Microsoft Active Directory (AD) Connector

How to integrate with Microsoft Active Directory

+ More

Microsoft Active Directory Connector

Microsoft Active Directory (AD) Connector is part of Native Connectors and it is used for reading and writing data towards/from to customers Active Directory. It can be used for all Matrix42 Core, Pro and IGA solutions which are using Native Connectors.

You can read and write user-, contact-, printer-, computer-, shared folder-, group- and/or organizational unit type of objects to/from Active Directory

AD connector requires configuration according to customers use case, and in principle configuration has three (3) steps:

Configure connector - enables connector to establish connection to the directory
Configure scheduled task - is used when data is read from the directory
Configure event task - is used when data is written to the directory
1. Also workflow orchestration nodes are required to be configured

Fair Usage Policy

The connector may be used without restriction under normal operating conditions. However, if usage results in significantly increased load requiring additional cloud resources (e.g., memory or processing capacity), additional charges may apply.

Using this connector for creating, updating, or removing user accounts or group objects for external systems requires an active IGA license.

Load balancer in front of Active Directory

It is not required to have load balancer in front of Active Directory domain controllers.

When using a load balancer in front of Active Directory domain controllers, the configuration must guarantee that connector traffic is always directed to the same domain controller (session persistence / sticky sessions required).

This is required because the connector relies on a consistent connection context, and routing requests to different domain controllers may lead to inconsistent results and failed operations.

2024.2 and newer version instructions

General functionalities

Connectors - general functionalities

Connectors - general functionalities

In this article are described general functionalities for managing native connectors in solution. All Native Connectors are managed from the same connector management UI.

Notice that there are separate descriptions for each connector, where connector specific functionalities and configuration instructions are described in detailed level.

To be able to access connector management, user needs to have admin level permissions to customers Platform configuration. When accesses are granted correctly, connector tab will be visible and user can manage connectors.

Left menu

Connector management is divided into four tabs:

Overview - for creating and updating Native Connectors. The Admin User can see their status, type and how many scheduled or event tasks are associated with them.
Authentication - for creating and updating authentication tasks. Provisioning task for authentication is needed for Secure Access to be able to define which Customers end-users can access to Matrix42 Core, Pro and IGA login page.
Logs - for downloading Native Connector and Secure Access logs from UI.
Settings - general settings for Native Connectors and Secure Access, including environment type for logging and monitoring.

Connectors overview tab

From overview page, user can easily and quickly see status for all connectors.

Top bar:

Status for Native Connectors (EPE)
- Green text indicates that Native Connectors is online. All the needed services are up and running.
- Red text indicates that there is a problem with Native Connectors, all the services are not running.
Status for Secure Access (ESA)
- Green text indicates that Secure Access is online. All the needed services are up and running.
- Red text indicates that there is a problem with Secure Access, all the services are not running.
Native Connectors version number is displayed in top right corner

Top bar for list view:

New connector - opens new window for adding and configuring new connector
Remove connector(s) - workflow references are calculated and pop-up window appears to confirm removal (notice that calculating references can take several seconds)
Export - Admin can export one or more connectors (and tasks) from the environment. Usually used for exporting connectors and connectors (and tasks) from test to prod. Native connectors secret information is password protected.
Import - Admin can import one or more connectors (and tasks) to the environment. Usually used for importing connectors (and tasks) from test to prod.
- Admin cannot import from old EPE UI (Older than 2024.1) to the new one. Source and target environments must have same version.
- Import will fail if the configuration (templates, attributes) is not the same - for example when some attribute is missing
- If you are importing something with the same connector details, it will be merged under existing connector
Refresh - Admin can refresh connectors view by clicking the button.

List view for overview,

Select connector(s) - Select one connector by clicking check box in front of the connector row or clicking check box in the header row will select all connectors
Id - Automatically generated unique ID of the connector. Cannot be edited or changed.
Status - indicates scheduled task status
- Green check mark - Task is executed without any errors
- Red cross -Task is executed, but there have been error
- Grey clock - Task is not executed yet, waiting for scheduling
- Orange - one of the tasks has a problem
- No value - Scheduled based-task is missing
Name - Connector name added to connector settings. Unique name of the connector holding configuration for one data source
Type - indicates target / source system
Scheduled - informs how many scheduled tasks are configured
Event - informs how many event tasks are configured
Manage
- Pen icon - opens connector settings (double-clicking the connector row, also opens settings)
- Paper icon - copies the connector
- Stop - workflow references are calculated and pop-up window appears to confirm removal
Search - User can search connector by entering the search term in the corresponding field . Id, Status, Name, Type, Scheduled and Event fields can be searched.

