For the best web experience, please use IE11+, Chrome, Firefox, or Safari

Products

Endpoint Privilege Management

Identity Governance and Administration

Log Management

View All Products

Solutions

Achieve identity-centric cybersecurity to protect the people, applications and data that are essential to business

All Solutions

All Integrations

Secure the organization

Protect the people, applications and data that are essential to business with unified identity security.
Drive operational efficiencies

Streamline process, reduce errors and minimize complexity associated with managing identities.
Enable compliance & auditing

Satisfy regulatory, industry, and jurisdictional requirements related to identity security.
Support digital transformation

Take measured steps to ensure digital transformation initiatives stay in line with identity security best practices.
Enhance log management

Reliably collect, store and manage logs from hundreds of systems across the enterprise.

Support & Services

Partners

About

Resources

Blogs

Communities

Free Trials Request Pricing

Active Roles On Demand

No limits to cloud-delivered Active Directory administration (tool), including Azure AD account management. Move your AD/AAD strategy fully to the cloud and sacrifice nothing. All the management, all the vision, all the flexibility in a modern, ISO 27001-certified SaaS solution. Automate manual tasks, speed up approvals and easily remove dead accounts with One Identity Active Roles On Demand.

02:59

Unifying the Management of your On-prem and Azure AD Environments with Active Roles

Contact Sales Calculate ROI

Key benefits

Automate AD/AAD administration

Regulate admin access

Overcome native AD tool limitations

Expand AD control beyond Windows

One Identity ISO/IEC Certifications

One Identity SaaS solutions are developed, operated, and supported within the scope of the One Identity Information Security Management System, which has achieved ISO/IEC 27001:2013 certification, and is aligned to meet the additional control implementation guidance in ISO/IEC 27017:2015 and ISO/IEC 27018:2019. For our customers, meeting the requirements of these important industrial standards can provide confidence that our cloud infrastructure has been independently verified to effectively manage information security and privacy.

Features

Increase AD Efficiency

Accelerate administration, remove the need for heavy IT involvement and reduce manual errors

Improve security

Deploy Zero Trust with delegated permissions

Simplify management

Control complex environments with a single point of administration

Secure access

Control access through delegation using a least-privilege model

Capabilities

Secure access in active directory administration tool

Hybrid AD ready

Active Roles On Demand is optimized to serve the needs of both on-prem AD and Azure AD in a hybrid deployment. It offers a single console, unified workflows and a consistent administrative experience across your entire hybrid environment. With support for multi-tenant, Active Roles eliminates the cumbersome, error-prone, and unnecessary challenges that come with using separate native tools and manual processes.

Secure access

Active Roles On Demand provides comprehensive privileged account management for Active Directory and Azure Active Directory, enabling you to control access through delegation using a least-privilege model. Based on defined administrative policies and associated permissions, it generates and strictly enforces access rules, eliminating the errors and inconsistencies common with native approaches to hybrid AD management. Along with modern authentication using OAUTH, Active Roles On Demand has robust and personalized approval procedures establish an IT process and oversight consistent with business requirements, with responsibility chains that complement the automated management of directory data.

Automate account administration

Active Roles On Demand automates a wide variety of tasks, including:

Creating user accounts and groups in AD and AAD
Extending AD/AAD-based account administrative actions to non-Windows systems and SaaS applications
Creating mailboxes in Exchange and Exchange Online
Populating groups across AD and AAD
Assigning resource in Windows

It also automates the process of reassigning and removing user access rights in AD, AAD and AD-joined systems (including user and group de-provisioning) to ensure an efficient and secure administrative process over the user and group lifecycles. When a user’s access needs to be changed or removed, updates are made automatically across all relevant systems and applications in the hybrid AD/AAD environment, as well as AD-joined systems, including UNIX, Linux, Mac OS X rich (replace ‘as well as’ with ‘and’) and a growing collection of popular SaaS applications via the One Identity Starling Connect solution.

Day to day directory management

With Active Roles On Demand, you can easily manage all of the following for both the on-prem and Azure AD environments:

Exchange recipients, including mailbox/OCS assignment, creation, movement, deletion, permissions and distribution list management
Groups
Computers, including shares, printers, local users and groups
Active Directory and Azure Active Directory

Active Roles On Demand includes intuitive interfaces to optimize day-to- day administration and help-desk operations of the hybrid AD/AAD environment via both an MMC snap-in and a web interface.

