Setup Identity Maestro

On Azure Marketplace Virtual Machines

Identity Maestro is a simpler way for busy network and IT administrators to delegate user identity management and privileged access management tasks to front line staff using a powerful web portal tool. This guide provides details about how to install Identity Maestro, run the Setup Wizard and finish customizing custom tasks and create forms to support your email domain hosted in Azure AD and Office 365.

Issued July 2018


Contents

Welcome to this guide
How to Get Help
Schedule a Get Started Bundle
Azure Marketplace Virtual Machines
SSL Options
Firewall Settings
Deploy an Azure Marketplace VM
Prepare Connection Service Accounts
    Active Directory
    Azure AD / Office 365
Run the Identity Maestro Installer
Apply SSL Certificates
Create and Test Identity Maestro Connections
    Create and Test the Active Directory Connection
    Notes about Active Directory Connections
    Create and Test Microsoft Online Connections
    Notes about Microsoft Online Connections
Precompile the Identity Maestro Websites
Run the Setup Wizard
Create Azure License Profiles
    Activate the MMC Plug-in
    Create the MMC Utility
    Create License Profiles
Reset Passwords for the Identity Maestro Role Users
Configure Office 365 Custom Tasks
Check and Configure Tasks Assignments
Configure Office 365 Create User Forms
    Modify the User Create Forms for Hybrid Environments
    Modify the User Create Forms for Disconnected Environments


Welcome to this guide

Welcome to this Setup Guide. This guide is for experienced IT staff who will install, configure and manage an Identity Maestro server in an Azure subscription. It is written for individuals with expertise in deploying Azure virtual machines, Azure VNets, Azure VPNs and other security and administration tasks.

This guide is based on the 4.0.5 release of Identity Maestro and focuses on supporting on-premises Active Directory environments that need to manage users in Azure Active Directory and Office 365.

Please refer to the following online sources of information on this release:

• Identity Maestro 4 – Latest Release Notice
• Identity Maestro 4.0.5 Release Notes
• How to Upgrade Identity Maestro to the Latest Public Release

Identity Maestro needs to connect to an on-premises Active Directory domain in order to manage Azure Active Directory.

Identity Maestro supports two Azure AD / Office 365 integration scenarios:

• Disconnected Mode – for environments that do not use Azure AD Connect to sync on-premises AD with Azure AD. Identity Maestro supports this mode for user accounts only. Managing contacts and groups in Office 365 is not supported at this time.

• Hybrid Mode – for environments that use Azure AD Connect to sync on-premises AD with Azure AD (with or without AD FS for federated sign-in). In this mode, all changes made to on-premises AD users, contacts and groups sync to Azure AD and Office 365.

How to Get Help

If you need assistance during an installation and setup of an Identity Maestro server, contact the Identity Maestro Support Team.

Schedule a Get Started Bundle

The Get Started Bundle (GSB) provides a structured installation and configuration of an Identity Maestro server and connection agents in a customer's environment by an Identity Maestro Professional Services Team member. Our goal is to ensure that the Identity Maestro (ServiceControl) system deployment is complete and is configured to meet the customer's management needs.


The GSB professional services bundle is available for a maximum of six hours of professional services. Additional configuration or training is available as a billable professional service.

Contact the Identity Maestro Team to place an order for a GSB.

Azure Marketplace Virtual Machines

The Windows Server virtual machines deployed from the Azure Marketplace are pre-configured to meet the minimum system requirements to host an Identity Maestro server installation.

• Operating System: Choose between a Windows Server 2016 or Windows Server 2012 R2 virtual machine.
• Disk space:
  • Minimum of 1 GB above OS requirements. 10+ GB recommended.
  • Installation on a non-system drive is recommended.
• Memory: 2+ GB above OS requirements. If performing large bulk import from CSV actions (500+ user records per bulk action), 4 GB+ above OS requirements is recommended.
• Processor: Intel or compatible (x64) – 2 cores or higher recommended.
• Active Directory: Must be able to connect to an on-premises AD domain controller using secure LDAP (LDAPS, TCP port 636). Identity Maestro can work through Azure VPN connections.
• .NET Framework:
  • Minimum: .NET 4.6.1 or later is required if connecting to on-premises Exchange 2013 CU14 or later.
• Windows Management Framework 4.0 or later (Windows Server 2012 R2 ships with WMF 4.0 and Windows Server 2016 with WMF 5.1, so no separate install is needed).
• Windows Services: Contact Identity Maestro support for assistance with setting this up.
• Azure Active Directory: Identity Maestro needs to establish a secure (TCP port 443) connection to the Azure AD / Office 365 subscription.
• Office 365 Support: The MSOnline support applications are pre-installed.


SSL Options

The Windows host server and the IIS websites hosted on that server need to be protected by SSL/TLS certificates. There are two sources of certificates, and a typical deployment uses both (the Apply SSL Certificates section later in this guide applies a public certificate to the default website and an enterprise CA certificate to the internal websites):

□ Ensure that domain controllers have been issued certificates by an Enterprise Certificate Authority. A domain controller only accepts LDAPS connections (port 636), which Identity Maestro requires, once it holds a server certificate, and the Identity Maestro server must trust the CA that issued it.

□ Ensure that SSL certificate(s) obtained from trusted public certificate authorities are applied to the IIS default website hosted on the Identity Maestro server.

Firewall Settings

Internal firewall settings need to be configured to permit standard TCP and UDP ports between the Windows server hosting Identity Maestro and the servers / web applications that will be managed. Identity Maestro will be configured with connectors that use various web-enabled services and protocols to facilitate remote access and management. Here is a typical list:

Port                              Protocol or Purpose
389 (tcp/udp), 636 (tcp)          AD LDAP connection, insecure (389) / secure (636). Identity Maestro's own directory connections use 636 only.
3268 (tcp), 3269 (tcp)            LDAP Global Catalog, LDAP Global Catalog over SSL
88 (tcp/udp)                      Kerberos
53 (tcp/udp)                      DNS resolution
137, 138 (udp), 139, 445 (tcp)    NetBIOS browser and SMB (home folder shares)
123 (udp)                         W32Time (NTP)
80, 443 (tcp)                     Standard web applications and Exchange connection, insecure/secure
7190 (tcp)                        Identity Maestro connection agent port
135 (tcp)                         RPC endpoint mapper and WMI connections for home folders
4000, 4002 (tcp)                  Workflow Center website, Azure AD Remote Agent website
1025 – 5000 (tcp)                 RPC dynamic ports. This is the legacy range; Windows Server 2008 and later allocate dynamic RPC ports from 49152 – 65535 by default, so open whichever range your home folder servers actually use rather than both.
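As an added example (not part of the original guide or of Identity Maestro's own tooling), the following PowerShell pre-flight check, run on the Identity Maestro VM before installation, probes the TCP ports from the table above against your domain controller and home folder server, then inspects the certificate the domain controller presents on 636, which the SSL Options section requires. The host names are assumptions for your environment. Test-NetConnection probes TCP only, so the UDP ports in the table (DNS, Kerberos, NTP, NetBIOS) are not exercised.

```powershell
# Added example, not from the Identity Maestro guide. Run on the Identity Maestro VM.
$DomainController = 'dc01.corp.example.com'   # assumption: DC FQDN reachable from the Azure VNet
$HomeFolderServer = 'fs01.corp.example.com'   # assumption: server that hosts users' home folders

# TCP ports from the Firewall Settings table that Identity Maestro itself will use.
$Checks = @(
    @{ Target = $DomainController; Port = 636;  Purpose = 'LDAPS (required by Identity Maestro)' },
    @{ Target = $DomainController; Port = 3269; Purpose = 'Global Catalog over SSL' },
    @{ Target = $DomainController; Port = 88;   Purpose = 'Kerberos' },
    @{ Target = $DomainController; Port = 53;   Purpose = 'DNS' },
    @{ Target = $HomeFolderServer; Port = 135;  Purpose = 'RPC endpoint mapper / WMI (home folders)' },
    @{ Target = $HomeFolderServer; Port = 445;  Purpose = 'SMB (home folder shares)' },
    @{ Target = 'login.microsoftonline.com'; Port = 443; Purpose = 'Azure AD / Office 365 sign-in' }
)

$Blocked = @()
foreach ($c in $Checks) {
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Host ('{0,-30} {1,5}  {2,-8} {3}' -f $c.Target, $c.Port, $state, $c.Purpose)
    if (-not $r.TcpTestSucceeded) { $Blocked += $c }
}
if ($Blocked.Count -gt 0) {
    Write-Warning ("{0} port(s) unreachable; fix the NSG / on-premises firewall before running the installer." -f $Blocked.Count)
}

# Inspect the LDAPS certificate. The validation callback accepts any certificate so the
# handshake completes and we can report on it; the real trust decision is made below with
# X509Chain against this VM's trust store, which is what matters when Identity Maestro connects.
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
try {
    $ssl.AuthenticateAsClient($DomainController)
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    Write-Host "LDAPS subject : $($cert.Subject)"
    Write-Host "LDAPS issuer  : $($cert.Issuer)"
    Write-Host "LDAPS expires : $($cert.NotAfter)"
    Write-Host "Name on cert  : $dnsName  (compare with the target you will give the connection wizard)"
    if ($trusted) {
        Write-Host 'Chain         : trusted by this VM'
    } else {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "Chain NOT trusted: $reasons"
        Write-Warning 'Import the enterprise CA certificate into LocalMachine\Root on this VM (see SSL Options).'
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

If the chain check fails, the Active Directory connection wizard's test on port 636 will fail too; import the enterprise CA's root (and any intermediate) certificate on the Identity Maestro VM before continuing rather than falling back to port 389, which Identity Maestro does not support.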


Deploy an Azure Marketplace VM

These steps describe deploying a Windows Server 2012 R2 virtual machine that is prepared to host Identity Maestro. We recommend deploying Identity Maestro into a sandbox environment for evaluation purposes. For this documentation, a virtual machine will be deployed into an Azure VNet that contains an Active Directory domain controller server.

To deploy an Azure Marketplace VM for Identity Maestro:

1. In Azure, select Virtual Machines and narrow your scope to the VNet you plan to deploy the virtual machine into.
2. Select Add.
3. Select the Windows server platform. The Identity Maestro Server listing is for a Windows Server 2012 R2 platform.
4. Click the Create button.
5. In Step 1 – Basics:
   a. Provide a unique computer name.
   b. Select HDD or SSD for the VM disk type.
   c. Provide a suitable username. This will be a local administrator of the Windows server.
   d. Provide a strong, unique password.
   e. Select your subscription.
   f. Use an existing or create a new Resource Group.
   g. Scroll down.
   h. Select your location.
   i. Click OK.
6. In Step 2 – Size, select a size for the virtual machine. B2s is a good size to start with: it has sufficient disk space, RAM and virtual CPUs to offer solid performance for website users.
7. In Step 3 – Settings:
   a. For production servers, we recommend configuring high availability if available.
   b. Define a new VNet or select an existing VNet.
   c. Configure the desired subnet.
   d. Accept the public IP address and network security group. Note that the default network security group allows RDP (TCP 3389) from any Internet address; before the server is used for anything beyond a short trial, edit the inbound RDP rule so that only your administrators' source addresses are allowed.
   e. No extensions are required.
   f. We recommend scheduling auto-shutdown for trial scenarios.
   g. Choose to enable or disable monitoring.
   h. Choose whether to enable a managed service identity.
   i. Click OK.
8. In Step 4 – Summary, review the offer details and click Create.
9. Once the virtual machine is running, configure it to support RDP and ensure that Identity Maestro will be able to create connections to an Active Directory domain controller and an Office 365 subscription. See the next section, Prepare Connection Service Accounts.

Notes:

1. Identity Maestro virtual machines available in the Azure Marketplace have been updated with the CredSSP update. If you experience an issue with RDP to the virtual machine, ensure that your local desktop is updated with the CredSSP update. See https://support.microsoft.com/en-ca/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm for more information.
2. Look in the C:\Identity Maestro Get Started folder for the Identity Maestro installer and documentation PDF guides.
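Step 7d above accepts the portal's default network security group, whose inbound RDP rule is open to any Internet address. The following Az PowerShell script is an added example (not from the guide) that replaces that rule with one limited to an administrator address range and exposes only HTTPS to the Internet, which is what the Apply SSL Certificates section later asks for. The resource group name, NSG name and administrator CIDR are assumptions; run Connect-AzAccount first.

```powershell
# Added example, not from the Identity Maestro guide. Requires the Az PowerShell module.
$ResourceGroup = 'rg-identitymaestro'     # assumption: resource group chosen in step 5f
$NsgName       = 'vm-im01-nsg'            # assumption: NSG the portal created alongside the VM
$AdminCidr     = '203.0.113.0/24'         # assumption: your administrators' egress range

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# Remove every inbound rule that allows 3389, whatever the portal named it, instead of
# hard-coding "default-allow-rdp". The default rules (AllowVnetInBound, DenyAllInBound) are
# not in SecurityRules and are left untouched.
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.DestinationPortRange -contains '3389' } |
    ForEach-Object { $nsg = Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $_.Name }

# RDP only from the administrator range.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'allow-rdp-admins' `
        -Description 'RDP to the Identity Maestro server from administrator network only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
        -SourceAddressPrefix $AdminCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389

# The public portal (default website) over TLS only.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'allow-https-internet' `
        -Description 'Identity Maestro portal over HTTPS' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 310 `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 443

# Explicit deny for plain HTTP from the Internet; DenyAllInBound would catch it anyway,
# but the explicit rule records the intent when someone reviews the NSG later.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'deny-http-internet' `
        -Description 'No plain HTTP from the Internet' `
        -Access Deny -Protocol Tcp -Direction Inbound -Priority 320 `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 80

Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# Show the resulting rule set in priority order for review.
Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName |
    Select-Object -ExpandProperty SecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

The internal sites on ports 4000 and 4002 and the connection agent port 7190 are deliberately not opened to the Internet; the default AllowVnetInBound rule keeps them reachable from within the VNet (and across the VPN), which matches the access restrictions in the Apply SSL Certificates section.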


Prepare Connection Service Accounts

Each target system needs a service user account that will be used to provide privileged access to the target system. Prepare what is required for your environment. Both accounts described below hold standing, highly privileged credentials that Identity Maestro stores in its connection configuration, so generate long random passwords, keep them in a password vault, and monitor the accounts' sign-in activity.

Active Directory

Prepare an AD user account to use as the connection service account for Identity Maestro. This account will provide protected full administrative access to Active Directory.

□ Create a user in the "\Users" container of the AD domain. A typical name is imconnect.
□ Add it to the Domain Admins group.
□ (If required) Add it to the Enterprise Admins and Organization Management groups (required for managing on-premises Exchange).
□ Set the account password to never expire.
  If corporate security policy requires scheduled password changes, schedule a task to manually reset the password before it expires in AD. There is a procedure that needs to be followed to reset the password in the various connection end-points in Identity Maestro.
□ Ensure that the account is not affected by GPOs that modify password expiration.

Azure AD / Office 365

Prepare an Office 365 user account to use as the connection service account for Identity Maestro.

□ Create an Office 365 user account (that is not synced by Azure AD Connect) called imconnect.
□ This account must be assigned the Global Administrator role in Office 365.
□ This account does not need to be licensed for any SKUs or service plans.
□ The Microsoft Online connection signs in with this account's username and password, so a Conditional Access policy that requires MFA for all administrators will block it. If you exclude the account from such a policy, compensate with a long random password and an alert on its sign-in activity.
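The two checklists above can be scripted. The following PowerShell is an added example, not part of the guide: it creates both accounts and then verifies each one the way the connection wizards will use it (a simple bind over LDAPS with the UPN, and a password sign-in to Azure AD). Run the Active Directory part as a Domain Admin where the ActiveDirectory RSAT module is available, and the Azure AD part on the Identity Maestro VM, where the MSOnline module is pre-installed. The domain names are assumptions; imconnect is the account name the guide suggests.

```powershell
# Added example, not from the Identity Maestro guide.
$AdDomain  = 'corp.example.com'          # assumption: on-premises AD DNS name
$AdUpn     = "imconnect@$AdDomain"
$TenantUpn = 'imconnect@example.com'     # assumption: one account per Office 365 email domain

# 64-symbol alphabet, so mapping one random byte to one symbol (256 / 64) has no modulo bias.
function New-RandomPassword([int]$Length = 32) {
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# --- Active Directory: the account the installer will also mirror as a local administrator.
Import-Module ActiveDirectory
$AdPassword = New-RandomPassword
New-ADUser -Name 'imconnect' -SamAccountName 'imconnect' -UserPrincipalName $AdUpn `
    -Path "CN=Users,$((Get-ADDomain).DistinguishedName)" `
    -Description 'Identity Maestro connection service account' `
    -AccountPassword (ConvertTo-SecureString $AdPassword -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'imconnect'
# Only when Identity Maestro will manage on-premises Exchange (see the checklist above):
# Add-ADGroupMember -Identity 'Enterprise Admins'       -Members 'imconnect'
# Add-ADGroupMember -Identity 'Organization Management'  -Members 'imconnect'

# Verify: simple bind over LDAPS (636) with the UPN, which is what the AD connection wizard does.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dc   = (Get-ADDomainController -Discover -NextClosestSite).HostName | Select-Object -First 1
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636, $true, $false)
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id,
          (New-Object System.Net.NetworkCredential($AdUpn, $AdPassword)),
          [System.DirectoryServices.Protocols.AuthType]::Basic)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion   = 3
$ldap.Bind()   # throws if the password is wrong, 636 is closed, or the DC certificate is not trusted here
Write-Host "LDAPS bind as $AdUpn to ${dc}:636 succeeded"
$ldap.Dispose()

# --- Azure AD / Office 365: cloud-only Global Administrator, left unlicensed.
Import-Module MSOnline
Connect-MsolService                     # interactive sign-in as an existing Global Administrator
$TenantPassword = New-RandomPassword
New-MsolUser -UserPrincipalName $TenantUpn -DisplayName 'Identity Maestro Connect' `
    -Password $TenantPassword -ForceChangePassword $false -PasswordNeverExpires $true | Out-Null
# 'Company Administrator' is the MSOnline module's name for the Global Administrator role.
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $TenantUpn

# Verify: password sign-in as the new account, which is how the Microsoft Online wizard
# authenticates. This fails if an MFA-requiring Conditional Access policy covers the account.
$cred = New-Object System.Management.Automation.PSCredential($TenantUpn,
          (ConvertTo-SecureString $TenantPassword -AsPlainText -Force))
Connect-MsolService -Credential $cred
Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | Select-Object Name, Authentication

Write-Host 'Record $AdPassword and $TenantPassword in your password vault now; they are not written anywhere else.'
```

The LDAPS bind check deliberately uses the same port and credential form as the wizard, so a failure here points at the certificate trust or the password rather than at Identity Maestro. Because the Notes about Microsoft Online Connections section requires one connection account per email domain, repeat the Azure AD part for each domain with its own $TenantUpn.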


Run the Identity Maestro Installer

Follow these steps to install Identity Maestro.

1. In Windows Explorer, navigate to the C:\Identity Maestro Get Started folder.
2. Right-click the IdentityMaestro-latest.exe application and choose Run as administrator.
3. In the User Account Control window, click Yes.
4. In the Welcome to the InstallShield Wizard for Identity Maestro window, click Next >.
5. In the License Agreement window, select the I accept the terms in the license option and click Next >.
6. In the Custom Setup window, click Next >.
   Note: Identity Maestro is configured to install to C:\Program Files (x86) into an \Omni parent folder. This is fine for trial or evaluation scenarios. For production servers, it is recommended that the install path be changed to a dedicated data volume instead of the system volume.
7. In the Logon Information window, provide the username and password that the installer will use to create a local user and add it to the local Administrators group. This username and password should match the username and password of the AD connection user. Because this duplicates the Domain Admin credential in a local account, keep the two passwords in sync when you rotate them and do not use the account for interactive logons.
8. In the Ready to Install the Program window, click Install.
9. In the InstallShield Wizard Complete window, select the Launch the configuration wizard option and click Finish.

Apply SSL Certificates

It is highly recommended that you complete the following work to protect the Identity Maestro server. All of these actions are standard IIS website management.

• In public DNS and the AD DNS server, configure A records for the following websites:
  o Default website – e.g. manage.example.com
  o Omni.WorkflowEngine website – e.g. workflowengine.example.com
  o Azure AD Remote Agent website – e.g. azuread-ra.example.com
• Apply a public SSL certificate to the default website using host headers.
  o Use URL redirection to enforce redirection from http:// to https:// (optional).
  o Configure public access to the Azure VM to use https:// only. Refer to Azure documentation for steps.
• Apply an AD (enterprise CA) SSL certificate to the Omni.WorkflowEngine and Azure AD Remote Agent websites using host headers.
  o Restrict access to users in the AD groups that you approve to have access to those websites.
  o Use URL redirection to enforce redirection from http:// to https:// (optional).
  o Restrict access to these websites to addresses in the same Azure VNet as the Identity Maestro server, and reach them from administrative desktops in that VNet over RDP.
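The following WebAdministration script is an added example (not from the guide) that performs the binding, certificate, TLS-enforcement and address-restriction steps above on the Identity Maestro VM. The IIS site names (Default Web Site, Omni.WorkflowEngine, Azure AD Remote Agent), the host names and the VNet address range are assumptions; confirm the real site names with Get-Website before running it. The certificates are expected to be already imported, with private keys, into the LocalMachine\My store.

```powershell
# Added example, not from the Identity Maestro guide.
Import-Module WebAdministration

# Newest usable certificate for a DNS name in the machine store (public CA cert for the
# default site, enterprise CA cert for the two internal sites, per the list above).
function Get-CertThumbprint([string]$DnsName) {
    $c = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $DnsName) } |
         Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $c) { throw "No certificate with a private key for $DnsName in LocalMachine\My" }
    $c.Thumbprint
}

function Set-HttpsBinding([string]$Site, [string]$HostName, [string]$Thumbprint, [switch]$RequireSsl) {
    if (-not (Get-WebBinding -Name $Site -Protocol https -HostHeader $HostName)) {
        New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1   # 1 = SNI
    }
    # Attach the certificate to the host:port endpoint in HTTP.sys, replacing any previous one.
    netsh http delete sslcert hostnameport="${HostName}:443" | Out-Null
    netsh http add sslcert hostnameport="${HostName}:443" certhash=$Thumbprint `
        certstorename=MY appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' | Out-Null
    if ($RequireSsl) {
        # Stronger than a redirect: plain-HTTP requests are refused with 403.4. The access
        # section is locked at site level, so write it as a <location> in applicationHost.config.
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
}

# IP and Domain Restrictions (needs the Web-IP-Security feature). Same <location> approach
# because the ipSecurity section is also locked at site level by default.
function Set-SiteIpRestriction([string]$Site, [string]$Network, [string]$Mask) {
    $filter = 'system.webServer/security/ipSecurity'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter $filter -Name allowUnlisted -Value $false
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter $filter -Name '.' -Value @{ ipAddress = $Network; subnetMask = $Mask; allowed = $true }
}

$VnetNetwork = '10.0.0.0'; $VnetMask = '255.255.0.0'     # assumption: the Azure VNet address space

Set-HttpsBinding -Site 'Default Web Site' -HostName 'manage.example.com' `
    -Thumbprint (Get-CertThumbprint 'manage.example.com') -RequireSsl
Set-HttpsBinding -Site 'Omni.WorkflowEngine' -HostName 'workflowengine.example.com' `
    -Thumbprint (Get-CertThumbprint 'workflowengine.example.com')
Set-HttpsBinding -Site 'Azure AD Remote Agent' -HostName 'azuread-ra.example.com' `
    -Thumbprint (Get-CertThumbprint 'azuread-ra.example.com')
Set-SiteIpRestriction -Site 'Omni.WorkflowEngine'  -Network $VnetNetwork -Mask $VnetMask
Set-SiteIpRestriction -Site 'Azure AD Remote Agent' -Network $VnetNetwork -Mask $VnetMask

Get-WebBinding | Format-Table protocol, bindingInformation, sslFlags -AutoSize
```

Once Require SSL is on for the default website, http://localhost in the Setup Wizard steps answers 403.4; open https://manage.example.com (resolved through the AD DNS record above) instead. The two internal sites keep their existing plain-HTTP bindings on 4000 and 4002 until the Remote Agent tab in the Microsoft Online connection has been switched to the https:// host name on 443; after that they can be given -RequireSsl as well. The address restriction still allows the Identity Maestro server's own calls to those sites, since it sits in the same VNet range.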


Create and Test Identity Maestro Connections

Use this procedure to create and test the Active Directory and Microsoft Online connections.

Create and Test the Active Directory Connection

1. In the Identity Maestro Connection Utility, click the Microsoft Active Directory button.
2. In the Welcome window, click Next >.
3. In the Target Information window, provide the IP address of the Active Directory domain controller, ensure that the port value is 636 and that the Enable SSL option is checked, and click Next >.
4. In the Connection Details window, provide the user principal name (UPN) and password of the Active Directory connection service account, and click Next >.
5. In the Conflict Hostname Detected window, click Yes.
6. In the Detected Available Services window, click Next >.
7. In the Wizard Complete window, click Finish.
8. In the Connection Utility, double-click the Active Directory domain connection object.
9. In the Connection Edit window, select the Connection Targets tab, select the ldap connection and click the Test the connection target link.
10. In the Connection Successful window, click OK.
11. Select the Home Directories tab. Add the IP address of the home folder server and click the Add link.
12. Click the record in the Configured servers list and click the Test link. If an error window is displayed indicating Unable to connect to the remote server, click OK. This error indicates that the 32-bit ServiceControl Connection Agent is not running.
13. Open the Windows Services applet, locate the ServiceControl Connection Agent services and start both services. Close or minimize the Windows Services applet window.
14. Click the record in the Configured servers list and click the Test link. In the Connection successful window, click OK.
15. Click Save >> to close the Connection Edit window.

Notes about Active Directory Connections

1. Identity Maestro connections for Active Directory must use secure LDAP (port 636).
2. Identity Maestro can connect to multiple Active Directory domains.
3. If connecting to an Active Directory domain controller hosted in an on-premises data center, use a persistent Azure site-to-site VPN to carry the connections between the Azure VNet and the on-premises data center.

Create and Test Microsoft Online Connections

1. In the Connection Utility, click the Microsoft Online button to start the connection wizard.
2. In the Welcome window, click Next >.
3. In the Provide Azure AD Domain Name window, provide the email domain name for the connection, the username (with a matching domain name) of the connection service account and its password, and click Next >.
4. In the Choose Local Domain Controller window, select the AD domain and click Next >.
5. In the Configuration Results window, click Finish.
6. In the Connection Utility, double-click the Microsoft Online connection object.
7. In the Microsoft Online connection window, select the Remote Agent tab.
8. Click the 1. Update Remote Agent button. If an SSL certificate has been applied to the Azure AD Remote Agent website, use the DNS host name and port 443, e.g. azuread-ra.example.com port 443, and click the https option.
9. If the Agent Status reports that the update has succeeded, click the 2. Test AAD Connection button.
10. If the Agent Status reports Connection successful, click the 3. Update Agent in WE button.
11. Click Save >> to close the connection window.

Notes about Microsoft Online Connections

1. Each Azure AD / Office 365 connection must be related to an Active Directory connection. Identity Maestro cannot connect to and manage Azure AD as a primary directory.
2. If an Azure AD / Office 365 tenant supports multiple email domain names, you need to create a connection service account for each domain name, and you must create an Identity Maestro connection for each domain name. For example, if you have some users with @example.com email addresses and some users with @sample.com email addresses, create a connection service account for each, e.g. imconnect@example.com and imconnect@sample.com, and create a connection for each email domain name.
3. Identity Maestro will only manage users in Azure AD / Office 365 based on email domain names.
4. Identity Maestro can connect to multiple Azure AD / Office 365 subscription instances. Identity Maestro connections must be created for each domain name being served by each subscription.
5. Azure license profiles must be created for each connection.


Precompile the Identity Maestro Websites

To improve performance, all the Default Web Site files can be pre-compiled and stored in the IIS cache. Pre-compiling all website files means that the user should not experience delays of more than 2 seconds for any page view.

Refer to How to Precompile Identity Maestro Websites Immediately After Installation for the steps to perform this procedure.

Run the Setup Wizard

The next step is to access the Identity Maestro server website and run the Setup Wizard.

1. Open a web browser to http://localhost. Note that Identity Maestro works best with the Firefox and Chrome web browsers, which come pre-installed in the Azure Marketplace VM. If you have already configured http-to-https redirection on the default website, browse to its https:// host name instead.
2. At the login screen, provide the username and password that you provided during the installation.
3. At the Welcome to Identity Maestro screen, click START.
4. At the Step 1 – Choose the Primary System screen, click Next >.
5. At the Step 2 – Select a System or Container screen, click the browse icon to the right of the Container field.
6. In the Identity Maestro Directory Browser window, select the domain name and click OK.
7. In the Step 2 – Select a System or Container screen, ensure that the domain name is visible in the Container field and click Next >.

8. At the Step 3 – Summary screen, click Next >.
9. At the Step 4 – Confirmation window, make note of the usernames and passwords that Identity Maestro created. You will need these to sign in as the IM test user accounts. Treat them as initial passwords: they have been displayed on screen, and the Reset Passwords for the Identity Maestro Role Users section later in this guide changes them.
10. At the Step 5 – Setup Complete screen, click Finish.
11. Identity Maestro will become visible in the browser window and display a licenses expired warning. Click the ADMINISTRATION menu option.
12. Click the OPTIONS drop-down menu button (top right) and select Delegated Administration.
13. In the Administration Panel Access screen, click the Add button.
14. In the Add Group window, click the browse icon to the right of the Group or Container field.
15. In the Identity Maestro Directory Browser window, navigate to the Identity Maestro container, select the IM Admins Role group, and click OK.
16. In the Add Group window, ensure that the IM Admins Role group is displayed in the Group or Container field, and click Accept.
17. In the Administration Panel Access window, ensure that IM Admins Role is visible in the group list box.
18. Click the OPTIONS drop-down menu button and click Apply Settings. This will save and apply the IM Admins Role group as the Delegated Administrators for this Identity Maestro server.
19. Click the OPTIONS drop-down menu button and click Licenses.
20. In the Licensing panel, select the Request License tab. Complete the form and click Submit.
21. Identity Maestro will submit a license request to the online license service. Licenses are approved Monday to Friday, between 9 am and 4:30 pm (Mountain time, US & Canada). It can take one working day for a license request to be approved.
22. Once a license request is approved, you will receive an email with a .license file attached. Save a copy of the license file to the local C: drive of the Identity Maestro server.
23. Log in to the Identity Maestro server (if required).
24. In the Licensing panel, select the Upload License tab.
25. Click the Select button. Navigate to the location where a copy of the license file is available, select the file and click Open.
26. Ensure that the license file name is visible in the Please select licence file field, and click Upload.
27. Click the OPTIONS drop-down menu button and click Apply Settings. This will save and apply the license to the Identity Maestro server. The Details page will be displayed automatically.
28. Click the OPTIONS drop-down menu button and click Logout.


Create Azure License Profiles Identity Maestro includes a MMC plug-in to create an Azure License Profile Manager utility. This

procedure will activate the plug-in, build a MMC utility and create two license profiles.

Activate the MMC Plug-in 1. Use Windows Explorer to navigate to [install

path]\Omni\IdentityMaestro\WorkflowEngine\RemoteAgents\Omni.RA.Microsoft.Az

ureAD.Agent\MMC

2. Right-click the Omni.RA.Microsoft.AzureAD.MMC.exe file and select Run as

administrator.

3. In the User Access Control window, click Yes.

4. In the Install / Uninstall MMC Snap-in application, click Install.

5. Confirm that Is Snap-in installed is checked, and Close the application.

Create the MMC Utility 1. Launch MMC using Run as administrator.

2. In the MMC Console1 window, select File > Add/Remove Snap-in.

3. Select the Remote Agent for Azure Active Directory from the Available snap-ins list

and click the Add button.

Page 28: Setup Identity Maestro On Azure Marketplace Virtual Machines...Setup Identity Maestro On Azure Marketplace Virtual Machines Identity Maestro is a simpler way for busy network and IT

Page 28

4. In the Connect to Remote Agent window, click the Test Connection to Remote Agent

button. You do not have to provide any login credentials as the connection uses a security

token.

5. Confirm that the connection test confirms that the connection is working, and click OK.

6. Confirm that the Remote Agent for Azure AD is in the Selected snap-ins list, and click

OK.

7. In the MMC Console1 window, select File > Save as and save this console to the Desktop

as Azure License Profile Manager.

Page 29: Setup Identity Maestro On Azure Marketplace Virtual Machines...Setup Identity Maestro On Azure Marketplace Virtual Machines Identity Maestro is a simpler way for busy network and IT

Page 29

Create License Profiles

1. In the MMC Console1 window, you will see a navigation pane (left), a details pane (center), and an Actions pane (right). Right-click the Remote Agent for Azure AD node to expand the navigation.

2. Expand the Remote Agent connection and refresh the AD domain node(s).

3. Expand the AD domain connection and refresh the Licensing node.

4. Click the Licensing node and click Create New Licensing Profile in the Actions pane.

5. In the Create New Licensing Profile window, provide a profile name (must be lower case) and click Create Profile and Close.

6. Use the same steps to create a second profile (optional). In our examples, we create a staff and a contractors profile, each configured with different applications (service plans).

7. In the Details pane, a grid displays each application included in the combined total of all the license SKUs. Click the first application (Azure documentation refers to these as service plans). Each SKU has a dedicated tab, and the current license count information is displayed in the top left.

Each license profile has a dedicated column. To disable an application, remove the checkmark for the application in the column of the license profile.

If all the applications of a license SKU are disabled (unchecked), Identity Maestro will not assign a license count for that SKU when assigning license SKUs and applications to Azure AD users assigned to that license profile.

8. Once all the license profiles are configured with enabled applications, ensure that you select the Update All Profiles option in the Actions panel.

9. Select File > Save as to ensure that all changes have been saved to the MMC console.

10. IMPORTANT: Reset the IIS server to ensure that the license profiles are loaded into the Remote Agent server and the Identity Maestro server.
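The rules in steps 5 and 7 (profile names are lower case; a SKU whose service plans are all unchecked consumes no license count for users on that profile) can be modelled in a few lines, which makes it easy to sanity-check a profile design before touching the tenant. The following Python is an added example and is not Identity Maestro or Remote Agent code; the SKU names, service-plan names and the staff/contractors plan selections are constructed for illustration and do not come from this guide.

```python
"""Model of how a license profile resolves to SKU assignments.

Added example for the Create License Profiles steps; not product code.
SKU and service-plan names below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample: two license SKUs and the service plans each contains.
SKUS = {
    "ENTERPRISEPACK": {"EXCHANGE_S_ENTERPRISE", "SHAREPOINTENTERPRISE", "TEAMS1"},
    "VISIOCLIENT": {"VISIO_CLIENT_SUBSCRIPTION", "ONEDRIVE_BASIC"},
}


@dataclass
class LicenseProfile:
    name: str
    # Service plans left checked (enabled) in this profile's column.
    enabled_plans: set[str]

    def __post_init__(self):
        # The MMC utility requires profile names to be lower case.
        if self.name != self.name.lower():
            raise ValueError(f"profile name must be lower case: {self.name!r}")
        unknown = self.enabled_plans - set().union(*SKUS.values())
        if unknown:
            raise ValueError(f"unknown service plans: {sorted(unknown)}")


def resolve_assignment(profile: LicenseProfile, skus=SKUS) -> dict[str, list[str]]:
    """Return {sku: [disabled plans]} for every SKU the profile will consume.

    A SKU whose plans are all unchecked is skipped entirely, so it does not
    use a license count for users assigned to this profile.
    """
    assignment = {}
    for sku, plans in skus.items():
        enabled = plans & profile.enabled_plans
        if not enabled:
            continue  # all plans disabled -> no license count for this SKU
        assignment[sku] = sorted(plans - enabled)
    return assignment


def license_counts(users_by_profile: dict[str, int], profiles) -> dict[str, int]:
    """Sum, per SKU, how many licenses the given profile memberships consume."""
    counts = {sku: 0 for sku in SKUS}
    by_name = {p.name: p for p in profiles}
    for name, n in users_by_profile.items():
        for sku in resolve_assignment(by_name[name]):
            counts[sku] += n
    return counts


# Constructed profiles mirroring the guide's staff / contractors example.
staff = LicenseProfile("staff", {
    "EXCHANGE_S_ENTERPRISE", "SHAREPOINTENTERPRISE", "TEAMS1",
    "VISIO_CLIENT_SUBSCRIPTION", "ONEDRIVE_BASIC",
})
contractors = LicenseProfile("contractors", {"EXCHANGE_S_ENTERPRISE", "TEAMS1"})

if __name__ == "__main__":
    for p in (staff, contractors):
        print(p.name, resolve_assignment(p))
    print(license_counts({"staff": 40, "contractors": 10}, [staff, contractors]))
```

With these constructed profiles, contractors receive ENTERPRISEPACK with SHAREPOINTENTERPRISE disabled and never consume a VISIOCLIENT license, which is exactly the behaviour step 7 describes.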

Page 32: Setup Identity Maestro On Azure Marketplace Virtual Machines...Setup Identity Maestro On Azure Marketplace Virtual Machines Identity Maestro is a simpler way for busy network and IT

Page 32

Reset Passwords for the Identity Maestro Role Users

Let’s take a quick look at the users and groups that Identity Maestro created in the Active Directory domain.

1. Log in as imadmin with the password Demo!2345678.

2. The Operator Panel will display the default menu and the Manage module page. In the Manage module, you can search for objects or browse the Directory for objects. If you add ima to the Object Name field and click Search, Identity Maestro will search for and display all users, groups and contacts that contain the character string ima in the object name.

3. Select the Browse tab. Expand the domain name and the Identity Maestro container. Click on the Identity Maestro container. Users, contacts and groups in that container will be displayed.

Notice that you cannot see any other AD containers. Identity Maestro installs in a sandbox mode with pre-configured Identity Maestro Roles, with corresponding access controls limited to the Identity Maestro container only. This permits administrators to learn what Identity Maestro can do before enabling access to other containers in the AD domain.

4. If you click the Username column header, it will sort the list by username and in this instance list all the users together in alphabetical order by username. You can right-click the imadmin user and select Reset Password to reset the user password to a different value.

5. You can also bulk reset the password for multiple users. In this case, if you use Shift + Click to select all the im users except imadmin, then right-click the list and select Reset Password, you reset the user password for all those users to a new common password.

6. Choose Specify password, type in a value and click Reset.

7. Identity Maestro will confirm the password changes. You can even export a list of usernames and passwords (optional). Click Close.

Page 35: Setup Identity Maestro On Azure Marketplace Virtual Machines...Setup Identity Maestro On Azure Marketplace Virtual Machines Identity Maestro is a simpler way for busy network and IT

Page 35

Configure Office 365 Custom Tasks

There is some configuration work that needs to be done in various Manage custom tasks to ensure that O365 custom tasks will use the Office 365 email domain.

1. Select ADMINISTRATION in the main menu.

2. Identity Maestro will display Step 2 in the Manage module by default. This displays the four IM Roles that are configured.

3. We need to set the email domain name and license profile in some of the O365 custom tasks. Click Step 5: Configure Custom Tasks.

4. Select the O365 Apply License Profile task, select the Form Fields tab, and select the O365 License Profile field.

5. In the Details pane, add Staff Profile to the Display Text field and staff to the Value field. Click the Add button to add this option to the Values list.

6. Add Contractors Profile to the Display text field and contractors to the Value field, and click Add to add this to the Values list.

7. Select the Profile Name | profile selection in the Values list and click the X button to remove it from the Values list.

8. Confirm that only staff and contractors are in the Values list and Save this change.

Note: In Identity Maestro, you must Save your changes before changing focus to a different field or moving to a different form or page view, otherwise all your work will be lost. The Save option writes the changes to the applicable .config files. OPTIONS > Apply Settings loads the modified .config files into the IIS server cache and applies them to the Identity Maestro websites without requiring an IISRESET.

9. Select the O365 Usage Location field. This field is used to assign a location value to the Office 365 user when applying a license profile. This field uses a plain text label to represent the country, e.g. Canada, and the ISO country abbreviation, e.g. CA. If you want to add a new location, type the Country Name in the Display text field and the ISO country abbreviation in the Values field, and click Add to add the selection to the Values list.

If you add one or more countries to this list, click Save.

10. Choose OPTIONS > Apply Settings to apply all changes to the O365 Apply License Profile task.

11. Select the O365 Provision User custom task and select the Form Fields tab.

12. Repeat steps 4 to 9 to set corresponding values for the same O365 License Profile and O365 Usage Location fields.

13. Expand the O365 User Contact Info section and select the O365 Email Autocomplete field. Click the edit icon beside the Pattern option field.

14. In the Autocomplete Pattern Builder window, add the email domain name for your Office 365 email subscription (e.g. @democotest.com) and click Add segment.

15. In the Pattern segments section, select the Separator ‘@emaildomainname’ segment that you just created. Click the Move Up button until you have moved the segment so that it is above the Separator ‘@example.com’ segment.

16. Select the Separator ‘@example.com’ segment and click the Remove button.

17. Confirm that the Separator ‘@example.com’ segment is not visible in the Pattern segments list and click Save.

18. Confirm that the configured domain name is now visible in the pattern.

19. Select OPTIONS > Apply Settings to save the changes and activate them in the Identity Maestro website.

Page 40: Setup Identity Maestro On Azure Marketplace Virtual Machines...Setup Identity Maestro On Azure Marketplace Virtual Machines Identity Maestro is a simpler way for busy network and IT

Page 40

Check and Configure Task Assignments

There is some configuration work that needs to be done in various Manage custom tasks to ensure that O365 custom tasks will use the Office 365 email domain.

1. In the MANAGE module, select Step 2: Assign Groups to Tasks.

2. Select the Identity Maestro\IM Admins Role assignment.

3. Confirm that the Search Contexts tab is selected and confirm that the scope is properly defined.

This is how you confirm the scope (search context).

System ID specifies the name of the target system. In this example it is an AD domain called democotest.com.

Path defines the top level OU container that starts the search scope. This defines that users assigned to this task assignment can search objects in the Identity Maestro container.

The Binoculars column displays an org chart icon that designates that search is permitted in this OU container and all child OU containers.

The X column defines this search context as an excluded OU container. This can be used to define a child container of the parent OU container as an excluded container for search.

The Folder with magnifying glass column indicates that the Browse feature is enabled for this search context.

The Pencil icon is used to edit this search context.

The Trash can icon is used to delete the search context.

A minimum of one search context must be defined for a task assignment, otherwise it will not work.

4. Select the Mail Stores tab.

5. Check the check boxes in the Enabled column. This is required to permit management of mailbox servers, including Office 365 mailboxes, that are related to the defined target system.

Checking Deny applies an explicit deny that overrides all Enabled selections in any task assignment that is assigned to the users in the Group Members for this assignment. Be careful when applying this setting, as a Deny is difficult to troubleshoot.

6. Select the Group Members tab to confirm which users will be assigned to this task assignment.

7. Save your changes to the Mail Stores.

8. Repeat steps 3 to 7 for the rest of the task assignments.
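Because a task assignment's scope is the only thing standing between a delegated operator and the rest of the directory, it is worth being able to reason about the search-context and Mail Stores rules above outside the UI: which objects a Path with subtree search covers, how an excluded child OU carves objects back out, and how a Deny in one assignment overrides Enabled in every other. The Python below is an added example, not Identity Maestro code; the DNs, the Service Accounts child OU and the Helpdesk assignment are constructed around the guide's democotest.com example domain, and the product's real matching rules may differ in details this guide does not describe.

```python
"""Evaluator for task-assignment scope: search contexts and Mail Stores.

Added example for the Check and Configure Task Assignments steps; not
product code. All DNs and assignment data are constructed for illustration.
"""
from dataclasses import dataclass, field


def dn_components(dn: str) -> list[str]:
    """Split a simple LDAP DN into components, root first, case-insensitive.
    Escaped commas inside values are not handled (constructed data has none)."""
    return [c.strip().lower() for c in dn.split(",")][::-1]


def is_under(obj_dn: str, container_dn: str, include_children: bool) -> bool:
    """True when obj_dn lies inside container_dn (subtree or direct child)."""
    obj, cont = dn_components(obj_dn), dn_components(container_dn)
    if len(obj) <= len(cont) or obj[:len(cont)] != cont:
        return False
    # Direct children only, unless the org-chart (subtree) option is set.
    return include_children or len(obj) == len(cont) + 1


@dataclass
class SearchContext:
    system_id: str                  # target system, e.g. the AD domain name
    path: str                       # top-level OU that starts the scope
    include_children: bool = True   # binoculars column: search child OUs too
    excluded: bool = False          # X column: this OU is carved out of scope
    browse: bool = False            # folder/magnifier column: Browse enabled


@dataclass
class TaskAssignment:
    name: str
    search_contexts: list[SearchContext]
    mail_stores_enabled: set[str] = field(default_factory=set)
    mail_stores_denied: set[str] = field(default_factory=set)


def in_scope(assignment: TaskAssignment, system_id: str, obj_dn: str) -> bool:
    """An object is searchable when a non-excluded context covers it and no
    excluded context covers it. With no contexts the assignment does not work."""
    if not assignment.search_contexts:
        return False
    covered = [c for c in assignment.search_contexts
               if c.system_id == system_id
               and is_under(obj_dn, c.path, c.include_children)]
    if any(c.excluded for c in covered):
        return False  # an excluded container removes the object from scope
    return any(not c.excluded for c in covered)


def effective_mail_stores(assignments: list[TaskAssignment]) -> set[str]:
    """Mail stores a user may manage across all of their task assignments.
    An explicit Deny in any one assignment overrides every Enabled selection."""
    enabled = set().union(*(a.mail_stores_enabled for a in assignments))
    denied = set().union(*(a.mail_stores_denied for a in assignments))
    return enabled - denied


# Constructed sample data for the guide's democotest.com example domain.
DOMAIN = "democotest.com"
IM_CONTAINER = "OU=Identity Maestro,DC=democotest,DC=com"
SVC_CONTAINER = "OU=Service Accounts," + IM_CONTAINER   # hypothetical child OU

im_admins = TaskAssignment(
    "IM Admins",
    [SearchContext(DOMAIN, IM_CONTAINER, include_children=True, browse=True),
     SearchContext(DOMAIN, SVC_CONTAINER, excluded=True)],
    mail_stores_enabled={"Office 365"},
)
# Hypothetical second assignment that carries an explicit Deny.
helpdesk = TaskAssignment("Helpdesk", [SearchContext(DOMAIN, IM_CONTAINER)],
                          mail_stores_denied={"Office 365"})

if __name__ == "__main__":
    print(in_scope(im_admins, DOMAIN, "CN=imadmin," + IM_CONTAINER))
    print(in_scope(im_admins, DOMAIN, "CN=svc1," + SVC_CONTAINER))
    print(effective_mail_stores([im_admins, helpdesk]))
```

Running it shows why the guide warns about Deny: a user who is a member of both constructed assignments ends up with no manageable mail stores at all, even though IM Admins enables Office 365, and nothing in the IM Admins assignment itself reveals where the block comes from.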

Configure Office 365 Create User Forms

The Setup Wizard installed a set of create form templates, which are all labelled with (Template) in the form name. It also created a set of create forms that will be used for the Sample OU that is part of the “sandbox” setup. The Setup Wizard also added create profiles that use the Sample create forms.

Create Forms are the forms that collect the information that will be used to create a new user, group or contact object. You normally add create forms to cover unique differences between types of users.

Create Profiles relate a create form to a create workflow. Users are assigned to a create profile, which enables the create module for that user and displays the create form for them to use. You normally build create forms to create users in different OU containers or to add them to different groups during the create process.

There is some work that needs to be done in the Office 365 user create form(s) to ensure that the Identity Maestro configuration will match your Office 365 email domain.

Modify the User Create Forms for Hybrid Environments

Use this procedure if your AD domain IS being synced with your Office 365 subscription using ADCONNECT. Use this procedure for the AD and Hybrid O365 User (Template) form and the Sample AD and O365 User (Hybrid) form.

In this scenario, ADCONNECT will automatically create the user in Azure AD and copy the user contact information from on-premises AD to Azure AD. In reality, all Identity Maestro has to do is create a user in the domain containers that are in scope for the ADCONNECT service. Once the user is created in Azure AD, administrators can use the MANAGE > O365 Apply License Profile task to license the user in Office 365.

1. In the ADMINISTRATION panel, select the CREATE menu option.

2. In Step 1 – Configure Create Forms, select the AD and Hybrid O365 User (Template) or the Sample AD and O365 User (Hybrid) create form.

This create form is designed to support environments where ADCONNECT is being used to sync data between the on-premises AD domain and the Office 365 subscription instance. The form needs to provide sufficient details so that the new user will be properly synced by ADCONNECT.

3. Select the Email Address field.

Notice that the Pattern uses @example.com as the domain name. This needs to be changed to use the actual email domain name.

4. Click the edit icon next to the Pattern field.

5. In the Autocomplete Pattern Builder window, add your email domain (e.g. @democotest.com) to the Separator field and click Add Segment.

6. In the Pattern segments list, select your email domain (e.g. Separator ‘@democotest.com’) and click the Move button until the entry is immediately above the Separator ‘@example.com’ entry.

7. Select the Separator ‘@example.com’ entry and click the Remove button.

8. Click Save to save the settings and close the pattern builder window.

9. Confirm that the Pattern now displays your email domain.

10. Click Save to save the changes.

11. Select OPTIONS > Apply Settings to apply the changes to the create profile and form.

Modify the User Create Forms for Disconnected Environments

Use this procedure if your AD domain IS NOT being synced with your Office 365 subscription using ADCONNECT. We refer to this as a Disconnected Scenario. Use this procedure for the AD and O365 User (Template) form and the Sample AD and O365 User form.

In this scenario, Identity Maestro will run a workflow that creates an Azure AD user that is a copy of the AD user being created. The create form includes form fields that copy field values from the new on-premises AD user into fields that will be used to create the corresponding Azure AD user. In addition, this form includes fields defining the Azure license profiles and the Azure Usage Location values.

1. In the ADMINISTRATION panel, select the CREATE menu option.

2. Select Step 1 – Configure Create Forms.

3. Select the AD and O365 User (Template) form or the Sample AD and O365 User form.

4. In the Fields column, expand the Personal Information section and select the Office 365 Email field.

Notice that the Pattern uses @example.com as the domain name. This needs to be changed to use the actual email domain name.

5. Click the edit icon next to the Pattern field.

6. In the Autocomplete Pattern Builder window, add your email domain (e.g. @democotest.com) to the Separator field and click Add Segment.

7. In the Pattern segments list, select your email domain (e.g. Separator ‘@democotest.com’) and click the Move button until the entry is immediately above the Separator ‘@example.com’ entry.

8. Select the Separator ‘@example.com’ entry and click the Remove button.

9. Click Save to save the settings and close the pattern builder window.

10. Confirm that the Pattern now displays your email domain.

11. Click Save to save the changes.

Now we need to set the Office 365 license options to match the license profiles you built previously, and to set the correct list of countries for the Usage Location field.

12. Expand the Office 365 License section and select the License Profile field.

13. Add values for the Display text and Value fields for each license profile (e.g. Display text: Staff Profile and Value: staff).

The Display text is what will display in the drop-down for this field, while the Value is the actual name of the license profile that was defined in the Azure License Profile Manager (see Create License Profiles). The Value must be all lower case letters.

14. Once all of the license profiles have been added, select the profilename | Profile Name from MMC entry and click the X button to remove it from the list.

15. Click Save to save the changes.

16. Select the Usage Location field. This field contains values for Canada and the United States. The Display Text is the value that will be displayed in the drop-down, while the Value must be the ISO country abbreviation.

17. (Optional) To add an additional country, add a valid Country (e.g. United Kingdom | UK).

18. Click Save to save the changes.

19. Select OPTIONS > Apply Settings to apply the changes to the create profile and form.

This completes all the required changes. Feel free to examine all the create forms and create profiles and make any adjustments to match your environment.

Proprietary and Confidential Information of Amdocs Page 20

Identity Maestro has offices, development and support centers worldwide, including sites in:

Headquarters
103, 10301 – 109 Street
Edmonton, Alberta T5J 1N4
Canada
Email: [email protected]
Twitter: @IdentityMeastro
Phone: +1 408.675.5020
Fax: +1 780.423.4711

Regional Offices

Identity Maestro Europe
Kreitstrasse 5, 86926 Greifenberg/Munich
Germany
Phone: +49.8192.99733.25
emea@Identity Maestro.com

Identity Maestro USA
440 North Wolfe Road
Sunnyvale, CA 94085
USA
Phone: +1 408.675.5020
[email protected]

For the most up-to-date contact information for all Identity Maestro offices worldwide, please visit our website at www.identitymaestro.com/contact

