Hello. My name is Wayne Smiley, Principal Architect for Active Roles for One Identity. Today, we're going to do a Deep Dive into our Active Roles product. And specifically, we're going to talk about some of the new features and functionality in the latest version, Active Roles 7.44, as well as some other pieces from some relatively new versions. And we're going to talk about how Azure works in those environments and what new features and functionalities we have.
Specifically, we're going to teach you how you can use some of these new features to manage Azure and Office 365. We're going to talk specifically about Azure only users. We're going to talk about creating and managing Azure guest accounts, creating and managing Azure contacts. We'll also be covering how you can handle workflows in Active Roles that maintain and manage Azure, as well as Office 365 groups, and things like that. And then, we'll do policies in Active Roles again for Azure and Office 365, as well as show you how to use Access Templates in those, as well.
So let's dig in a little bit. First, a couple of ground rules in terms of what we talk about and how we talk about everything-- it will make it a little easier for us to go through all of this. For the most part, I'm going to use Azure Active Directory and Office 365, Microsoft 365, all those things kind of synonymously. There'll be times where they're different. But generally speaking, as we know, they're kind of the same. Today, we're not going to talk at all about combining interfaces or anything like that, although there is some of that built into here, as you'll see.
The first thing we're going to talk about is creating an Azure contact. So technically, everybody seems to call them Azure contacts. But what they really are is Office 365 contacts. In fact, if we go over here to the Office 365 portal, what we'll see is that we can see that the contacts are actually here in the Office 365 or Microsoft 365 portal. They are not in the Azure portal at all. So with the new version of Active Roles, you can now see that over here, we have the new Azure contacts piece in the tree. And you can see that I have all the same Azure contacts here that I have over here in the Office 365 Admin Center. OK. So great.
So now, let's go ahead and create a new contact. We have a John Smith, so we'll call this guy Bill Smith, OK? Nice and easy, no big deal. We can go through and fill all this stuff out. But frankly, we don't care. You'll notice that we have all the same stuff that they have in the Office 365 portal. So we're going to go ahead and click Next and Finish, and we will go ahead and create that user. It will just take a quick second here. And as you can see here, the user was successfully created.
So let's take a quick look over at the Microsoft 365 side of this, and we'll see here if I just refresh that real quick--oh. It looks like it actually already came up. So you see we now have new user Bill Smith and we can see that they have the same email address and all that fun stuff. So they're already all set over there. Now we just need to make sure we see it here. And you'll notice that, in fact, there's Bill Smith already created, already set up, good to go. We can edit him like for any other contact. Here's all his information. We can see everything. We can change everything. We won't dig into that. We can customize it like any other object in the web interface.
But what's important to understand here is that here, we've created the entire thing. We synchronize it. It's all set. It's all good to go. The one thing we're not going to talk about right this minute is how we get permissions to be able to edit that like with Access Templates and stuff like that, and we're going to come back into that portion of it a little bit later.
The next thing we're going to talk about is probably the single most requested feature addition for Active Roles that we've gotten lately, and that is the ability to do Azure only users. So these are users that have no on-prem equivalent, so they exist only in Azure. And you can see here if I go in, we have a lot of these users here. You can see these are regular users. These are not synchronized, you can see. You'll notice over here, we can see that very easily.
But now in the newest version of Active Roles, we show those users right here. And you can see those same users exist right here. And we can manage them as if they were a regular user, and that includes the basic concept of just creating a user. So let's create a user, and we'll call this guy Azure William Smith. All right. Too close to typing my own name. All right. Now you notice, by the way, here's a new feature we can enable-- Azure multi-factor authentication. So that's something that's pretty exciting. We'll just take care of that for you, and you don't have to do anything else.
The way I've customized it, I don't have the ability to automatically create the password. I should have put that back, but I messed it up. And it's not here. And I can assign a license. I'm not going to bother for this user because we don't really care, nor do I want to give them a role. And I don't have any of the OneDrive provisioning policies created, so they're not going to get a OneDrive account. But, obviously, they could. And that would be no problem. So I could go over here. We're going to go ahead and click Finish. You can see that operation completed successfully.
And now if we go over here, we can see in the Azure portal that we've created the account. That account now exists here. And we could go and look at it in here, but frankly, why do we care? Because now we can look at it in Active Roles, so let's go do that instead. OK. So let's just refresh this real quick. There we go. So we see William Smith is here. Here's our user.
