Requirements
Creating an Active Directory configuration requires a HelloID Agent Pool and Agent. If you haven't already set these up, please refer to Agents - Overview before continuing.
Introduction
This article demonstrates how to create or manage an Active Directory configuration.
Also see Active Directory - Overview.
To get started, go to Directory > Active Directory.
Create a configuration
- On the overview screen, select the Create Configuration button.
- Select the Agent Pool that will be used for this directory configuration. If you only have one Agent Pool, it will be selected by default. If you have multiple Agent Pools, you can select the most appropriate one for the job. Select the Next button to continue.
- Select the services that you want this directory configuration to handle:
  - Authentication: Allow users to log in to HelloID using their AD domain credentials.
  - Synchronization: Synchronize the AD domain's user and group directory into HelloID.
- If you have selected Synchronization, two additional options are available:
  - Start Sync Now: Turn on to run the synchronization task immediately after the configuration is created.
  - Allow Deletion: When this toggle is turned on, the configuration's synchronization task is allowed to delete users from HelloID when they have been deleted in Active Directory. When it is turned off, the synchronization task never deletes users in HelloID, even if they have been deleted in Active Directory.
  - Turning on Allow Deletion also lets you set a Deletion Threshold, a safeguard against the accidental mass deletion of users. By default it is set to 10%. Leave this safeguard in place whenever deletion is allowed; it is what keeps a single sync run from removing a large share of your HelloID users.
  - Turning on Allow Deletion also lets you turn on User Hard-Delete. When User Hard-Delete is turned on, the AD sync task permanently deletes a HelloID user when the corresponding AD user has been deleted. When it is turned off, the sync task does not permanently delete any HelloID users. Instead, "deleted" users are disabled and hidden behind the Show only deleted users filter on the Users Overview screen.
  - You can restore a deleted user by turning on its Enabled toggle. Note that its Source then changes to Local (i.e., it is converted to a local user) and it is no longer associated with Active Directory, so the AD sync no longer manages it. If instead you restore the deleted AD user from your AD Recycle Bin and run the sync task, the restored HelloID user is re-associated with the restored AD user. Restored HelloID users retain their previous settings, including group memberships, credential sets, etc.
- Select the Next button.
- Select the scope of user account synchronization within your domain. By default, Synchronize all users is selected. You may accept this default, select Choose specific OUs, or select Enter OU manually. To keep service accounts out of HelloID, we recommend one of the latter two options: scope the sync to the OUs that hold people accounts rather than the whole domain. Select the Next button to continue.
- Select the scope of user group synchronization within your domain. By default, Synchronize all groups is selected. You may accept this default, or select Synchronize groups from the same OUs as specified users, Choose specific OUs, Enter OU manually, or Do not synchronize groups. Make an appropriate selection, configure it as necessary, and select the Next button to continue.
- Select the Finish button to confirm the configuration and return to the Active Directory - Overview page.
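Two steps in the procedure above benefit from a check on the AD side before you click through them: choosing a user OU scope that leaves service accounts out, and restoring a deleted AD user from the Recycle Bin so that the next sync re-links the HelloID user instead of converting it to a local user. The script below is an added example, not HelloID's own code or tooling. It assumes the RSAT ActiveDirectory PowerShell module, an AD domain with the Recycle Bin optional feature enabled, and an assumed `svc-` naming prefix and assumed OU distinguished names; adapt those to your domain.

```powershell
# Added example (not from the HelloID documentation or product).
# Assumes the RSAT ActiveDirectory module and, for restores, the AD Recycle Bin.
Import-Module ActiveDirectory

function Get-OuUserSummary {
    <#
    .SYNOPSIS
    Lists the OUs directly below a search base with how many users each holds
    and how many of them look like service accounts, to help pick the
    "Choose specific OUs" scope for the HelloID sync.
    #>
    [CmdletBinding()]
    param(
        # Assumed search root, e.g. 'OU=Accounts,DC=corp,DC=example'.
        [Parameter(Mandatory)] [string] $SearchBase,
        # Assumed naming convention for service accounts; adjust to your domain.
        [string] $ServiceAccountPattern = '^svc-'
    )

    Get-ADOrganizationalUnit -SearchBase $SearchBase -SearchScope OneLevel -Filter * |
        ForEach-Object {
            $users = @(Get-ADUser -SearchBase $_.DistinguishedName -SearchScope Subtree `
                                  -Filter * -Properties PasswordNeverExpires)
            # Heuristic: a matching name or a non-expiring password usually means
            # a service account that should not be synchronized into HelloID.
            $svc = @($users | Where-Object {
                $_.SamAccountName -match $ServiceAccountPattern -or $_.PasswordNeverExpires
            })
            [pscustomobject]@{
                OU              = $_.DistinguishedName
                Users           = $users.Count
                ServiceAccounts = $svc.Count
                ServiceSamples  = ($svc | Select-Object -First 3 -ExpandProperty SamAccountName) -join ', '
            }
        }
}

function Restore-DeletedAdUser {
    <#
    .SYNOPSIS
    Restores a deleted AD user from the Recycle Bin. Run the HelloID sync task
    afterwards so the disabled HelloID user is re-associated with it.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Optional new parent; by default the object returns to its last known parent.
        [string] $TargetPath
    )

    # Deleted objects are only returned with -IncludeDeletedObjects, and only
    # while the Recycle Bin's deleted-object lifetime has not expired.
    $deleted = @(Get-ADObject -Filter "isDeleted -eq `$true -and SamAccountName -eq '$SamAccountName'" `
                              -IncludeDeletedObjects -Properties SamAccountName, LastKnownParent)

    if ($deleted.Count -eq 0) {
        throw "No deleted user named '$SamAccountName' is in the Recycle Bin."
    }
    if ($deleted.Count -gt 1) {
        # Re-created and re-deleted accounts leave several tombstones; pick by GUID.
        throw "Several deleted objects match '$SamAccountName'; restore by ObjectGUID instead."
    }

    $params = @{ Identity = $deleted[0].ObjectGUID }
    if ($TargetPath) { $params.TargetPath = $TargetPath }
    Restore-ADObject @params

    # Return the live object so the caller can confirm the restore before syncing.
    Get-ADUser -Identity $deleted[0].ObjectGUID
}

# Usage (assumed names):
# Get-OuUserSummary -SearchBase 'OU=Accounts,DC=corp,DC=example' | Format-Table
# Restore-DeletedAdUser -SamAccountName 'jdoe'
```

Run `Get-OuUserSummary` before the user-scope step and select only OUs whose ServiceAccounts column is zero (or move the flagged accounts out first). `Restore-DeletedAdUser` refuses to guess when more than one tombstone matches, because restoring the wrong one would re-link the HelloID user, with its group memberships and credential sets, to a different AD object.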
Edit a configuration
To edit a configuration, select its Edit link in Directory > Active Directory.
The edit screen has the same settings described in the above section, Create a configuration, but consolidated onto a single page.
When finished, select the Save button to confirm.
Delete a configuration
To delete a configuration, select the appropriate row in Directory > Active Directory and then select the Delete button.
When you delete a configuration, its associated mapping set is also deleted, as well as any delegated forms that use the configuration. Its associated AD IdP and synchronization task are not deleted; remove those separately if they are no longer needed.