Setup Identity Maestro
On Azure Marketplace Virtual Machines
Identity Maestro is a simpler way for busy network and IT administrators to delegate user identity management and privileged access management tasks to front-line staff using a powerful web portal tool. This guide provides details about how to install Identity Maestro, run the Setup Wizard, and finish customizing the custom tasks and create forms that support your email domain hosted in Azure AD and Office 365.
Issued July 2018
Page 2
Contents
Welcome to this guide ... 3
How to Get Help ... 3
Schedule a Get Started Bundle ... 3
Azure Marketplace Virtual Machines ... 4
SSL Options ... 5
Firewall Settings ... 5
Deploy an Azure Marketplace VM ... 6
Prepare Connection Service Accounts ... 11
  Active Directory ... 11
  Azure AD / Office 365 ... 11
Run the Identity Maestro Installer ... 12
Apply SSL Certificates ... 13
Create and Test Identity Maestro Connections ... 14
  Create and Test the Active Directory Connection ... 14
  Notes about Active Directory Connections ... 18
  Create and Test Microsoft Online Connections ... 18
  Notes about Microsoft Online Connections ... 20
Precompile the Identity Maestro Websites ... 21
Run the Setup Wizard ... 21
Create Azure License Profiles ... 27
  Activate the MMC Plug-in ... 27
  Create the MMC Utility ... 27
  Create License Profiles ... 29
Reset Passwords for the Identity Maestro Role Users ... 32
Configure Office 365 Custom Tasks ... 35
Check and Configure Tasks Assignments ... 40
Configure Office 365 Create User Forms ... 42
  Modify the User Create Forms for Hybrid Environments ... 42
  Modify the User Create Forms for Disconnected Environments ... 45
Welcome to this guide
Welcome to this Setup Guide. This guide is for experienced IT staff who will install, configure and manage an Identity Maestro server in an Azure subscription. It is written for individuals with expertise in deploying Azure virtual machines, Azure VNets, Azure VPNs and related security and administration tasks.
This guide is based on the 4.0.5 release of Identity Maestro and the focus is supporting
Active Directory on-premise environments that need to manage users in Azure Active
Directory and Office 365.
Please refer to the following online sources of information on this release:
• Identity Maestro 4 – Latest Release Notice
• Identity Maestro 4.0.5 Release Notes
• How to Upgrade Identity Maestro to the Latest Public Release
Identity Maestro needs to connect to an on-premise Active Directory domain in order to
manage Azure Active Directory.
Identity Maestro supports two Azure AD / Office 365 integration scenarios:
• Disconnected Mode – for those environments that do not use Azure AD Connect
to sync AD on-premise with Azure AD. Identity Maestro supports this mode for
user accounts only. Managing contacts and groups in Office 365 is not supported
at this time.
• Hybrid Mode – for environments that use Azure AD Connect to sync AD on-premise with Azure AD (with or without AD FS for federated sign-in). In this mode, all changes made to AD on-premise users, contacts and groups will sync to Azure AD and Office 365.
How to Get Help
If you need assistance during an installation and setup of an Identity Maestro server, contact the Identity Maestro Support Team.
Schedule a Get Started Bundle
The Get Started Bundle (GSB) provides a structured installation and configuration of an Identity Maestro server and connection agents in a customer's environment by an Identity Maestro Professional Services Team member. Our goal is to ensure that the Identity Maestro deployment is complete and is configured to meet the customer's management needs.
The GSB professional services bundle is available for a maximum of six hours of
professional services. Additional configuration or training is available as a billable
professional service.
Contact the Identity Maestro Team to place an order for a GSB.
Azure Marketplace Virtual Machines
The Windows server virtual machines deployed from the Azure Marketplace are pre-configured to meet the minimum system requirements to host an Identity Maestro server installation.
• Operating System: Choose between a Windows 2016 or Windows 2012 R2 server
virtual machine.
• Disk space:
• Minimum of 1 GB above OS requirements. 10+ GB recommended.
• Installation on a non-system drive is recommended.
• Memory: 2+ GB above OS requirements. If performing large bulk import from
CSV actions (500+ users records per bulk action), recommended is 4 GB+ above
OS requirements
• Processor: Intel or compatible (x64) - 2 core or higher recommended.
• Active Directory: Must be able to connect to an on-premise AD domain
controller using secure LDAP (port 636). Identity Maestro can work through Azure
VPN connections.
• .NET Framework:
• Minimum: .NET 4.6.1+ is required if connecting to on-premises Exchange
2013 CU14+.
• Windows Management Framework 4.0 (already installed by default with Windows
2012 and 2016).
• Windows Services: Contact Identity Maestro support for assistance with setting
this up.
• Azure Active Directory: Identity Maestro needs to establish a secure (tcp port
443) connection to the Azure AD / Office 365 subscription.
• Office 365 Support: The MSOnline support applications are installed.
SSL Options
The Windows host server and the IIS websites hosted on that server need to be protected by SSL certificates. Two items to cover:
□ Ensure that the domain controllers have been issued certificates by an Enterprise Certificate Authority. The Active Directory connection uses secure LDAP (port 636), which requires a certificate on the domain controller that the Identity Maestro server trusts.
□ Ensure that SSL certificate(s) obtained from a trusted public certificate authority are applied to the IIS default website hosted on the Identity Maestro server.
Firewall Settings
Internal firewall settings need to be configured to permit the standard TCP and UDP ports between the Windows server hosting Identity Maestro and the servers / web applications that will be managed. Identity Maestro will be configured with connectors that use various web-enabled services and protocols to facilitate remote access and management. A typical list:

Port                  Protocol or Purpose
389 (tcp/udp)         AD LDAP (insecure)
636 (tcp)             AD LDAP over SSL (secure)
3268, 3269 (tcp)      LDAP Global Catalog, LDAP Global Catalog over SSL
88 (tcp/udp)          Kerberos
53 (tcp/udp)          DNS resolution
137, 138 (udp)        NetBIOS name and datagram services
139, 445 (tcp)        NetBIOS session / SMB (file shares, home folders)
123 (udp)             W32Time (NTP)
80, 443 (tcp)         Standard web applications and Exchange connection, insecure/secure
7190 (tcp)            Identity Maestro connection agent port
135 (tcp)             RPC endpoint mapper + WMI connections for home folders
4000, 4002 (tcp)      Workflow Center website, Azure AD Remote Agent website
1025 – 5000 (tcp)     RPC dynamic port range (on Windows Server 2008 and later the default dynamic range is 49152 – 65535; open the range your domain controllers actually use)
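The following PowerShell script is an added pre-flight check and is not part of the Identity Maestro guide. Run from the Identity Maestro server, it tests the TCP ports in the table above against the domain controller, the home-folder server and the Office 365 sign-in endpoint, and then performs a TLS handshake on port 636 so that the domain controller certificate required by the SSL Options section is validated exactly as an LDAPS client would validate it. The three host names are assumptions; replace them with your own.

```powershell
# Added example; not part of the Identity Maestro guide.
# Pre-flight connectivity and LDAPS certificate check, run on the Identity
# Maestro server. The three host names below are assumptions for illustration.
param(
    [string]$DomainController  = "dc01.democotest.com",    # assumed DC host name
    [string]$HomeFolderServer  = "fs01.democotest.com",    # assumed home-folder server
    [string]$Office365Endpoint = "login.microsoftonline.com"
)

# TCP ports from the Firewall Settings table, grouped by target. Test-NetConnection
# only exercises TCP, so UDP-only paths (DNS/Kerberos over UDP, NetBIOS datagrams)
# are not covered here.
$checks = @(
    @{ Target = $DomainController;  Ports = 53, 88, 135, 389, 445, 636, 3268, 3269 },
    @{ Target = $HomeFolderServer;  Ports = 135, 139, 445 },
    @{ Target = $Office365Endpoint; Ports = 443 }
)

$failures = @()
foreach ($c in $checks) {
    foreach ($port in $c.Ports) {
        $r = Test-NetConnection -ComputerName $c.Target -Port $port -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) {
            Write-Host ("  OK      {0}:{1}" -f $c.Target, $port)
        } else {
            Write-Warning ("BLOCKED {0}:{1}" -f $c.Target, $port)
            $failures += "$($c.Target):$port"
        }
    }
}

# LDAPS on 636 is implicit TLS: the handshake starts immediately, so a plain
# SslStream handshake validates the certificate exactly as an LDAPS client does.
# AuthenticateAsClient throws when the chain does not build to a root trusted by
# this server (the enterprise CA root must be installed here) or when the name
# does not match the certificate's subject / subject alternative names.
function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server   = $Server
            Valid    = $true
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
        }
    } catch {
        [pscustomobject]@{ Server = $Server; Valid = $false; Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

$ldaps = Test-LdapsCertificate -Server $DomainController
$ldaps | Format-List

if ($failures.Count -gt 0 -or -not $ldaps.Valid) {
    Write-Warning "Resolve the items above before running the Connection Utility."
    exit 1
}
Write-Host "All connectivity and LDAPS certificate checks passed."
```

Run it before starting the Connection Utility. A chain error from the LDAPS check means the enterprise CA root is not trusted on the Identity Maestro server; a name-mismatch error means the name you validate against is not in the domain controller certificate. The Connection Utility asks for the domain controller's IP address, so confirm that the value you enter there is covered by the certificate's subject alternative names as well.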
Deploy an Azure Marketplace VM
These steps describe deploying a Windows 2012 R2 server virtual machine that is prepared to host Identity Maestro. We recommend deploying Identity Maestro into a sandbox environment for evaluation purposes. For this documentation, a virtual machine will be deployed into an Azure VNet that contains an Active Directory domain controller server.
To deploy an Azure Marketplace VM for Identity Maestro:
1. In Azure, select Virtual Machines and narrow your scope to the VNet you plan to deploy
the virtual machine into.
2. Select Add.
3. Select the Windows server platform. The Identity Maestro Server listing is for a Windows
2012 R2 platform.
4. Click the Create button.
5. In Step 1 - Basics:
a. Provide a unique computer name.
b. Select HDD or SSD for the VM disk type.
c. Provide a suitable username. This will be a local administrator of the Windows
server.
d. Provide a strong unique password.
e. Select your subscription.
f. Use an existing or create a new Resource Group.
g. Scroll down.
h. Select your location.
i. Click OK.
6. In Step 2 – Size select a size for the virtual machine. B2s is a good size to start with, as it has sufficient disk space, RAM and virtual CPUs to offer solid performance for website users.
7. In Step 3 – Settings:
a. For production servers, we recommend configuring high availability if available.
b. Define a new VNet or select an existing VNet.
c. Configure the desired subnet.
d. Accept the public IP address and network security group.
e. No extensions are required.
f. We recommend scheduling auto-shutdown for trial scenarios.
g. Choose to enable or disable monitoring.
h. Choose whether to enable a managed service identity.
i. Click OK.
8. In Step 4 – Summary review the offer details and click Create.
9. Once the virtual machine has been deployed, configure it to support RDP and ensure that Identity Maestro will be able to create connections to an Active Directory domain controller and an Office 365 subscription. See the next section, Prepare Connection Service Accounts.
Notes:
1. Identity Maestro virtual machines available in the Azure Marketplace have been updated with the CredSSP update. If you experience an issue with RDP to the virtual machine, ensure that your local desktop is updated with the CredSSP update. See https://support.microsoft.com/en-ca/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm for more information.
2. Look in the C:\Identity Maestro Get Started folder for the Identity Maestro installer and
documentation PDF guides.
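Step 7d accepts the public IP address and network security group that the Marketplace deployment proposes, and that default group typically allows RDP from any Internet source. The following Az PowerShell script is an added example, not part of the Identity Maestro guide, that narrows that rule to an administration address range, opens only https:// publicly (matching the Apply SSL Certificates section) and explicitly blocks the Workflow Engine and Azure AD Remote Agent ports from the Internet. The resource group, NSG name, administration range and rule priorities are assumptions; the priorities assume the portal's default rules sit at 300 and above.

```powershell
# Added example; not part of the Identity Maestro guide.
# Tightens the network security group attached to the Marketplace VM's NIC.
# Resource group, NSG name and the administrator address range are assumptions.
Import-Module Az.Network

$ResourceGroup = "rg-identity-maestro"   # assumed
$NsgName       = "im-server-nsg"         # assumed; see the VM's network interface in the portal
$AdminCidr     = "203.0.113.0/24"        # assumed administration network (documentation range)

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

# 1. Any inbound Allow rule that reaches RDP (3389) is narrowed to the admin range.
$rdpRules = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '*')
}
foreach ($rule in $rdpRules) {
    Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name `
        -Description "RDP only from the administration network" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $rule.Priority `
        -SourceAddressPrefix $AdminCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null
}

# 2. Public access to the portal is https:// only (port 80 stays closed).
#    Priorities 100/110 assume the portal's default rules start at 300.
if (-not ($nsg.SecurityRules | Where-Object Name -eq 'Allow-HTTPS-Inbound')) {
    Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-HTTPS-Inbound' `
        -Description "Identity Maestro portal over TLS" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 443 | Out-Null
}

# 3. The Workflow Engine (4000) and Azure AD Remote Agent (4002) websites are
#    never reachable from the Internet, even if a broad Allow rule is added later.
if (-not ($nsg.SecurityRules | Where-Object Name -eq 'Deny-Agent-Sites-From-Internet')) {
    Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Deny-Agent-Sites-From-Internet' `
        -Description "Block Workflow Engine and Azure AD Remote Agent websites from the Internet" `
        -Access Deny -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange @('4000', '4002') | Out-Null
}

Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# Review: every remaining inbound Allow rule should have a narrow source prefix.
(Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup).SecurityRules |
    Where-Object Direction -eq 'Inbound' | Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

Traffic from desktops inside the VNet does not carry the Internet source tag, so the deny rule does not affect the VNet-only access that the Apply SSL Certificates section recommends for the agent websites.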
Prepare Connection Service Accounts
Each target system needs a service user account that will be used to provide privileged access to the target system. Prepare what is required for your environment.
Active Directory
Prepare an AD user account to use as a connection user service account for Identity
Maestro. This account will provide protected full administrative access to Active Directory.
□ Create a user in the “\Users” folder in the AD domain: Typical name could be
imconnect.
□ Add the account to the Domain Admins group.
□ (If required) Add the account to the Enterprise Admins and Exchange Organization Management groups (required for managing Exchange On-Premise).
□ Set the account password to never expire.
If corporate security policy requires scheduled password changes, ensure that you
schedule a task to manually reset the password before it expires in AD. There is a
procedure that needs to be followed to reset the password in the various connection
end-points in Identity Maestro.
□ Ensure that the account is not affected by GPOs that will modify password
expiration.
Azure AD / Office 365
Prepare an Office 365 user account to use as a connection user service account for Identity
Maestro.
□ Create an Office 365 user account (that is not synced by Azure AD Connect) called imconnect.
□ This account must be assigned the Global Administrator role in Office 365.
□ This account does not need to be licensed for any SKUs or service plans.
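Both checklists above can be completed from PowerShell. The following script is an added example, not part of the Identity Maestro guide: it creates the Active Directory service account with the group memberships and password settings listed, then creates the cloud-only Office 365 account and assigns it the Global Administrator role using the MSOnline tools the guide says are pre-installed on the VM. The domain name, tenant suffix and the Exchange switch are assumptions; the account name imconnect and the group names come from the checklists.

```powershell
# Added example; not part of the Identity Maestro guide.
# Creates the two connection service accounts described in the checklists
# above. Domain, tenant suffix and the Exchange switch are assumptions;
# "imconnect", the group memberships and "password never expires" come from
# the guide.
Import-Module ActiveDirectory
Import-Module MSOnline     # the guide notes the MSOnline support applications are pre-installed

$Domain       = "democotest.com"               # assumed AD domain
$TenantDomain = "democotest.onmicrosoft.com"   # assumed cloud-only UPN suffix (never synced)
$SamName      = "imconnect"
$ManageExchangeOnPrem = $false                 # $true only when on-premises Exchange is managed

# Prompt for the password so it never ends up in the script or the console history.
$adPassword = Read-Host -AsSecureString "Password for $SamName in AD"

# --- Active Directory connection account ---------------------------------------
$usersContainer = "CN=Users," + (Get-ADDomain $Domain).DistinguishedName
$adUser = New-ADUser -Name $SamName -SamAccountName $SamName `
    -UserPrincipalName "$SamName@$Domain" -Path $usersContainer `
    -AccountPassword $adPassword -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "Identity Maestro connection service account" -PassThru

Add-ADGroupMember -Identity "Domain Admins" -Members $adUser
if ($ManageExchangeOnPrem) {
    Add-ADGroupMember -Identity "Enterprise Admins" -Members $adUser
    Add-ADGroupMember -Identity "Organization Management" -Members $adUser
}

# Check the result the way the checklist reads: password never expires
# (and not overridden by policy) plus the expected group memberships.
Get-ADUser $SamName -Properties PasswordNeverExpires, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }

# --- Azure AD / Office 365 connection account ----------------------------------
# Cloud-only (not synced by Azure AD Connect), Global Administrator, no licence.
# MSOnline names the Global Administrator role "Company Administrator".
Connect-MsolService
$cloudUpn = "$SamName@$TenantDomain"
New-MsolUser -UserPrincipalName $cloudUpn -DisplayName "Identity Maestro Connection" `
    -Password (Read-Host "Password for $cloudUpn in Azure AD") `
    -ForceChangePassword $false -PasswordNeverExpires $true | Out-Null
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress $cloudUpn

# Verify: no LastDirSyncTime (cloud-only), unlicensed, and present in the role.
Get-MsolUser -UserPrincipalName $cloudUpn | Select-Object UserPrincipalName, LastDirSyncTime, IsLicensed
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId |
    Where-Object EmailAddress -eq $cloudUpn | Select-Object EmailAddress, RoleMemberType
```

Both accounts hold the highest privilege in their directories and authenticate with a password alone, so keep the passwords in a vault rather than in documentation, and treat the "password never expires" setting as the reason to schedule the manual rotation the Active Directory checklist describes.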
Run the Identity Maestro Installer
Follow these steps to install Identity Maestro.
1. In Windows Explorer navigate to the C:\Identity Maestro Get Started folder.
2. Right-click the IdentityMaestro-latest.exe application and choose to Run as
administrator.
3. In the User Account Control window, click Yes.
4. In the Welcome to the Install Shield Wizard for Identity Maestro window, click Next >.
5. In the License Agreement window, select the I accept the terms in the license option
and click Next >.
6. In the Custom Setup window, click Next >.
Note: Identity Maestro is configured to install to C:\Program Files (x86) into an \Omni parent
folder. This is fine for trial or evaluation scenarios. For production servers, it is recommended
that the install path be changed to a dedicated data volume instead of the system volume.
7. In the Logon Information window, provide the username and password that the installer will use to create a local user and add it to the local Administrators group. This username and password should match those of the AD connection service account.
8. In the Ready to Install the Program window, click Install.
9. In the InstallShield Wizard Complete window, select the Launch the configuration
wizard option and click Finish.
Apply SSL Certificates
It is highly recommended that you complete the following work to protect the Identity Maestro server. All of these actions are standard for IIS website management.
• In public DNS and the AD DNS server, configure A records for the following websites:
o Default website – e.g. manage.example.com
o Omni.WorkflowEngine website – e.g. workflowengine.example.com
o Azure AD Remote Agent website – e.g. azuread-ra.example.com
• Apply a public SSL certificate to the default website using host headers.
o Use URL redirection to enforce redirection from http:// to https:// (Optional)
o Configure public access to the Azure VM to use https:// only. Refer to Azure
documentation for steps.
• Apply a certificate issued by the Enterprise (AD) Certificate Authority to the Omni.WorkflowEngine and Azure AD Remote Agent websites using host headers.
o Restrict access to users of AD groups that you approve to have access to those websites.
o Use URL redirection to enforce redirection from http:// to https:// (Optional)
o Restrict access to these websites to desktops in the same Azure VNet as the Identity Maestro server; administrators reach those desktops over RDP.
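The bindings and restrictions above can be applied with the WebAdministration module. The script below is an added example and not part of the Identity Maestro guide: it creates SNI host-header bindings, attaches the public certificate to the default website and the enterprise CA certificate to the two agent websites, requires SSL on all three, and limits the agent websites to the VNet and to an approved AD group. The certificate thumbprints, host names, VNet range, AD group and the site name "AzureADRemoteAgent" are assumptions (only "Default Web Site" and "Omni.WorkflowEngine" are named in the guide); the "IP and Domain Restrictions" and "URL Authorization" IIS role services must be installed for the last two sections to take effect.

```powershell
# Added example; not part of the Identity Maestro guide.
# Binds certificates with host headers and restricts the two agent websites.
# Thumbprints, host names, the VNet range, the AD group and the site name
# "AzureADRemoteAgent" are assumptions; "Default Web Site" and
# "Omni.WorkflowEngine" are named in the guide. Check site names in IIS Manager.
Import-Module WebAdministration

$publicThumb = "<thumbprint of the public CA certificate>"      # placeholder
$adThumb     = "<thumbprint of the enterprise CA certificate>"  # placeholder
$vnetAddress = "10.0.0.0"                                       # assumed VNet range
$vnetMask    = "255.255.0.0"
$agentGroup  = "DEMOCOTEST\IM Agent Operators"                  # assumed approved AD group

$sites = @(
    @{ Name = "Default Web Site";    Host = "manage.example.com";         Thumb = $publicThumb; Internal = $false },
    @{ Name = "Omni.WorkflowEngine"; Host = "workflowengine.example.com"; Thumb = $adThumb;     Internal = $true  },
    @{ Name = "AzureADRemoteAgent";  Host = "azuread-ra.example.com";     Thumb = $adThumb;     Internal = $true  }
)

foreach ($s in $sites) {
    $loc = $s.Name

    # HTTPS binding with a host header. SslFlags 1 = SNI, so all three host
    # names can share port 443 on the same address.
    if (-not (Get-WebBinding -Name $s.Name -Protocol https -HostHeader $s.Host)) {
        New-WebBinding -Name $s.Name -Protocol https -Port 443 -HostHeader $s.Host -SslFlags 1
    }
    $sslPath = "IIS:\SslBindings\!443!$($s.Host)"
    if (-not (Test-Path $sslPath)) {
        New-Item -Path $sslPath -Value (Get-Item "Cert:\LocalMachine\My\$($s.Thumb)") -SslFlags 1 | Out-Null
    }

    # Require SSL: plain-http requests get 403.4 instead of being served.
    # These sections are locked at server level, so they are written as
    # <location> entries in applicationHost.config rather than into web.config.
    Set-WebConfigurationProperty -PSPath "IIS:\" -Location $loc `
        -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl"

    if (-not $s.Internal) { continue }

    # IP and Domain Restrictions: only the VNet and the server itself may reach
    # the agent sites, as the guide recommends.
    $ipFilter = "system.webServer/security/ipSecurity"
    Set-WebConfigurationProperty -PSPath "IIS:\" -Location $loc -Filter $ipFilter -Name allowUnlisted -Value $false
    $allowed = Get-WebConfigurationProperty -PSPath "IIS:\" -Location $loc -Filter $ipFilter -Name Collection
    foreach ($entry in @(@{ ipAddress = $vnetAddress; subnetMask = $vnetMask },
                         @{ ipAddress = "127.0.0.1";  subnetMask = "255.255.255.255" })) {
        if (-not ($allowed | Where-Object { $_.ipAddress -eq $entry.ipAddress })) {
            Add-WebConfigurationProperty -PSPath "IIS:\" -Location $loc -Filter $ipFilter -Name "." `
                -Value @{ ipAddress = $entry.ipAddress; subnetMask = $entry.subnetMask; allowed = $true }
        }
    }

    # Windows authentication plus URL Authorization: drop the inherited
    # "all users" rule and allow only the approved AD group.
    Set-WebConfigurationProperty -PSPath "IIS:\" -Location $loc `
        -Filter "system.webServer/security/authentication/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath "IIS:\" -Location $loc `
        -Filter "system.webServer/security/authentication/windowsAuthentication" -Name enabled -Value $true
    $authFilter = "system.webServer/security/authorization"
    Remove-WebConfigurationProperty -PSPath "IIS:\" -Location $loc -Filter $authFilter -Name "." `
        -AtElement @{ users = "*"; roles = ""; verbs = "" } -ErrorAction SilentlyContinue
    if (-not (Get-WebConfigurationProperty -PSPath "IIS:\" -Location $loc -Filter $authFilter -Name Collection |
              Where-Object { $_.roles -eq $agentGroup })) {
        Add-WebConfigurationProperty -PSPath "IIS:\" -Location $loc -Filter $authFilter -Name "." `
            -Value @{ accessType = "Allow"; roles = $agentGroup }
    }
}

# Review: each host should show an https binding and the intended thumbprint.
Get-ChildItem IIS:\SslBindings | Select-Object Host, Port, Thumbprint
Get-WebBinding | Select-Object protocol, bindingInformation
```

After running it, repeat the Update Remote Agent and Test AAD Connection steps in the Connection Utility with the https host names, so you confirm that the Identity Maestro portal itself can still reach both agent websites through the new authentication and address restrictions before any end user depends on them.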
Create and Test Identity Maestro Connections
Use this procedure to create and test the Active Directory and Microsoft Online connections:
Create and Test the Active Directory Connection
1. In the Identity Maestro Connection Utility click the Microsoft Active Directory button.
2. In the Welcome window, click Next >.
3. In the Target Information window, provide the IP address for the Active Directory domain
controller, ensure that the port value is 636 and that the Enable SSL option is checked, and
click Next >.
4. In the Connection Details window, provide the user principal name (UPN) and password of the Active Directory connection service account, and click Next >.
5. In the Conflict Hostname Detected window, click Yes.
6. In the Detected Available Services window, click Next >.
7. In the Wizard Complete window, click Finish.
8. In the Connection Utility, double-click the Active Directory domain connection object.
9. In the Connection Edit window, select the Connection Targets tab, select the ldap
connection and click the Test the connection target link.
10. In the Connection Successful window, click OK.
11. Select the Home Directories tab. Add the IP address of the home folder server and click the Add link.
12. Click the record in the Configured servers list and click the Test link. If an error window is
displayed indicating that the error is Unable to connect to the remote server, click OK.
This error indicates that the 32-bit ServiceControl Connection Agent is not running.
13. Open the Windows Services applet, locate the ServiceControl Connection Agent
services and start both services. Close or minimize the Windows Services applet window.
14. Click the record in the Configured servers list and click the Test link. In the Connection
successful window, click OK.
15. Click Save >> to close the Connection Edit window.
Notes about Active Directory Connections
1. Identity Maestro connections for Active Directory must use secure LDAP (port 636).
2. Identity Maestro can support connecting to multiple Active Directory domains.
3. If connecting to an Active Directory domain controller hosted in an on-premise data center, use a persistent Azure site-to-site VPN to secure the connection between the Azure VNet and the on-premise data center.
Create and Test Microsoft Online Connections
1. In the Connection Utility, click the Microsoft Online button to start the connection wizard.
2. In the Welcome window, click Next >.
3. In the Provide Azure AD Domain Name window, provide the email domain name for the
connection, the username (with a matching domain name) of the connection service
account and the password and click Next >.
4. In the Choose Local Domain Controller window, select the AD domain and click Next >.
5. In the Configuration Results window, click Finish.
6. In the Connection Utility, double-click the Microsoft Online connection object.
7. In the Microsoft Online connection window, select the Remote Agent tab.
8. Click the 1. Update Remote Agent button.
If an SSL certificate has been applied to the Azure AD Remote Agent website, use the DNS host name and port 443, e.g. azuread-ra.example.com port 443, and select the https option.
9. If the Agent Status reports that the update has succeeded, click the 2. Test AAD Connection button.
10. If the Agent Status reports Connection successful, click the 3. Update Agent in WE button.
11. Click Save >> to close the connection window.
Notes about Microsoft Online Connections
1. Each Azure AD / Office 365 connection must be related to an Active Directory connection. Identity Maestro cannot connect to and manage Azure AD as a primary directory.
2. If an Azure AD / Office 365 subscription supports multiple email domain names, you need to create a
connection service account for each domain name, and you must create an Identity
Maestro connection for each domain name. For example, if you have some users with
@example.com email domains and some users with @sample.com email domain names,
create a connection service account for each, e.g. [email protected] and
[email protected], and create a connection for each email domain name.
3. Identity Maestro will only manage users in Azure AD / Office 365 based on email domain
names.
4. Identity Maestro can connect to multiple Azure AD / Office 365 subscription instances.
Identity Maestro connections must be created for each domain name served by
each subscription.
5. Azure license profiles must be created for each connection.
Precompile the Identity Maestro Websites
To improve performance, all the Default Web Site files can be pre-compiled and stored in the IIS cache. Pre-compiling all website files means that the user should not experience delays of more than 2 seconds for any page view.
Refer to How to Precompile Identity Maestro Websites Immediately After Installation for the steps to perform this procedure.
Run the Setup Wizard
The next step is to access the Identity Maestro server website and run the Setup Wizard.
1. Open a web browser to http://localhost. Note that Identity Maestro works best with Firefox
and Chrome web browsers which come pre-installed in the Azure Marketplace VM.
2. At the login screen, provide the username and password that you provided during the
installation.
3. At the Welcome to Identity Maestro screen, click START.
4. At the Step 1 – Choose the Primary System screen, click Next >.
5. At the Step 2 – Select a System or Container screen, click the browse icon to the right of
the Container field.
6. In the Identity Maestro Directory Browser window, select the domain name and click OK.
7. In the Step 2 – Select a System or Container screen, ensure that the domain name is
visible in the Container field and click Next >.
8. At the Step 3 – Summary screen, click Next >.
9. At the Step 4 – Confirmation window, make note of the usernames and passwords that
Identity Maestro created. You will need those for access as the IM test user accounts.
10. At the Step 5 – Setup Complete screen, click Finish.
11. Identity Maestro will become visible in the browser window and display a licenses expired
warning. Click the ADMINISTRATION menu option.
12. Click the OPTIONS drop-down menu button (top right) and select Delegated
Administration.
13. In the Administration Panel Access screen, click the Add button.
14. In the Add Group window, click the browse icon to the right of the Group or Container
field.
15. In the Identity Maestro Directory Browser window, navigate to the Identity Maestro container, select the IM Admins Role group, and click OK.
16. In the Add Group window, ensure that the IM Admins Role group is displayed in the Group or Container field, and click Accept.
17. In the Administration Panel Access window, ensure that the IM Admins Role is visible in the group list box.
18. Click the OPTIONS drop-down menu button and click Apply Settings. This will save and
apply the IM Admins Role group as the Delegated Administrators for this Identity Maestro
server.
19. Click the OPTIONS drop-down menu button and click Licenses.
20. In the Licensing panel, select the Request License tab. Complete the form and click
Submit.
21. Identity Maestro will submit a license request to the online license service. Licenses are approved Monday to Friday, between 9 am and 4:30 pm (Mountain US & Canada). It can take one working day for a license request to be approved.
22. Once a license request is approved, you will receive an email with a .license file attached.
Save a copy of the license file to the local C: drive of the Identity Maestro server.
23. Login to the Identity Maestro server (if required).
24. In the Licensing panel, select the Upload License tab.
25. Click the Select button. Navigate to the location where a copy of the license file is
available, select the file and click Open.
26. Ensure that the license file name is visible in the Please select licence file field, and click
Upload.
27. Click the OPTIONS drop-down menu button and click Apply Settings. This will save and
apply the license to the Identity Maestro server. The Details page will be automatically
displayed.
28. Click the OPTIONS drop-down menu button and click Logout.
Create Azure License Profiles
Identity Maestro includes an MMC plug-in used to build an Azure License Profile Manager utility. This procedure activates the plug-in, builds the MMC console and creates two license profiles.
Activate the MMC Plug-in
1. Use Windows Explorer to navigate to [install path]\Omni\IdentityMaestro\WorkflowEngine\RemoteAgents\Omni.RA.Microsoft.AzureAD.Agent\MMC
2. Right-click the Omni.RA.Microsoft.AzureAD.MMC.exe file and select Run as
administrator.
3. In the User Account Control window, click Yes.
4. In the Install / Uninstall MMC Snap-in application, click Install.
5. Confirm that Is Snap-in installed is checked, and Close the application.
Create the MMC Utility
1. Launch MMC using Run as administrator.
2. In the MMC Console1 window, select File > Add/Remove Snap-in.
3. Select the Remote Agent for Azure Active Directory from the Available snap-ins list
and click the Add button.
4. In the Connect to Remote Agent window, click the Test Connection to Remote Agent
button. You do not have to provide any login credentials as the connection uses a security
token.
5. Confirm that the connection test confirms that the connection is working, and click OK.
6. Confirm that the Remote Agent for Azure AD is in the Selected snap-ins list, and click
OK.
7. In the MMC Console1 window, select File > Save as and save this console to the Desktop
as Azure License Profile Manager.
Create License Profiles
1. In the MMC Console1 window, you will see a navigation pane (left), a details pane (center) and an Actions pane (right). Right-click the Remote Agent for Azure AD node to expand the navigation.
2. Expand the Remote Agent connection and refresh the AD domain node(s).
3. Expand the AD domain connection and refresh the Licensing node.
4. Click the Licensing node and click the Create New Licensing Profile in the Actions pane.
5. In the Create New Licensing Profile window, provide a profile name (must be lower
case) and click Create Profile and Close.
6. Use the same steps to create a second profile (optional). In our examples, we create a staff profile and a contractors profile, each configured with different applications (service plans).
7. In the Details pane, there is a grid that displays each application included in the total of all
the license SKUs combined together. Click the first application (Azure documentation
refers to these as service plans). Each SKU has a dedicated tab that is used and the current
license count information is displayed in the top left.
Each license profile has a dedicated column. To disable an application, remove the
checkmark for the application in the column of the license profile.
If all the applications of a license SKU are disabled (unchecked), Identity Maestro will not
assign a license count for that SKU when assigning license SKUs and applications to Azure
AD users assigned to that license profile.
8. Once all the license profiles are configured with enabled applications, ensure that you
select the Update All Profiles option in the Actions panel.
9. Select File > Save as to ensure that all changes have been saved to the MMC console.
10. IMPORTANT: Reset the IIS server to ensure that the license profiles are loaded into the
Remote Agent server and the Identity Maestro server.
Reset Passwords for the Identity Maestro Role Users
Let's take a quick look at the users and groups that Identity Maestro created in the Active Directory domain.
1. Log in as imadmin with the password Demo!2345678.
2. The Operator Panel will display the default menu and the Manage module page. In the
Manage module, you can search for objects or browse the Directory for objects. If you add
ima to the Object Name field and click Search, Identity Maestro will search for and display
all users, groups and contacts that contain the character string ima in the object name.
3. Select the Browse tab. Expand the domain name and the Identity Maestro container.
Click on the Identity Maestro container. Users, contacts and groups in that container will
be displayed.
Notice that you cannot see any other AD containers. Identity Maestro installs in a sandbox
mode with pre-configured Identity Maestro Roles, with corresponding access controls limited
to the Identity Maestro container only. This permits administrators to learn what Identity
Maestro can do before enabling access to other containers in the AD domain.
4. If you click the Username column header, it will sort the list by username and in this
instance list all the users together in alphabetical order by username. You can right click
the imadmin user and select Reset Password to reset the user password to a different
value.
5. You can also bulk reset the password for multiple users. In this case if you use Shift +
Click to select all the im users except imadmin, then right-click the list and select Reset
Password to reset the user password for all those users to a new common password.
6. Choose Specify password, type in a value and click Reset.
7. Identity Maestro will confirm the password changes. You can even export a list of
usernames and passwords (optional). Click Close.
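The role users ship with a password that is printed in this guide, so they should not keep it or share a single new value. The following script is an added example, not part of the Identity Maestro guide, that does the same reset directly in Active Directory but gives every role user (imadmin included) its own random password and writes the list out in the way the portal's optional export does. The container distinguished name and the "im" name prefix are assumptions based on the sandbox described above; confirm them on the Browse tab first.

```powershell
# Added example; not part of the Identity Maestro guide.
# Replaces the documented default password of every Identity Maestro role user
# with a unique random value, directly in Active Directory. The container DN and
# the "im" name prefix are assumptions based on the sandbox the guide describes.
Import-Module ActiveDirectory

$Container = "OU=Identity Maestro,DC=democotest,DC=com"          # assumed; confirm on the Browse tab
$Export    = "C:\Identity Maestro Get Started\im-role-users.csv"  # where the new passwords are written

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous characters (0/O, 1/l/I) are left out; bytes that would bias the
    # modulo are rejected so every symbol is equally likely.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $chars    = New-Object System.Collections.Generic.List[char]
    $b        = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { $chars.Add($alphabet[$b[0] % $alphabet.Length]) }
    }
    return -join $chars
}

$users = Get-ADUser -SearchBase $Container -SearchScope OneLevel -Filter 'SamAccountName -like "im*"'

$results = foreach ($u in $users) {
    $plain = New-RandomPassword
    Set-ADAccountPassword -Identity $u -Reset -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    # These are test logons, not service accounts: normal password expiry applies.
    Set-ADUser -Identity $u -PasswordNeverExpires $false
    [pscustomobject]@{ SamAccountName = $u.SamAccountName; NewPassword = $plain }
}

# Equivalent of the portal's optional export (step 7); restrict or delete the
# file once the passwords have been handed over.
$results | Export-Csv -Path $Export -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once from the Identity Maestro server with the AD connection account (or any account allowed to reset passwords in that container), then log in to the portal as imadmin with the new value to confirm the change took effect.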
Configure Office 365 Custom Tasks
There is some configuration work that needs to be done in various Manage custom tasks to ensure that the O365 custom tasks use the Office 365 email domain.
1. Select ADMINISTRATION in the main menu.
2. Identity Maestro will display Step 2 in the Manage module by default. This displays the
four IM Roles that are configured.
3. We need to set the email domain name and license profile in some of the O365 custom
tasks. Click Step 5: Configure Custom Tasks.
4. Select the O365 Apply License Profile task, select the Form Fields tab, and select the
O365 License Profile field.
5. In the Details pane, add Staff Profile to the Display Text field and staff to the Value field.
Click the Add button to add this option to the Values list.
6. Add Contractors Profile to the Display text field and contractors to the Value field, and
click Add to add this to the Values list.
7. Select the Profile Name | profile selection in the Values list and click the X button to
remove it from the Values list.
8. Confirm that only staff and contractors are in the Values list and Save this change.
Note: In Identity Maestro, you must Save your changes before changing focus to a different
field or moving to a different form or page view, otherwise all your work will be lost. The
Save option writes the changes to the applicable .config files. OPTIONS > Apply Settings
will load the modified .config files into IIS server cache and apply them to the Identity
Maestro websites without requiring an IISRESET.
9. Select the O365 Usage Location field. This field is used to assign a location value to the
Office 365 user when applying a license profile. This field uses a plain text label to
represent the country, e.g. Canada and the ISO country abbreviation, e.g. CA. If you want
to add a new location, type in the Country Name in the Display text field and the ISO
country abbreviation to the Values field, and click Add to add the selection to the Values
list.
If you add one or more countries to this list, click Save.
10. Choose OPTIONS > Apply Settings to apply all changes to the O365 Apply License Profile task.
11. Select the O365 Provision User custom task and select the Form Fields tab.
12. Repeat steps 4 to 10 to set corresponding values for the same O365 License Profile and O365 Usage Location fields.
13. Expand the O365 User Contact Info section and select the O365 Email Autocomplete
field. Click the edit icon beside the Pattern option field.
14. In the Autocomplete Pattern Builder window, add the email domain name for your Office
365 email subscription (e.g. @democotest.com) and click Add segment.
15. In the Pattern segments section, select the Separator ‘@emaildomainname’ segment that you just created. Click the Move Up button until the segment is above the Separator ‘@example.com’ segment.
16. Select the Separator ‘@example.com’ segment and click the Remove button.
17. Confirm that the Separator ‘@example.com’ segment is not visible in the Pattern segments list and click Save.
18. Confirm that the configured domain name is now visible in the pattern.
19. Select OPTIONS > Apply Settings to save the changes and activate them in the Identity
Maestro website.
Check and Configure Tasks Assignments
Each task assignment needs a search context (scope) and mail store settings that match your target system. Check each assignment before users start working with the O365 tasks.
1. In the MANAGE module, select Step 2: Assign Groups to Tasks.
2. Select the Identity Maestro\IM Admins Role assignment.
3. Confirm that the Search Contexts tab is selected and that the scope is properly defined.
This is how you confirm the scope (search context):
System ID specifies the name of the target system. In this example it is an AD domain
called democotest.com.
Path defines the top level OU container that starts the search scope. In this example, users
assigned to this task assignment can search objects in the Identity Maestro container.
The Binoculars column displays an org chart icon when search is permitted in this OU container
and all of its child OU containers.
The X column marks a search context as an excluded OU container. Use it to exclude a child
container of the parent OU container from search.
The Folder with magnifying glass column indicates that the Browse feature is enabled for this
search context.
The Pencil icon is used to edit this search context.
The Trash can icon is used to delete the search context.
A minimum of one search context must be defined for a task assignment, otherwise it will not
work. Keep the Path as narrow as the delegated task requires: everything under it, minus any
excluded containers, becomes searchable by the assignment's Group Members.
4. Select the Mail Stores tab.
5. Check the check boxes in the Enabled column for the mail stores this assignment should
manage. This is required to permit management of mailbox servers, including Office 365
mailboxes, that are related to the defined target system.
Checking Deny applies an explicit deny that overrides every Enabled selection in any task
assignment assigned to the users in the Group Members of this assignment. Use Deny sparingly:
it is difficult to troubleshoot because the Deny that blocks a user can come from a different
task assignment than the one you are looking at.
6. Select the Group Members tab to confirm which users will be assigned to this task
assignment.
7. Save your changes to the Mail Stores.
8. Repeat steps 3 to 7 for the rest of the task assignments.
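The following PowerShell is an added example and is not part of Identity Maestro. It models the two checks made above, the Search Contexts scope (steps 3 and 4) and the Mail Stores Enabled/Deny resolution (step 5), so that you can reason about what a task assignment actually grants before saving it. The DNs, group names, assignment names and mail store labels are constructed for illustration; the scope semantics (Path plus all child OUs, minus excluded containers; any Deny overrides every Enabled) are the ones the guide describes. The same DN containment check is also useful in the hybrid scenario later in this guide, to confirm that the OU a create form targets lies under an OU that ADCONNECT synchronizes.

```powershell
# Added example, not Identity Maestro code: evaluate what a user can reach
# through the task assignments whose groups contain that user.

function ConvertTo-DnComponents {
    # Split a DN on unescaped commas into lower-cased RDN components.
    param([Parameter(Mandatory)][string]$Dn)
    return @([regex]::Split($Dn, '(?<!\\),') | ForEach-Object { $_.Trim().ToLowerInvariant() })
}

function Test-DnUnder {
    # True when $Dn equals $Base or lies below it. The comparison is component-wise,
    # so 'OU=Identity Maestro Archive,...' is NOT under 'OU=Identity Maestro,...'.
    param([Parameter(Mandatory)][string]$Dn, [Parameter(Mandatory)][string]$Base)
    $d = @(ConvertTo-DnComponents $Dn); $b = @(ConvertTo-DnComponents $Base)
    if ($b.Count -gt $d.Count) { return $false }
    for ($i = 1; $i -le $b.Count; $i++) {
        if ($d[$d.Count - $i] -ne $b[$b.Count - $i]) { return $false }
    }
    return $true
}

function Test-InSearchContext {
    # In scope when under Path (binoculars: subtree) and under no excluded (X) container.
    param([Parameter(Mandatory)][string]$Dn, [Parameter(Mandatory)][string]$Path, [string[]]$Excluded = @())
    if (-not (Test-DnUnder -Dn $Dn -Base $Path)) { return $false }
    foreach ($ex in $Excluded) { if (Test-DnUnder -Dn $Dn -Base $ex) { return $false } }
    return $true
}

function Resolve-MailStoreAccess {
    # Effective mail store access for $User across every assignment whose group contains
    # the user, naming the assignment(s) a Deny or Enabled comes from.
    param([Parameter(Mandatory)][string]$User,
          [Parameter(Mandatory)][hashtable]$GroupMembers,   # group -> list of users
          [Parameter(Mandatory)][object[]]$Assignments)
    $groups   = @($GroupMembers.Keys | Where-Object { $GroupMembers[$_] -contains $User })
    $relevant = @($Assignments | Where-Object { $groups -contains $_.Group })
    $stores   = @($relevant | ForEach-Object { $_.MailStores.Keys } | Sort-Object -Unique)
    foreach ($store in $stores) {
        $deny    = @($relevant | Where-Object { $_.MailStores[$store] -eq 'Deny' }    | ForEach-Object Name)
        $enabled = @($relevant | Where-Object { $_.MailStores[$store] -eq 'Enabled' } | ForEach-Object Name)
        $effective = if ($deny.Count) { 'Deny' } elseif ($enabled.Count) { 'Enabled' } else { 'None' }
        [pscustomobject]@{
            User = $User; MailStore = $store; Effective = $effective
            DenyFrom = ($deny -join ', '); EnabledFrom = ($enabled -join ', ')
        }
    }
}

# Constructed sample configuration (not exported from a real installation).
$groupMembers = @{ 'DEMOCOTEST\IM Admins' = @('alice', 'bob'); 'DEMOCOTEST\Helpdesk' = @('bob', 'carol') }
$assignments  = @(
    [pscustomobject]@{ Name = 'Identity Maestro\IM Admins'; Group = 'DEMOCOTEST\IM Admins'
        Path = 'OU=Identity Maestro,DC=democotest,DC=com'; Excluded = @()
        MailStores = @{ 'democotest.com (Office 365)' = 'Enabled'; 'EX01' = 'Enabled' } }
    [pscustomobject]@{ Name = 'Identity Maestro\Helpdesk'; Group = 'DEMOCOTEST\Helpdesk'
        Path = 'OU=Identity Maestro,DC=democotest,DC=com'
        Excluded = @('OU=Service Accounts,OU=Identity Maestro,DC=democotest,DC=com')
        MailStores = @{ 'democotest.com (Office 365)' = 'Deny' } }
)

# Scope check against the Helpdesk assignment: in scope, excluded child OU, sibling OU.
$helpdesk = $assignments[1]
foreach ($dn in 'CN=Jane Doe,OU=Sales,OU=Identity Maestro,DC=democotest,DC=com',
                'CN=svc-sync,OU=Service Accounts,OU=Identity Maestro,DC=democotest,DC=com',
                'CN=Bob Roe,OU=Identity Maestro Archive,DC=democotest,DC=com') {
    '{0,-5} {1}' -f (Test-InSearchContext -Dn $dn -Path $helpdesk.Path -Excluded $helpdesk.Excluded), $dn
}

# bob is in both groups: the Office 365 store resolves to Deny, sourced from the Helpdesk assignment.
Resolve-MailStoreAccess -User 'bob' -GroupMembers $groupMembers -Assignments $assignments | Format-Table -AutoSize
```

The DN comparison works on whole RDN components rather than on string suffixes; a plain suffix test would place a sibling such as OU=Identity Maestro Archive inside the Identity Maestro scope. The DenyFrom column is what makes a Deny troubleshootable: it names the assignment that introduced it, which is not necessarily the one you are editing.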
Configure Office 365 Create User Forms
The Setup Wizard installed a set of create form templates, all labelled with (Template) in the
form name. It also created a set of create forms for the Sample OU that is part of the
“sandbox” setup, and added create profiles that use the Sample create forms.
Create forms are the forms that collect the information used to create a new user, group or
contact object. You normally add create forms to cover the differences between types of users.
A create profile relates a create form to a create workflow. Users are assigned to a create
profile, which enables the create module for those users and displays the create form for them
to use. You normally build create profiles to create users in different OU containers or to add
them to different groups during the create process.
There is some work that needs to be done in the Office 365 user create form(s) to ensure that
Identity Maestro configuration will match your Office 365 email domain.
Modify the User Create Forms for Hybrid Environments
Use this procedure if your AD domain IS being synced with your Office 365 subscription using
Azure AD Connect (referred to in this guide as ADCONNECT). Use this procedure for the AD and
Hybrid O365 User (Template) form and the Sample AD and O365 User (Hybrid) form.
In this scenario, ADCONNECT automatically creates the user in Azure AD and copies the user
contact information from the on-premise AD to Azure AD. All Identity Maestro has to do is
create the user in a domain container that is in scope for the ADCONNECT service; the user
appears in Azure AD only after the next ADCONNECT synchronization cycle. Once the user exists
in Azure AD, administrators can use the MANAGE > O365 Apply License Profile task to license
the user in Office 365.
1. In the ADMINISTRATION panel, select the CREATE menu option.
2. In Step 1 – Configure Create Forms select the AD and Hybrid O365 User (Template) or
the Sample AD and O365 User (Hybrid) create form.
This create form is designed to support environments where ADCONNECT is being used to sync
data between the on-premise AD domain and the Office 365 subscription. The form needs to
provide sufficient details so that the new user will be properly synced by ADCONNECT.
3. Select the Email Address field.
Notice that the Pattern uses @example.com as the domain name. This needs to be changed to use
the actual email domain name.
4. Click the edit icon next to the Pattern field.
5. In the Autocomplete Pattern Builder window, add your email domain (e.g.
@democotest.com) to the Separator field and click Add Segment.
6. In the Pattern segments list, select your email domain (e.g. Separator
‘@democotest.com’) and click the Move button until the entry is immediately above the
Separator ‘@example.com’ entry.
7. Select the Separator ‘@example.com’ entry and click the Remove button.
8. Click Save to save the settings and close the pattern builder window.
9. Confirm that the Pattern now displays your email domain.
10. Click Save to save the changes.
11. Select OPTIONS > Apply Settings to apply the changes to the create profile and form.
Modify the User Create Forms for Disconnected Environments
Use this procedure if your AD domain IS NOT being synced with your Office 365 subscription
using ADCONNECT. We refer to this as a Disconnected Scenario. Use this procedure for the AD
and O365 User (Template) form and the Sample AD and O365 User form.
In this scenario, Identity Maestro runs a workflow that creates an Azure AD user that is a copy
of the AD user being created. The create form includes form fields that copy field values from
the new on-premise AD user into the fields used to create the corresponding Azure AD user. In
addition, this form defines the Azure license profile and the Azure Usage Location values.
1. In the ADMINISTRATION panel, select the CREATE menu option.
2. Select Step 1 – Configure Create Forms.
3. Select the AD and O365 User (Template) form or the Sample AD and O365 User form.
4. In the Fields column, expand the Personal Information section and select the Office 365
Email field.
Notice that the Pattern uses @example.com as the domain name. This needs to be changed to use
the actual email domain name.
5. Click the edit icon next to the Pattern field.
6. In the Autocomplete Pattern Builder window, add your email domain (e.g.
@democotest.com) to the Separator field and click Add Segment.
7. In the Pattern segments list, select your email domain
(e.g. Separator ‘@democotest.com’) and click the Move button until the entry is
immediately above the Separator ‘@example.com’ entry.
8. Select the Separator ‘@example.com’ entry and click the Remove button.
9. Click Save to save the settings and close the pattern builder window.
10. Confirm that the Pattern now displays your email domain.
11. Click Save to save the changes.
Now we need to set the Office 365 license options to match the license profiles you built previously,
and to set the correct list of countries for the Usage Location field.
12. Expand the Office 365 License section and select the License Profile field.
13. Add values for the Display text and Value fields for each license profile (e.g. Display text:
Staff Profile and Value: staff).
The Display text is what will display in the drop-down for this field, while the Value is the
actual name of the license profile that was defined in the Azure License Profile Manager (see
Create License Profiles). The Value must be all lower case letters and must match the profile
name exactly.
14. Once all of the license profiles have been added, select the template placeholder entry
profilename | Profile Name from MMC and click the X button to remove it from the list.
15. Click Save to save the changes.
16. Select the Usage Location field. This field contains values for Canada and the United States.
The Display Text is the value that will be displayed in the drop-down, while the Value must
be the two-letter ISO 3166-1 alpha-2 country code, which is what Azure AD requires for a
usage location.
17. (Optional) To add an additional country, add a valid country and code (e.g. United
Kingdom | GB). Note that UK is not an ISO 3166-1 alpha-2 code and Azure AD will not accept
it; the code for the United Kingdom is GB.
18. Click Save to save the changes.
19. Select OPTIONS > Apply Settings to apply the changes to the create profile and form.
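The following PowerShell is an added example and is not part of Identity Maestro. It checks the three create form settings edited in this section before you save them: the email pattern domain (steps 4 to 10 here and in the hybrid procedure, and the O365 Email Autocomplete pattern earlier), the License Profile values (steps 13 and 14, and step 9 of the O365 task configuration), and the Usage Location values (steps 16 and 17). The verified domain list, the License Profile Manager names and all sample values are constructed assumptions; in a real tenant the verified domains and profile names come from your own Office 365 tenant and License Profile Manager. The ISO 3166-1 alpha-2 table is taken from the .NET region data available in Windows PowerShell on the VM, so the check runs offline.

```powershell
# Added example, not Identity Maestro code: validate create form settings
# (email pattern domain, License Profile values, Usage Location values) before saving.

function Get-IsoAlpha2Codes {
    # ISO 3166-1 alpha-2 codes known to .NET, derived from its specific cultures.
    # Region-less or numeric regions (e.g. 001 "World") are filtered out.
    $codes = foreach ($c in [System.Globalization.CultureInfo]::GetCultures('SpecificCultures')) {
        try { ([System.Globalization.RegionInfo]$c.Name).TwoLetterISORegionName } catch { }
    }
    return @($codes | Where-Object { $_ -cmatch '^[A-Z]{2}$' } | Sort-Object -Unique)
}

function Test-CreateFormSettings {
    param(
        [Parameter(Mandatory)][string]$EmailDomain,         # pattern segment, e.g. '@democotest.com'
        [Parameter(Mandatory)][string[]]$VerifiedDomains,   # domains verified in the tenant (assumed input)
        [Parameter(Mandatory)][hashtable]$LicenseProfiles,  # Display text -> Value
        [Parameter(Mandatory)][string[]]$KnownProfiles,     # names defined in the License Profile Manager (assumed input)
        [Parameter(Mandatory)][hashtable]$UsageLocations    # Display text -> Value
    )
    $findings = @()
    $iso = Get-IsoAlpha2Codes

    # Email pattern: the template placeholder must be gone and the domain must be verified.
    if ($EmailDomain -eq '@example.com') {
        $findings += 'Email pattern still uses the @example.com placeholder.'
    }
    $bare = $EmailDomain.TrimStart('@')
    if ($VerifiedDomains -notcontains $bare) {
        $findings += "Email domain '$bare' is not a verified domain in the tenant."
    }

    # License Profile values: no template placeholder, all lower case, and actually defined.
    foreach ($display in $LicenseProfiles.Keys) {
        $value = [string]$LicenseProfiles[$display]
        if ($value -eq 'profilename') {
            $findings += "License profile '$display' is the template placeholder; remove it."
            continue
        }
        if ($value -cne $value.ToLowerInvariant()) {
            $findings += "License profile '$display': value '$value' must be all lower case."
        }
        if ($KnownProfiles -cnotcontains $value) {
            $findings += "License profile '$display': no profile named '$value' is defined."
        }
    }

    # Usage Location values: must be ISO 3166-1 alpha-2 (Azure AD rejects e.g. 'UK'; use 'GB').
    foreach ($display in $UsageLocations.Keys) {
        $value = [string]$UsageLocations[$display]
        if ($iso -cnotcontains $value) {
            $findings += "Usage location '$display': '$value' is not an ISO 3166-1 alpha-2 code."
        }
    }
    return $findings
}

# Constructed sample input: 'Staff Profile | staff' follows the guide; 'Exec' breaks the
# lower case rule; 'profilename' is the template placeholder; 'United Kingdom | UK' is the
# common usage location mistake (the ISO code is GB).
$findings = Test-CreateFormSettings `
    -EmailDomain '@democotest.com' `
    -VerifiedDomains @('democotest.com', 'democotest.onmicrosoft.com') `
    -LicenseProfiles @{ 'Staff Profile' = 'staff'; 'Executive Profile' = 'Exec'; 'Profile Name from MMC' = 'profilename' } `
    -KnownProfiles @('staff', 'exec') `
    -UsageLocations @{ 'Canada' = 'CA'; 'United States' = 'US'; 'United Kingdom' = 'UK' }
if ($findings) { $findings } else { 'Create form settings look consistent.' }
```

Run it in Windows PowerShell on the Identity Maestro VM with the values you intend to enter; the profile and domain comparisons are deliberately case-sensitive for license profile names, because the Value must match the profile name defined in the License Profile Manager exactly, and case-insensitive for DNS domain names.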
This completes all the required changes. Feel free to examine all the create forms and create
profiles and make any adjustments to match your environment.
Proprietary and Confidential Information of Amdocs
Identity Maestro has offices, development and support centers
worldwide, including sites in:
Headquarters
103, 10301 – 109 Street
Edmonton, Alberta T5J 1N4
Canada
Email: [email protected]
Twitter: @IdentityMeastro
Phone: +1 408.675.5020
Fax: +1 780.423.4711
Regional Offices
Identity Maestro Europe
Kreitstrasse 5 86926
Greifenberg/Munich
Germany
Phone: +49.8192.99733.25
emea@Identity Maestro.com
Identity Maestro USA
440 North Wolfe Road
Sunnyvale, CA 94085
USA
Phone: +1 408.675.5020
For the most up-to-date contact information for all Identity Maestro offices
worldwide, please visit our website at www.identitymaestro.com/contact