Scheduled task information (click arrow front of the connector)

When clicking arrow at the beginning of the connector row, all related scheduled and event tasks are shown

Top bar for scheduled tasks

New task - opens configuration page for new task
Remove task(s) - removes the selected task(s) from the system and they cannot be recovered anymore.
Refresh - refresh scheduled-based tasks view
Search - user can search task by entering the search term in the corresponding field for Id, name, enabled, extract/load status.

List view for scheduled tasks

Select task(s) - Select task to be deleted from the list view by ticking.
Id - Unique ID of the task. Generated automatically and cannot be changed.
Name - Task name added to task settings, unique name of the task.
Enabled - Displays is the task scheduled or not
- Green check mark - Task is scheduled
- Red cross - Task is not scheduled
Extract status - Displays status of data extraction from the target directory/system
- Green check mark - data is extracted successfully
- Red cross - data is extracted with error(s) or extraction is failed
- Clock - Task is waiting execution
Load status - Displays status of data export from json-file to customers solution
- Green check mark - data is imported successfully to customers solution
- Red cross - data is imported with error(s) or import is failed
Manage
- Pen icon - opens task settings in own window (double-clicking the task row also opens task settings)
- Paper icon - copies the task
- Clock icon - opens task history view
- Stop - remove task, pop-up window opens to confirm the removal

Scheduled task history view

By clicking the clock icon in the scheduled task row, history for scheduling will be shown.

Top bar for view history

Refresh - refreshes scheduled task status. This doesn't affect task, this only updates UI to show latest information of task run.

List view for scheduled task history

Color of the row is indicating status
- Green - task executed successfully
- Red - error happened during execution
Execution ID - unique ID for the scheduled task row
Extract planned time - when next extract from the directory/application is scheduled to happen
Extract complete time - when extract was completed
Extract status - status for fetching data from the directory/application
Load start time - when next load to customers solution is scheduled to happen
Load complete time - when load was completed
Load status - status for loading information to customers solution

List view for scheduled task status

Actual start time - timestamp for actual start
Users file - JSON file containing user information read from the directory/application
Group file - JSON file containing group information read from the directory/application
Generic file - JSON file containing generic information read from the directory/application
Extract info - detailed information about reading information from the directory/application
Load info - detailed information about loading the information to customers Matrix42 Core, Pro and IGA solution

Edit window for scheduled task

Configuration for scheduled task can be opened by clicking pen icon or double-clicking the task row.

Left menu and attributes varies according to selected options and therefore more detailed instructions for editing tasks can be found from the connector description, but there are common functionalities for all scheduled tasks which are described below.

Saving the task

In case mandatory information is missing from the task, hoovering mouse on top of the save button will show which attributes are still empty.

Top bar for edit scheduled task

Run task manually - admin can run task manually out side of the defined scheduling
Stop task - admin can stop scheduled-based task which is currently running. Task will be stopped and status is changed to be stopped. It waits in this state until the next timing occurs.
Clear data cache - Data cache for the next provisioning of Users and Groups will be cleared. It means that next run is run as first time run.
- By default, we clear the cache everyday at 00:00 UTC
- If you want to clear the cache at different time, then it has to specify some different value in host file 'custom.properties'.
- EPE Cache is also cleared when EPE is restarted, whole environment is restarted, EPE mappings have been changed

Event task information

When clicking arrow at the beginning of the connector row, all related scheduled and event tasks are shown

Top bar for event tasks

New task - opens configuration page for new event task
Remove task(s) - removes selected task(s), pop-up window appears to confirm the removal
Refresh - refreshes event tasks view
Show workflow references - calculates task related workflow relations and statuses. This is very useful if you don't know from which workflows event-based tasks are used.