So that's fine and great, but let's talk about why this is so important. One-- this means that if you want to have users that exist only in Azure and don't have an on-prem equivalent at all, like for example, some Federation users or some external users or whatnot that are doing whatever it is they're doing, you can do that inside of Active Roles now. You weren't able to do that before.
And number two-- if you have an entire environment that exists in Azure. Let's think about scenarios where you're using say, Microsoft Teams or something like that where you really want to have a bunch of these users that don't exist in AD and you don't want them in AD. You don't want to give them real accounts, but they need to exist in Azure. So let's put them in there.
As a matter of fact-- though it is not super easy to do in this version-- you can actually run Active Roles without having an on-prem service at all, so that is something that you can do in the new version. We'll make that a little more smooth and easier to do in later versions, but it is technically possible now where it wasn't before. So that's essentially Azure users.
While we're here in users, let's talk about guest users, right? This is another thing we kind of hinted at that before. But we know that with guest accounts, they're basically users that are completely external to our system. We don't want to manage them. We don't want to run them. But they need to have accounts for things like oh, I don't know-- SharePoint sites or Teams and things like that. So one of the things we've added right here is the invite guest process into Active Roles. I click on that, and you can see we'll basically go in here. And we'll call this guy Joe. OK.
So we can go through here. And again, I could assign them a role. Although, I probably wouldn't want to do that. In fact, I'm not even allowed to do that in this particular case. Let's put them in the US, and we don't need a job title or anything else for them. So let's just go ahead and click Finish. And we will let that run. You'll notice that that completed successfully. So now that we've created the user, we can go and search for them. And we'll see that we can find them, so we can see that we can search for Azure users just like everybody else. You'll notice that they are an Azure guest user. And we can click in here and see whatever it is we want to see.
Now, since I did an invitation-- and I meant to mention this when I was doing it-- what it actually did was send an email out with the invitation link, which you can see right here. I'm not-- I'll just show it to you real quick. Here, you can see there's the email. Sorry, the formatting is kind of cruddy. But you get the idea. So not only do we now have a user, we do the invitation and the whole bit. And now, they're in our system. And we can manage them just like we want to do with anything else. So this is a really big deal. Now we can kind of handle all these users just as if they were on-prem.
And just like with multiple Active Directory environments, with Azure AD, we don't have to care where they are. When I go and search for them, I can search for them and I'll find them wherever they are. Not only that, you'll also notice-- and this came in a fairly recent version, not in 7.44-- but you can see I have multiple Azure environments, and I can search through all of these. And you can see in a little while when we go through Access Templates, I'll show you a different user's given rights to something but not even necessarily see another Azure [INAUDIBLE] or whatnot.
The next thing we want to go over is Azure workflows. Let's take a look. So here I've just created a workflow. And what's really great about Active Roles and some of the new features is that what we can see here is that when I tell it I want to create a user-- you guys will recognize this, this is a normal Active Roles workflow-- but we actually have a new one. So I type that in, and I need to click "All possible." Incidentally, in the next versions, we're looking to make that so it shows up a little bit easier. But it is here.
So I have EDS [INAUDIBLE] Azure user. Great. I click that. Now anytime I'm going to do something on a particular user, I can do this. So let's take this particular workflow, and then say-- actually, let's change that slightly. Instead of operation, let's do modify properties. OK. And let's do filtering conditions, and we'll insert a condition Property of workflow target object. And we're just going to do something kind of useless here.
Target property is when I change the Department for a user, and I change it to IT. All right. And then I just want to do an update. And we're going to update. Workflow target is fine. Target properties, add property. Let's see. Let's change the description to action set, define text string. And so I mean, again, this is kind of silly. But we just get the idea. It's just a quick thing. Click Save Changes, and then let's actually give this a shot.
OK. So let's go back to the web interface here real quick, and let's go find one of our users. Let's grab Test User3. Open him up. And let's go to here, and let's change his department to IT. And go ahead, and click Save. And then open him up real quick, and you can see that we have both the Department and Description all set.
So again, just a very simple test of a workflow. But the bottom line is that now, we can do workflows against things that happen in Azure AD where we couldn't previously do that before. So that opens up a whole new world of things that we can do. And really, the sky's the limit at this point in terms of what you can actually do.
Let's talk about something now that's kind of the bread and butter of Active Roles, and that is the policy. We use policies all the time to do different things. But now with this new version of Active Roles, we can do a lot of things inside of Azure specifically. So let's just use a-- well, ignore my spelling-- and we'll just use some Property Generation Validation, or PGV, policies. And we want to know what type of object we want to use, and we're going to go down here and it is under EDS Azure.
