Password synchronisation between One Identity Manager and Azure AD

Hello,

We have connected OIM (8.1.3) with our Azure AD tenant, but the passwords between OIM and Azure AD for 800 employees are not the same.

We don't want to ask all these employees to change their password to push it to Azure AD; we already asked them 3 months ago and a lot of them would not respond.

We would prefer to tell them they can use the same password.

We want to automate this in OIM, meaning tell OIM to push the 800 passwords to Azure AD.

Is this doable? Can we use a custom field to trigger an update on the 800 accounts in order to push their passwords to Azure AD?

Thank you

Former Member, over 1 year ago

Hi M.IAM,

On occasion we need to force a password sync for a user too. Not with Azure AD, but we have GSuite, and sometimes the same generic email account is used by several employees. So the account roams from one user to another and the password needs to be synced with the Employee's CentralPassword.

In other cases there's a WAN comms failure between our servers and the customer's local domain controllers, so we find that the Employee's ADSAccount password has changed but that change couldn't be "transmitted" to the endpoint.

So, here is what we have and what we do.

1. The CentralPassword will be set for all the accounts of the Person. See the config setting QER\Person\UseCentralPassword.
2. We have a custom option for the admins in our web interface that calls the OOB script QER_Publish_CentralPassword. You can use it in your own scripts to handle your 800 "changes".
3. When we find there's a difference between the employee's account password and the endpoint's (your case), we use our custom admin option to force a password push. Please note that, at least in AD accounts, the update will only be carried out if the passwords differ (see the ADS_Account_Update/(De-)activate process in Designer). In this case you might need to reset the ADSAccount password to a random value and then use the script to push the Employee's password to the account.

HTH