List view for event tasks

Select task(s) - Select task to be deleted from the list view by ticking.
Id - Unique ID of the task. Generated automatically and cannot be changed.
Name - Task name added to task settings, unique name of the task.
Workflow relations
- Question mark shows pop-up window with detailed information about the reference
Workflow status
- Not used - No relations to workflow
- In use - Workflow(s) attached to task, task cannot be removed
Manage
- Pen icon - opens task settings in own window
- Paper icon - copies the task
- Stop icon - removes the task, pop-up window appears to confirm the removal

Edit window for event task

Configuration for event task can be opened by clicking pen icon or double-clicking the task row.

Edit event task window

Task usage, editable? - this appears when editing existing task and changing the task usage type will break workflows
Mappings type, editable? - this appears when editing existing task and changing the mappings type will break workflows

Saving the task

In case mandatory information is missing from the task, hovering mouse on top of the save button will show which attributes are still empty.

Authentication tab

Authentication for Matrix42 Core, Pro and IGA solutions are configured from authentication tab, notice that only some of the connectors (directory connectors) are supporting authentication, so its not possible to create authentication tasks to all available connectors.

Top bar for authentication

New connector - opens new window for configuring new connector (notice that not all connectors are supporting authentication)
Remove connector(s) - removes selected task(s), pop-up window appears to confirm the removal
Export - user can export one or more tasks from the environment. Usually used for exporting tasks from test to prod. EPE connectors are password protected.
- Note that Realm for authentication tasks is not exported, you need to set that manually after importing
Import - user can import one or more tasks to the environment. Usually used for importing task from test to prod.
Refresh - refreshes authentication tasks view

List view for authentication overview

Select connector(s) - Select one connector by clicking check box in front of the connector row or clicking check box in the header row will select all connectors
Id - Automatically generated Unique ID of the connector. Cannot be edited or changed.
Name - Connector name added to connector settings. Unique name of the connector holding configuration for one data source
Type - indicates target / source system
Count - informs how many authentication tasks are configured
Manage
- Pen icon - opens authentication task setting in own window
- Paper icon - copies the task
- Stop icon - removes selected task

Authentication task information

When clicking arrow at the beginning of the connector row, all related scheduled and event tasks are shown

Top bar for authentication overview

Create new task - opens configuration page for new authentication task
Remove task(s) - removes selected task(s), pop-up window appears to confirm the removal
Refresh - refreshes authentication tasks view

List view for authentication overview,

Select task(s) - Select task to be deleted from the list view by ticking.
Id - Unique ID of the task. Generated automatically and cannot be changed.
Name - Task name added to task settings, unique name of the task.
Manage
- Pen icon- opens task settings in own window (double-clicking the task row, also opens settings window)
- Paper icon - copies the task
- Stop icon - removes the task, pop-up window appears to confirm the removal

Logs tab

Logs tab is for downloading Native Connector and Secure Access logs from UI for detailed troubleshooting.

epe-master logs - contains warning, debug and error level messages about Native Connectors and info how long task actions has been taken.
epe-worker-ad logs - contains extract data status of Active Directory connector (what Native Connector is loading to to customers Matrix42 Core, Pro and IGA solution). If selection is empty, it means that directory is not in use in this environment.
epe-worker-azure logs - contains extract data status of Entra ID (what Native Connector is loading to to customers Matrix42 Core, Pro and IGA solution). If selection is empty, it means that directory is not in use in this environment.
epe-worker-ldap logs - contains extract data status of LDAP (what Native Connector is loading to to customers Matrix42 Core, Pro and IGA solution). If selection is empty, it means that directory is not in use in this environment.
epe-launcher logs - contains information about EPE launches
datapump-itsm logs - Contains information about data export to customers Matrix42 Core, Pro and IGA solution.
esa logs - Contains information about Secure Access authentication.

Settings tab

Settings tabs is used for monitoring environments with connectors.

Environment type - is mandatory to be in selected and information is used for example defining alert critically.
- Test - select this when your environment is used as testing environment
- Prod - select this when your environment is used as production environment
- Demo - select this when your environment is used as demo or training environment
- Dev - select this when your environment is used as development environment

What we are monitoring?