Extend the administrative scope

Active Roles On Demand supports the SCIM standard, which allows any SCIM-enabled SaaS application (via One Identity Starling Connect) to be embraced in the AD-based account and group administration capabilities of Active Roles.

Manage groups and users in a hosted environment

Synchronize AD domain clients with host AD domain in hosted environments. Active Roles On Demand enables user and group account management from the client domain to the hosted domain, while also synchronizing attributes and passwords. Utilize out-of-the-box connectors to synchronize your on-premises AD accounts to Microsoft Office 365, Lync Online / Skype for Business and SharePoint Online.

Consolidate management points through integration

Active Roles On Demand complements your existing technology and IAM strategy. It simplifies and consolidates management points by ensuring easy integration with many One Identity products, including Identity Manager, Safeguard, Authentication Services, Password Manager and ChangeAuditor. Active Roles also automates and extends the capabilities of PowerShell, ADSI, SPML and customizable web interfaces.

Active Roles On Demand comes with all the synchronization technology necessary to manage and secure:

Oracle Database
Oracle Unified Directory
Micro Focus NetIQ Directory
IBM AS/400
Lync / Skype for Business
Exchange
One Drive
SharePoint
AD LDS
Office 365 (including roles and groups)
Azure AD
Microsoft SQL Server
OLE DB (MS Access)
Flat file

Deliver Access Request and Access Certification

Starling CertAccess extends the capabilities of One Identity Active Roles (on-prem and On Demand) to deliver Access Request and Access Certification across your enterprise.

Access certification

With Starling CertAccess, enable flexible workflows empower line-of-business managers and resource owners to review and certify user access rights in AD which ensure access continuous compliance. Demonstrates segregation of duties and access controls for compliance and auditors.

Access requests

Now with Starling CertAccess, enable users – or others, acting on behalf of a user – to request access rights in AD. This removes IT from the day-to-day process and assigns the responsibility of granting access to the application/data owner and line-of-business managers.

Read Reviews Submit a Review

Automatic, consistent, and complete management

Active Roles overcomes the shortcomings of native Active Directory administration tools for efficient hybrid-environment management and security

Supported platforms

Lync / Skype for Business

Exchange

One Drive

SharePoint

AD LDS

Office 365

Azure AD

Microsoft SQL Server

OLE DB (MS Access)

Flat file

Screenshot Tour

Single Pane of Glass

Access Templates

Drag and Drop Workflows

Security Policy

Change History

Single Pane of Glass

Manage all systems in your hybrid AD environment with a single pane of glass

Access Templates

Accelerate provisioning with simple, easily managed access templates

Drag and Drop Workflows

Enjoy simplicity with drag-and-drop workflows for user, admin and group tasks

Security Policy

Place 'guard rails' around data in AD for efficiency and security

Change History

Single-mouse-click view of the "who/what/when/where" of particular objects

Specifications

Before installing Active Roles 7.4, ensure that your system meets the following minimum hardware and software requirements.

Active Roles includes the following components:

Administration Service
Web Interface
Console (MMC Interface)
Management Tools
Synchronization Service

This section lists the hardware and software requirements for installing and running each of these components.

Administration Service

Platform

Any of the following:

Intel 64 (EM64T)

AMD64

Processor speed: 2.0 GHz or faster

For best results, a multi-core processor recommended.

Memory: At least 2 GB of RAM. The amount required depends on the total number of managed objects.

Hard Disk Space: 100 MB or more of free disk space. If SQL Server and Administration Service are installed on the same computer, the amount required depends on the size of the Active Roles database.

Operating System

You can install Administration Service on a computer running:

Microsoft Windows Server 2019, Standard or Datacenter edition
Microsoft Windows Server 2016, Standard or Datacenter edition

Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows Server 2012, Standard or Datacenter edition

NOTE: Active Roles is not supported on Windows Server Core mode setup.

