This article will lead you through the configuration options that are specific to the Microsoft Active Directory (AD) target system connector. Information about configuration options that are common among all target systems can be found here.
Configure the Microsoft Active Directory target system
On the target systems overview, click the wrench icon for the Microsoft Active Directory target that you wish to configure. This will take you to the configuration page for that system.
In this tab, you will need to specify the fully qualified domain name (FQDN) of the Active Directory domain to which you will be connecting. Connections are made through the HelloID Agent that is installed within the target domain.
Enter the FQDN in the Domain text box, and click the Connect button. If HelloID can establish a connection, the button will turn green and additional tabs will appear along the top of the pane. If an error is encountered, more information will be displayed.
On this tab, you may integrate HelloID provisioning with Microsoft Exchange. The instance of Exchange can be in a local, hybrid, or remote configuration. Enabling integration will allow HelloID to provision mailboxes for newly provisioned accounts.
This tab allows you to configure how accounts are handled within AD, such as what values are populated into which attributes.
- Force update account(s)
This button will cause HelloID to apply changes that you've made in this tab to accounts that have already been granted as entitlements. Accounts that have not been granted as entitlements will not be affected.
- Attribute mappings
- Additional fields
You may add additional attribute mappings by selecting the desired attributes from this dropdown menu and clicking the Add button. Newly added attributes will be appended to the bottom of the attribute mappings list, and will default to the Field setting.
For example, to set the password options of new user accounts, you can add Must change password at next logon, Password never expires, or User cannot change password. These will appear as additional fields in the mapping list that you may configure accordingly.
In addition to the fields presented in the dropdown, you may type in the name of any custom attributes you wish to populate in the target system, such as extensionAttribute1. After you click the Add button, that attribute will be available for mapping. Please note that the attribute must already be available in the target system.
You may select a person from the dropdown menu and get a preview of how HelloID will treat their information based on the attribute mappings that have been specified. This is useful for making sure that everything will happen the way you expect it to, when it comes time to enforce business rules.
The Administration tab provides additional configuration options.
- Delete account when entitlement is revoked
When enabled, the person's account will be deleted from the target system when their Account entitlement is revoked. If this setting is disabled, then the entitlement is still revoked, but the account remains in place and becomes unmanaged by HelloID.
- Set manager when account is created
When enabled, HelloID will set the manager attribute of the target account to the person's primary manager when the account is created. If this setting is disabled, the manager attribute will remain blank.
- Update manager when account is updated
When enabled, HelloID will set the manager attribute of the target account to the person's primary manager when the Update lifecycle is triggered for the account's owner. If this setting is disabled, the manager attribute will not be updated by HelloID.
In addition to those settings, you are also able to configure the OU placement of accounts when they are created, enabled, and disabled. These options can be Fixed selections (i.e. static OU paths), or you may use PowerShell to dynamically determine an OU path based on source data.
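The following is an added example, not HelloID's own script or its script contract: a sketch of deriving an OU path from source data while keeping untrusted values from altering the resulting distinguished name. The person object shape, the Department field, the example.com OU layout, and the function names are all assumptions made for illustration.

```powershell
# Added example. $BaseOU, $FallbackOU, $AllowedOUs and the Department field are
# hypothetical; adapt them to your own directory layout and source data.
$BaseOU     = 'OU=Users,DC=example,DC=com'
$FallbackOU = 'OU=Unassigned,OU=Users,DC=example,DC=com'

# Constructed allow-list of OUs that provisioned accounts may be placed in.
$AllowedOUs = @(
    'OU=Finance,OU=Users,DC=example,DC=com'
    'OU=R\+D,OU=Users,DC=example,DC=com'
)

function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape DN special characters (RFC 4514) so source text stays inside one RDN.
    $v = $Value.Trim() -replace '([,+"\\<>;=])', '\$1'
    return ($v -replace '^#', '\#')
}

function Resolve-AccountOU {
    param([Parameter(Mandatory)][hashtable]$Person)
    $dept = [string]$Person.Department
    # Missing department: place the account in a holding OU instead of failing.
    if ([string]::IsNullOrWhiteSpace($dept)) { return $FallbackOU }
    $candidate = 'OU={0},{1}' -f (ConvertTo-EscapedRdnValue $dept), $BaseOU
    # Only return OUs that are explicitly approved for provisioning.
    if ($AllowedOUs -contains $candidate) { return $candidate }
    return $FallbackOU
}

# Constructed sample source records, including one with DN syntax in the field.
$samples = @(
    @{ DisplayName = 'A. Jansen';   Department = 'Finance' }
    @{ DisplayName = 'B. de Vries'; Department = 'R+D' }
    @{ DisplayName = 'C. Bakker';   Department = 'Finance,OU=Domain Controllers' }
    @{ DisplayName = 'D. Smit';     Department = '' }
)
foreach ($p in $samples) {
    '{0,-12} -> {1}' -f $p.DisplayName, (Resolve-AccountOU -Person $p)
}
```

The third sample record resolves to the fallback OU: after escaping, its department value is a single RDN that is not on the allow-list, so it cannot redirect the account into another container.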
Most of the time, accounts will already exist in a target system for many of the people within your organization. In order to avoid creating new (duplicate) accounts, you may configure the target system's correlation options.
When correlation is enabled, HelloID will look for existing accounts in the target system that match up to person records from the source data. It does this by matching the correlation fields you define in this tab. In the screenshot below, we have told HelloID that if the ExternalID field in the source system matches the Employee ID attribute in Active Directory, then no new account should be created; instead, the existing account should be updated.
After configuring the correlation options for the target system, you may generate a correlation report once the system is saved. This report will allow you to see which accounts have been correlated with source records, and vice versa. This is useful for identifying accounts in the target system that need to be updated so as to correlate with their source record.
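As an added example (not HelloID code, and not the format of its correlation report), the matching described above can be previewed offline to find the records that need attention before correlation is enabled. The sample data, the function name, and the status labels are constructed for illustration.

```powershell
# Constructed sample data. In practice $adAccounts could come from
# Get-ADUser -Filter * -Properties EmployeeID.
$sourcePersons = @(
    [pscustomobject]@{ ExternalID = '1001'; Name = 'A. Jansen' }
    [pscustomobject]@{ ExternalID = '1002'; Name = 'B. de Vries' }
    [pscustomobject]@{ ExternalID = '1003'; Name = 'C. Bakker' }
)
$adAccounts = @(
    [pscustomobject]@{ SamAccountName = 'ajansen';  EmployeeID = '1001' }
    [pscustomobject]@{ SamAccountName = 'bdevries'; EmployeeID = '1002' }
    [pscustomobject]@{ SamAccountName = 'bvries2';  EmployeeID = '1002' }
    [pscustomobject]@{ SamAccountName = 'svc-scan'; EmployeeID = $null }
)

function Get-CorrelationPreview {
    param([object[]]$Persons, [object[]]$Accounts)
    # Index accounts by trimmed Employee ID; accounts without one cannot correlate.
    $byId = @{}
    foreach ($a in $Accounts) {
        $id = "$($a.EmployeeID)".Trim()
        if ($id -eq '') { continue }
        if (-not $byId.ContainsKey($id)) { $byId[$id] = @() }
        $byId[$id] += $a.SamAccountName
    }
    $seen = @{}
    foreach ($p in $Persons) {
        $id = "$($p.ExternalID)".Trim()
        [string[]]$hits = @()
        if ($byId.ContainsKey($id)) { $hits = $byId[$id] }
        $status = switch ($hits.Count) {
            0       { 'NoMatch' }
            1       { 'Correlated' }
            default { 'Ambiguous' }   # same Employee ID on several accounts
        }
        $seen[$id] = $true
        [pscustomobject]@{ Key = $id; Name = $p.Name; Status = $status; Accounts = ($hits -join ',') }
    }
    # Accounts that no source record points at: review ownership or fix the Employee ID.
    foreach ($a in $Accounts) {
        $id = "$($a.EmployeeID)".Trim()
        if ($id -eq '' -or -not $seen.ContainsKey($id)) {
            [pscustomobject]@{ Key = $id; Name = ''; Status = 'UncorrelatedAccount'; Accounts = $a.SamAccountName }
        }
    }
}
Get-CorrelationPreview -Persons $sourcePersons -Accounts $adAccounts | Format-Table -AutoSize
```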