Failures in scheduled based provisioning (extracting data, exporting data to ESM, outdated certificates, incorrect passwords, incorrect search base/filter, incorrect mappings, etc.)
Failures in event based provisioning (fail to write to AD/Azure, etc.)
Event-based provisioning - which connectors are used for writing data towards applications/directories.
ESA more than ten failed login attempts to one user in past 3 days
Environment type - is mandatory to be in selected and information is used for example defining alert critically.

Data migrations

Do not click “Migrate attribute mappings” or “Migrate workflows”, if not requested to do so by Matrix42.

General guidance for scheduled tasks

How to Create New Scheduled Task to import data

For configuring scheduled-based provisioning task, you will need access to Administration / Connectors tab.

1. Open the Administration area (a cogwheel symbol).

2. Open Connectors view.

3. Choose Connector for Scheduled-based task and select New Task
Note! If connector is not created, you have to choose first New connector and after that New task.

4. Continue with connector specific instructions: Native Connectors

Should I use Incremental, Full or Both?

Scheduled task can be either Incremental or Full -type.

Do not import permissions with AD and LDAP incremental task

Incremental task has issue with permissions importing. At the moment it is recommended not to import group memberships with incremental scheduled task.

On Microsoft Active Directory and OpenLDAP connectors, remove this mapping on incremental task:

Setting on Scheduled tasks:

Incremental type is supported only for Microsoft Active Directory, LDAP and Microsoft Graph API (formerly known as Entra ID) Connectors.

Incremental type means, that Native Connectors (EPE) fetches data from source system, using changed timestamp information, so it fetches only data which is changed or added after previous incremental task run.

When Incremental type task is run for very first time, it does a full fetch (and it marks the current timestamp to EPE database), thereafter, task uses that timestamp to ask the data source for data that changed since that timestamp (and then EPE updates the timestamp to EPE database for next task run). Clearing task cache doesn't affect this timestamp, so Incremental task is always incremental after first run.

Full type is supported for all Connectors.

Full type import fetches always all data (it's configured to fetch) from source system, on every run.

Both Full and Incremental type tasks use also Task cache in EPE, which makes certain imports faster and lighter for M42 system.

By default that task cache is cleared ad midnight UTC time. When cache is cleared, next import after that is run without caching used to reason if data fetched should be pushed to ESM, all fetched data is pushed to ESM. But after that, next task runs until next time cache is cleared, are using EPE cache to determine if fetched data needs to be pushed to ESM or not.

You can configure at what time of day task cache is emptied, by changing global setting in EPE datapump configuration:

/opt/epe/datapump-itsm/config/custom.properties

which is by default set to: clearCacheHours24HourFormat=0

You can also clear cache many times a day, but that needs to be thinked carefully, as it has impact on overall performance as EPE will push changes to ESM, that probably are already there, example(do not add spaces to attribute value): clearCacheHours24HourFormat=6,12

After changing this value, reboot EPE datapump container to take change into use.

Recommendations:

Have always by default Full type scheduled task.

If you want to fetch changes to data fetched already by full task, more frequently than you can run full task, add also incremental task. Usually incremental task is not needed.

Recommended Scheduling Sequence

Recommended scheduling sequence, depends how much data is read from Customers system/directory to the Matrix42 Core, Pro or IGA solution and is import Incremental or Full.

Examples for scheduling,

Total amount of users	Total amount of groups	Full load sequence	Incremental load sequence
< 500	< 1000	Every 30 minutes if partial load is not used Four (4) times a day if partial load is used	Every 10 minutes
< 2000	< 2000	Every 60 minutes, if partial load is not used Four (4) times a day if partial load is used	Every 15 minutes
< 5000	< 3000	Every four (4) hours, if partial load is not used Twice a day if partial load is used	Every 15 minutes
< 10 000	< 5000	Maximum imports twice a day, no matter if partial load is or is not used	Every 30 minutes
< 50 000	< 7000	Maximum import once a day, no matter if partial load is or is not used	Every 60 minutes
Over 50 000	Over 7000	There might be a need for another EPE-worker, please contact Product Owner	Separately evaluated

Please note that if there are several tasks running at the same time you may need more EPE-workers. The tasks should be scheduled at different times and can be completed according to the table above. However, if there are more than 6 tasks running at the same time, the number of epeworkers should be increased. It's best practice not to schedule tasks to run at same time, if possible.