Microsoft .NET Framework: Administration Service requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

SQL Server

You can host the Active Roles database on:

Microsoft SQL Server 2017, any edition
Microsoft SQL Server 2016, any edition
Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack

Microsoft SQL Server 2012, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL)

Windows Management Framewor: On all supported operating systems, the Administration Service requires Windows Management Framework 5.1 (see “Windows Management Framework 5.1” at http://go.microsoft.com/fwlink/?LinkId=272757).

Operating system on domain controllers

Active Roles retains all features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Pack:

Microsoft Windows Server 2019
Microsoft Windows Server 2016

Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012

Active Roles deprecates managed domains with the domain functional level lower than Windows Server 2012. We recommend that you raise the functional level of the domains managed by Active Roles to Windows Server 2012 or higher.

NOTE: Active Roles is not supported on Windows Server Core mode setup.

Exchange Server

Active Roles is capable of managing Exchange recipients on:

Microsoft Exchange Server 2019
Microsoft Exchange Server 2016
Microsoft Exchange Server 2013

Microsoft Exchange Server 2010 Service Pack 3
Microsoft Exchange 2013 CU11 is no longer supported. Refer KB article 202695.

Web Interface

Platform

Any of the following:

Intel 64 (EM64T)

AMD64

Processor speed: 2.0 GHz or faster

Memory: At least 2 GB of RAM. The amount required depends on the total number of managed objects.

Hard Disk Space: About 100 MB of free disk space.

Operating System

You can install Web Interface on a computer running:

Microsoft Windows Server 2019 Standard or Datacenter edition
Microsoft Windows Server 2016, Standard or Datacenter edition

Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows Server 2012, Standard or Datacenter edition

NOTE:Active Roles is not supported on Windows Server Core mode setup.

Microsoft .NET Framework: Web Interface requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

Internet Services

On Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 Web Interface requires the Web Server (IIS) server role with the following role services:

Web Server/Common HTTP Features/
- Default Document
- HTTP Errors
- Static Content
- HTTP Redirection
Web Server/Security/
- Request Filtering
- Basic Authentication
- Windows Authentication
Web Server/Application Development/
- .NET Extensibility
- ASP
- ASP.NET
- ISAPI Extensions
- ISAPI Filters
Management Tools/IIS 6 Management Compatibility/
- IIS 6 Metabase Compatibility

Internet Information Services (IIS) must be configured to provide Read/Write delegation for the following features:

Handler Mappings
Modules

Use Feature Delegation in Internet Information Services (IIS) Manager to confirm that these features have delegation set to Read/Write.

Web browser

You can access Web Interface using:

Firefox 36 on Windows
Google Chrome 61 on Windows

Windows Internet Explorer 11
Microsoft Edge on Windows 10

You can use a later version of Firefox, Google Chrome or Internet Explorer to access Web Interface; however, Web Interface 7.4 has been tested only against the browser versions listed above.

Minimum screen resolution: Web Interface is optimized for screen resolutions of 1280 x 800 or higher. The minimum supported screen resolution is 1024 x 768.

Console (MMC Interface)

Platform

Any of the following:

Intel x86
Intel 64 (EM64T)

AMD64
Processor speed: 1.0 GHz or faster

Memory (RAM): At least 1 GB of RAM. The amount required depends on the total number of managed objects.

Hard Disk Space: About 100 MB of free disk space.

Operating System

You can install Active Roles console on a computer running:

Microsoft Windows Server 2019, Standard or Datacenter edition
Microsoft Windows Server 2016, Standard or Datacenter edition
Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows Server 2012, Standard or Datacenter edition

Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
Microsoft Windows 7 Ultimate, Professional, or Enterprise edition, 32-bit (x86) or 64-bit (x64) Service Pack 1
Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)

NOTE: Active Roles is not supported on Windows Server Core mode setup.

Microsoft .NET Framework: Active Roles console requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

Web browser: Active Roles console requires Internet Explorer 11.

Management Tools

Management Tools is a composite component that includes the Active Roles Management Shell, ADSI Provider, and SDK. On a 64-bit (x64) system, Management Tools also include the Active Roles Configuration Center.

Platform

Any of the following:

Intel x86
Intel 64 (EM64T)

AMD64
Processor speed: 1.0 GHz or faster

Memory (RAM): At least 1 GB of RAM.