And you can see, we've got them all listed right here. Let's just do one for users. That's probably the easiest one. So let's do EDS-Azure-User, and then let's say we want to set the Description as-- it must be a value, and we'll just say the value is "Azure only user." That way we can just see, and we're not going to do anything else. We're just going to do something very simple.
And we want to enforce this at the very top, and there we go. We've finished that. So let's just give that a quick whirl. We'll go over here, and we'll do something we've done a bunch of times already. But let's go ahead and create a new user, and we'll call this Jane Smith. OK. And typing the same that time, perfect. Let's not give them a license because we don't care, nor do we want to give them any rules or anything for OneDrive, and let's go ahead and finish. Great.
OK. So let's go take a look at what we've actually done. So let's click on Jane Smith, and let's go over to her job info. And we can see that she has the Azure only user right here. So basically, what we know is that that policy did exactly what we expected it to do. Again, policies can be very, very useful. And we can do lots of different things. I've shown you here user, but we could just as easily do group, Office 365 group, contacts, whatever. Now we just have the ability to do all those things we've traditionally always had inside Active Roles, but we can do them with Azure objects, as well.
The last thing we're going to talk about is Azure Access Templates. Now obviously, we're all used to Access Templates. And we're not going to spend a tremendous amount of time on this. But really, the goal here is for you to understand that we now have all new Access Templates based on the Azure pieces themselves. So you can see we have just basic stuff on read and write and all the different types of objects. These are just the built-in ones. We've also created some more in here.
So you can see that-- let's take a look at one of these in particular. Let's take a look at this Azure allow list. This basically just allows them to list and see different things that are going on. Now what I've done here is I have a user here, and you can see that they're actually a local user just to make my life a little bit easier here. And the access template is Azure Allow List, so we'll go take a look at that. And we can see the permissions here that they can list Azure containers, they can read Azure containers, they can see some tenant information and some domain information.
As you know, that means that they can't actually see any users or interact with any users at all. But they can do some very basic things here. And nothing nested in there, just so you can see. So you guys can go in here. And obviously those EDS-Azure ones are really what's critical. And that's how you guys are going to do all of your Access Templates. And again, you can use the built-in ones, if you like. But we've created some. I've created one here just to kind of give you a sense of how all this operates.
So let's go take a look and see what that actually means in the real world. First, let's take a look at the administrative user. This user right here is an administrative user, and so I can see everything. So you'll notice here that I can see my-- and I have two different Azure tenants. This actually is important because it's only assigned to one, as you saw earlier. But we've got this one here and this one here. And you can see that I also have the Azure Configuration node and everything is viewable here to me. So I have full control over everything. All right. And let's minimize that.
Let's open up a new incognito window. OK. And we're going to log in. I believe that is-- and again, remember I only gave them rights to see the basic structure. But I didn't give them rights to see anything else in Azure. So we can see here is if I take a look, you can see I see the two different tenants, but I see nothing underneath them because all I've given myself to do is the right to see the actual tenants themselves. And again, that's with this user. So that's really an Access Template in action doing what it's supposed to do-- maybe not the best one. And actually, now that I'm thinking about it, I probably could have done something that would have been more illustrative of what I'm trying to do, but that's OK. You get the general idea.
So now, let's take a step back and kind of put all of this together and talk about everything that we've done here. One of the biggest core pieces that was added in Active Roles 7.44 is the ability to really run Azure in the same way that you run on-prem AD, and that was really the goal here. We've put a lot of the pieces in to allow you to maintain those things and put in those same Access Templates and workflows and policies and, you know, Azure only objects and maintain them-- an Azure world in the same way that you're used to maintaining an on-prem world.
And we know as you guys are going forward in your hybrid AD strategy, if you will, that a lot of companies have a smaller reliance on on-prem AD and are moving everything to Azure. In fact, we're hearing some of you guys really want to move everything to Azure and separate those all out together. And we're heading in that direction. You can see there's a few things here that really aren't quite as perfect as we would like them to be, and we'll fix those in newer versions and make them easier to see. But it is all there, and we can do what we need to do.
So this is really a huge step forward in the product and is really going to allow you to do everything that you need to do. All those things you've always wanted to do in Azure AD but couldn't do, now you're going to be able to do with Active Roles. I hope this has been very helpful. Thank you very much.