Recommendations related to performance
If the amount fo data to be imported is over 10000 concider these things:
Adjust log level of ESM and DATAPUMP to ERROR-level, to lowe the amount of logging during task run
Have as few as possible automations starting immediately for imported datacards (listeners, handlers, workflows), as those make ESM to take longer time handling new datacards.

Set removed accounts and entitlements status removed/disabled

With this functionality, you can mark account and entitlement status to e.g. Deleted or Disabled, when account or entitlement is removed from source system. Starting from version 2025.3 you can also set status to generic objects (not only to accounts/identities and entitlements/groups).

For version 2025.3 and newer

In version 2025.3 these settings are moved from properties files to Task UI. Also you can now set these settings for Generic objects, which have not been possible before this version.

There is separate configuration for each scheduled task, and for all mapping types. Here is example of this config on task:

For version 2025.2 and older

This functionality is available for “full” type scheduled tasks.

Settings are on datapump dockers configuration file. To change those parameter values, you need to set those in /opt/epe/datapump-itsm/config/custom.properties file.

Configuration

To enable disabling functionality, datapump config should have these parameters set to true:

disable.unknown.esm.users=true
disable.unknown.esm.groups=true

Those 2 parameters are false by default in 2024.2 and 2025.1 versions. In 2025.2 and newer version those are true by default.

Next are these parameters:

personTemplateStatusCodeAttributeKey=accountStatus
personTemplateStatusAttributeDisabledValueKey=Deleted
groupTemplateStatusCodeAttributeKey=status
groupTemplateStatusAttributeDisabledValueKey=5 - Removed

First two attributes should point to the DatacardHiddenState attribute in the User template, and tell which value should be send there when the user is deleted.

By default its accountStatus and Value 5 - Removed on IGA Account template.

All these needs to match with the attribute configuration:

Same thing applies for the next two paramaters, but its for Groups.'

If you need to change those parameters in properties file, do changes in Datapump container to file: /opt/epe/datapump-itsm/config/custom.properties and those changes will then survive over container reboot and will be copied on reboot to /opt/epe/datapump-itsm/config/application.properties.

Description

Tasks save their __taskid__ shown as Task Id mapping in the UI to the datacards, its then used to determine if the datacard was added by this task. In case there are multiple tasks with different sets of users.

This field was previously used as datasourceid, but since we moved to the model where connector can have multiple tasks its identifier cannot be used anymore, thats why the field was repurposed as taskid instead.

Taking users as an example, when task runs ESM is asked for the list of users that have its taskid in Task Id mapping field, and doesn't have a personTemplateStatusAttributeDisabledValueKey value in the personTemplateStatusCodeAttributeKey

This result is then compared to what the task fetched, and the datacards of users that were not fetched have their personTemplateStatusattribute set to value specified in the config - 5 - Removedby default.

Example log below shows described process and informs that one user was removed.

Same thing applies to groups but groupTemplateStatusattributes are used instead.

Notes

Feature works only with full fetch scheduled tasks..
No support for generic templates yet, only identity and access
When migrating from the previous versions where datasourceid was still used it needs to run at least once to set its taskid’s in the datacards first.
EPE identifies Disabled users or groups as the ones that were removed from the AD, at the present we do not support statuses related to the entity beign active or not.
EPE does not enable users back on its own.
If more than one tasks fetches the same users or groups it may overwrite the taskid in the datacard depending on which task ran last. It is suggested that many full type tasks are not fetching same user or group.
Always do configuration file changes to custom.properties, do not change only application.properties as those changes are lost on container reboot if you have not done same changes to custom.properties.

Customer instructions

Customer instructions can be found from here.

Configure AD connector

In this chapter is described configuration instructions for AD connector to be able connect to customers Active Directory (AD).

For accessing connector management, user needs to have permissions to Efecte Platform configuration.