Hard Disk Space: About 100 MB of free disk space.

Operating System

You can install Management Tools on a computer running:

Microsoft Windows Server 2019, Standard or Datacenter edition
Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows Server 2012, Standard or Datacenter edition

Microsoft Windows Server 2016, Standard or Datacenter edition
Microsoft Windows 8.1, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)
Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64)

NOTE: Active Roles is not supported on Windows Server Core mode setup.

Microsoft .NET Framework: Management Tools require Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

Windows Management Framework: On all supported operating systems, Management Tools require Windows Management Framework 5.1 (see “Windows Management Framework 5.1” at https://www.microsoft.com/enus/download/details.aspx?id=54616).

Remote Server Administration Tools (RSAT): To manage Terminal Services user properties by using Active Roles Management Shell, Management Tools require Remote Server Administration Tools (RSAT) for Active Directory. See Microsoft’s documentation for instructions on how to install Remote Server Administration Tools appropriate to your operating system.

Synchronization Service

Synchronization Service requirements

Platform

Any of the following:

Intel 64 (EM64T)
Processor speed: 2.0 GHz or faster

AMD64

For best results, a multi-core processor recommended.

Memory: At least 2 GB of RAM. The amount required depends on the number of objects being synchronized.

Hard disk space: 250 MB or more of free disk space. If SQL Server and Synchronization Service are installed on the same computer, the amount required depends on the size of the Synchronization Service database.

Operating System

You can install the Synchronization Service on a computer running:

Microsoft Windows Server 2019, Standard or Datacenter edition
Microsoft Windows Server 2016, Standard or Datacenter edition

Microsoft Windows Server 2012 R2, Standard or Datacenter edition
Microsoft Windows Server 2012, Standard or Datacenter edition

NOTE:Active Roles is not supported on Windows Server Core mode setup.

Microsoft .NET Framework: Synchronization Service requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=257868).

SQL Server

You can host the Synchronization Service database on:

Microsoft SQL Server 2017, any edition
Microsoft SQL Server 2016, any edition

Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack
Microsoft SQL Server 2012, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack

Windows Management Framework: On all supported operating systems, the Synchronization Service requires Windows Management Framework 5.1 (see “Windows Management Framework 5.1” at https://www.microsoft.com/enus/download/details.aspx?id=54616).

Supported connections

The Synchronization Service can connect to:

Microsoft Active Directory Domain Services with the domain or forest functional level of Windows Server 2012 or higher
Microsoft Active Directory Lightweight Directory Services running on any Windows Server operating system supported by Microsoft
Microsoft Exchange Server version 2019, 2016, 2013, or 2010
NOTE: Microsoft Exchange 2013 CU11 is no longer supported. Refer KB article 202695.
Microsoft Lync Server version 2013 with limited support
Microsoft Skype for Business 2019, 2016 or 2015
Microsoft Windows Azure Active Directory using the Azure AD Graph API version 1.6.
Microsoft Office 365 directory
Microsoft Exchange Online service

Microsoft Skype for Business Online service
Microsoft SharePoint Online service
Microsoft SQL Server, any version supported by Microsoft
Microsoft SharePoint 2019, 2016, or 2013
Active Roles version 7.4, 7.3, 7.2, 7.1, 7.0, and 6.9
One Identity Manager version 7.0 (D1IM 7.0)
One Identity Manager version 8.0
Support for Generic LDAP Connector, MY SQL Connector, Open LDAP Connector, IBM Db2 Connector, Salesforce Connector, Service now Connector, and RACF Connector.
Data sources accessible through an OLE DB provider
Delimited text files

Legacy Active Roles ADSI Provider: To connect to Active Roles version 6.9, the Active Roles ADSI Provider of the respective version must be installed on the computer running the Synchronization Service. For installation instructions, see the Quick Start Guide for the appropriate Active Roles version.

Microsoft Exchange Server Management Tools: To connect to Exchange Server 2007, the Exchange 2007 SP3 management tools must be installed on the computer running the Synchronization Service. For installation instructions, see “How to Install the Exchange 2007 Management Tools” at http://go.microsoft.com/fwlink/?linkid=88090.

