create profile and form.

Modify the User Create Forms for Disconnected Environments

Use this procedure if your AD domain IS NOT being synced with your Office 365 subscription using ADCONNECT.  We refer to this as a Disconnected Scenario.  Use this procedure for the AD and O365 User (Template) create form and the Sample AD and O365 User create form.

In this scenario, Identity Maestro runs a workflow that creates an Azure AD user as a copy of the AD user being created. The create form therefore includes form fields that copy values from the new on-premise AD user into the fields used to create the corresponding Azure AD user. In addition, this form defines the Azure license profile and Azure Usage Location values.

  1. In the ADMINISTRATION panel, select the CREATE menu option.
  2. Select Step 1 – Configure Create Forms.
  3. Select the AD and O365 User (Template) form or the Sample AD and O365 User form.
  4. In the Fields column, expand the Personal Information section and select the Office 365 Email field.

    Notice that the Pattern uses @example.com as the domain name.  This needs to be changed to use the actual email domain name.
  5. Click the edit icon next to the Pattern field.
  6. In the Autocomplete Pattern Builder window, add your email domain (e.g. @democotest.com) to the Separator field and click Add Segment.
  7. In the Pattern segments list, select your email domain (e.g. Separator ‘@democotest.com’) and click the Move button until the entry is immediately above the Separator ‘@example.com’ entry.
  8. Select the Separator ‘@example.com’ entry and click the Remove button.
  9. Click Save to save the settings and close the pattern builder window.
  10. Confirm that the Pattern now displays your email domain.
  11. Click Save to save the changes.

    Now we need to set the Office 365 license options to match the license profiles you built previously, and to set the correct list of countries for the Usage Location field.
  12. Expand the Office 365 License section and select the License Profile field.
  13. Add values for the Display text and Value fields for each license profile (e.g. Display text: Staff Profile and Value of staff).
  14. Once all the license profiles have been added, select the profilename | Profile Name from MMC entry in the list and click the X button to remove it.
  15. Click Save to save the changes.
  16. Select the Usage Location field. This field contains values for Canada and the United States. The Display Text is the value that will be displayed in the drop-down while the Value must be the ISO country abbreviation.
  17. (Optional) To add an additional country, add a valid Country (e.g. United Kingdom | UK).
  18. Click Save to save the changes.
  19. Select OPTIONS > Apply Settings to apply the changes to the create profile and form.
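Steps 12 to 17 above (and steps 4 to 10 of the O365 custom task configuration earlier) build two option lists by hand: the License Profile values must exactly match the lower-case profile names created in the MMC utility, and every Usage Location value must be an ISO 3166-1 alpha-2 code, because that is what Azure AD accepts for a user's usage location. One point worth checking against the example in step 17: the ISO 3166-1 alpha-2 code for the United Kingdom is GB, and UK is reserved but not assigned, so a Usage Location value of UK will not be accepted. The following is an added example, not Identity Maestro code: it checks both option lists for the mistakes these steps invite (the template row left in place, a value with wrong case, a profile missing from the form, a non-ISO country value). The ISO code subset and the list of MMC profiles are constructed for the example.

```python
# Added example (not Identity Maestro code): checks on the option lists that
# steps 12 to 17 above build (and that the O365 custom task configuration
# builds the same way). Options are (Display text, Value) pairs as shown in
# the form editor. The ISO code subset and the MMC profile list are
# constructed for this example.

# Constructed subset of ISO 3166-1 alpha-2 codes. "UK" is not an assigned
# alpha-2 code; the code for the United Kingdom is "GB".
ISO_ALPHA2 = {
    "CA": "Canada",
    "US": "United States",
    "GB": "United Kingdom",
    "DE": "Germany",
}

# The placeholder row the Setup Wizard leaves in the License Profile field.
TEMPLATE_ENTRY = ("Profile Name", "profilename")


def check_license_profile_options(options, mmc_profiles):
    """Compare the form's License Profile options with the profiles created in
    the MMC utility. Returns a list of problems (empty when consistent)."""
    problems = []
    seen = set()
    for display, value in options:
        if (display, value) == TEMPLATE_ENTRY:
            problems.append(f"template entry still present: {display} | {value}")
            continue
        seen.add(value)
        if value != value.lower():
            problems.append(f"value is not lower case: {value}")
        elif value not in mmc_profiles:
            problems.append(f"no MMC license profile named {value!r}")
    for missing in sorted(set(mmc_profiles) - seen):
        problems.append(f"MMC profile {missing!r} has no option in the form")
    return problems


def check_usage_location_options(options, codes=ISO_ALPHA2):
    """Every Usage Location value must be an ISO 3166-1 alpha-2 code."""
    problems = []
    by_name = {name.lower(): code for code, name in codes.items()}
    for display, value in options:
        if value in codes:
            continue
        hint = by_name.get(display.strip().lower())
        suffix = f" (did you mean {hint}?)" if hint else ""
        problems.append(f"{display} | {value} is not an ISO 3166-1 alpha-2 code{suffix}")
    return problems


if __name__ == "__main__":
    profiles = [("Staff Profile", "staff"), ("Contractors Profile", "contractors"),
                ("Profile Name", "profilename")]
    print(check_license_profile_options(profiles, ["staff", "contractors"]))
    locations = [("Canada", "CA"), ("United States", "US"), ("United Kingdom", "UK")]
    print(check_usage_location_options(locations))
```

Feed the function the Display text / Value pairs exactly as they appear in the Values list; the license profile names come from the Licensing node in the MMC console. For a real deployment, replace the constructed ISO subset with the full ISO 3166-1 alpha-2 table.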

This completes all the required changes.  Feel free to examine all the create forms and create profiles and make any adjustments to match your environment.