Azure AD Module for Windows PowerShell Version 2

To connect to the Office 365 directory, the following module must be installed on the computer running the Synchronization Service:

Azure Active Directory Module for Windows PowerShell

For installation instructions, see “Install the Azure AD Module” at https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0.

Windows PowerShell Module for Skype for Business Online: To connect to the Lync Online service, Windows PowerShell Module for Lync Online must be installed on the computer running the Synchronization Service. For installation instructions, see “Windows PowerShell Module for Lync Online” at http://go.microsoft.com/fwlink/?LinkId=294688.

SharePoint Online Management Shell: To connect to the SharePoint Online service, SharePoint Online Management Shell must be installed on the computer running the Synchronization Service. For installation instructions, see “SharePoint Online Management Shell” at http://go.microsoft.com/fwlink/?LinkId=255251.

One Identity Manager API: To connect to One Identity Manager 7.0, One Identity Manager Connector must be installed on the computer running the Synchronization Service. This connector works with RESTful web service and SDK installation is not required.

Internet Connection: To connect to cloud directories or online services, the computer running the Synchronization Service must have a reliable connection to the Internet.

Synchronization Service Capture Agent

Microsoft .NET Framework: Synchronization Service requires Microsoft .NET Framework 4.7.2 (see “Installing the .NET Framework” at http://go.microsoft.com/fwlink/?LinkId=294688

Additional Requirements

To synchronize passwords from an Active Directory domain to some other connected data system, you must install the Sync Service Capture Agent on all domain controllers in the source Active Directory domain.

The domain controllers on which you install Sync Service Capture Agent must run one of the following operating systems with or without any Service Pack (both x86 and x64 platforms are supported):

Microsoft Windows Server 2019
Microsoft Windows Server 2016

Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012

For more information, see the Active Roles Synchronization Service Administrator Guide.

Upgrade and compatibility

For instructions on how to upgrade Active Roles, refer to the Active Roles Quick Start Guide.

When performing the upgrade, keep in mind that the components of the earlier version may not work in conjunction with the components you have upgraded. To ensure smooth upgrade to the new version, you should first upgrade the Administration Service and then upgrade the client components (Console and Web Interface).

Custom solutions (scripts or other modifications) that rely on the functions of Active Roles may fail to work after an upgrade due to compatibility issues. Prior to attempting an upgrade, you should test your existing solutions with the new version of the product in a lab environment to verify that the solutions continue to work.

Version upgrade compatibility chart

: The following table shows the version upgrade path that you can take from one version of the product to another. Source version refers to the current product version that you have installed. Destination version refers to the highest version of the product to which you can upgrade.
Source version
Destination version
6.9.0
7.4
7.0
7.4
7.1
7.4
7.2
7.4
7.3
7.4

Resources

View All

Datasheet

Get started now

Simplify the security of your Active Directory

Contact Sales Calculate ROI

Support and services

Product Support

Self-service tools will help you to install, configure and troubleshoot your product.

Support Offerings

Find the right level of support to accommodate the unique needs of your organization.

Endpoint Privilege Management

Secure the organization

Drive operational efficiencies

Enable compliance & auditing

Support digital transformation

Enhance log management

Active Roles On Demand

Key benefits

Automate AD/AAD administration

Regulate admin access

Overcome native AD tool limitations

Expand AD control beyond Windows

One Identity ISO/IEC Certifications

Features

Increase AD Efficiency

Improve security

Simplify management

Secure access

Capabilities

Hybrid AD ready

Secure access

Automate account administration

Day to day directory management

Extend the administrative scope

Manage groups and users in a hosted environment

Consolidate management points through integration

Deliver Access Request and Access Certification

Access certification

Access requests

WE ARE RATED ON

Automatic, consistent, and complete management

Supported platforms

Lync / Skype for Business

Exchange

One Drive

SharePoint

AD LDS

Office 365

Azure AD

Microsoft SQL Server

OLE DB (MS Access)

Flat file

Screenshot Tour

Single Pane of Glass

Access Templates

Drag and Drop Workflows

Security Policy

Change History

Specifications

Source version

Destination version

Resources