1. Open the Efecte administration area (a gear symbol).
2. Open connectors view.
3. Choose new connector

4. Select Data Source type to be Microsoft Active Directory

5. Fulfill information related to customers AD

Connector name - give your connector a friendly name (name can be changed afterwards)
AD host - host address which will be used connecting to customers AD
AD port - port number which will be used connecting to customer AD
AD username - service account name which is used for reading and writing data to/from customers AD
AD password - password for the service account

6. Fulfill WebAPI user information

WebAPI user - select correct WebAPI user which is used when writing data from customers AD to customers Efecte solution
WebAPI password - password for the WebAPI user

7. Save connector information

Press test connection to validate that port and host information is set correctly
Press test authentication to validate that AD user and password (service account) information is set correctly

8. Customers Efecte solution is now able to connect to customers AD

Next step is to configure scheduled task for data read or event task for data writing.

Configure scheduled task for reading data

AD connector is used for to read user and group information from Customers AD and it is configured from Efecte platform by creating scheduled-based task.

How to create new task for Scheduled Provisioning

For configuring scheduled-based task, you will need access to Efecte Platform configuration console.

Note! If connector is not created, you have to create first “new connector” and after that you are able to create new tasks.

1. Open the Efecte administration area (a gear symbol).
2. Open connectors view.
3. Choose connector for which scheduled-based task is configured
4. Select new task under the correct connector

4. Define scheduling for the task (if and how scheduled task should be run periodically). Choose scheduling sequence, which depends how much data is read to customers Efecte solution.

Recommended scheduling sequence, depends how much data is read from customers directory to the Efecte solution and is import partial or full load.

Example scheduling for reading groups and user accounts.

Total amount of users	Total amount of groups	Full load sequence	Partial load sequence
< 500	< 1000	Every 30 minutes if partial load is not used Four (4) times a day if partial load is used	Every 10 minutes
< 2000	< 2000	Every 60 minutes, if partial load is not used Four (4) times a day if partial load is used	Every 15 minutes
< 5000	< 3000	Every four (4) hours, if partial load is not used Twice a day if partial load is used	Every 15 minutes
< 10 000	< 5000	Maximum imports twice a day, no matter if partial load is or is not used	Every 30 minutes
< 50 000	< 7000	Maximum import once a day, no matter if partial load is or is not used	Every 60 minutes
Over 50 000	Over 7000	There might be a need for another EPE-worker, please contact Product Owner	Separately evaluated

5. Fill in Task Details

Fill in unique task name for the scheduled-based task, notice that name cannot be changed afterwards.
Task usage indicated that is the task used for reading data, writing data or to authentication. Note that If event type is changed afterwards it can break the workflows.
Mappings type depends what type of information is read from the directory
- Identity and access rights - are used when user account and group information is read from the directory
- Single (identity only) - are used when only user account information is read from the directory
- Single (access right only) - are used when only group information is read from the directory
- Generic (one template) - are used when a generic information is read from the directory, usually other than Users/Groups

Fill in filtering details,

Fetch data
- Full - all information is read according to defined filtering
- Incremental - only changed information is delivered to Efecte solution
Fetch data from the LDAP tree root - Optional setting. Makes it possible to fetch the Users and Groups from the LDAP Tree Root in trade of provisioning speed
If you have set this on, and it's not working, find this text from worker log:
Caused by: javax.naming.CommunicationException:
After it you should see name of server, for example:
Caused by: javax.naming.CommunicationException: dev.master.efecte.com
It means AD Native Connector worker is unable to fetch data through AD Context Referrals. It can't resolved that host in DNS.
To fix this situation, you need to ask M42 to add that server name and it's ip-address to dns/hosts file.

Filtering based on OU

Filter name: LDAP userBase / LDAP userFilter

This filter is commonly set with the OU-path, where users are read from and it also includes all sub-OUs in the import, but it also enables several other filtering possibilities,

Examples of other commonly used user filter examples:

The following example finds User-objects: (&(objectCategory=person)(objectClass=user))
The following example finds user-, computer- and contact-objects: (objectClass=person)
The following example finds user- and contact-objects: (objectCategory=person)
The following example finds all enabled user-objects: (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
The following example finds user- and contact-object that have an email and SAMAccountName (&(objectCategory=person)(sAMAccountName=*)(mail=*))

Filtering OU, where users are read from

Filter name: AD ignoreOusForUsers

With this filter, it is possible to exclude some of the sub-OUs from the import (like for example OU=Sales,DC=adtest,DC=local). Users will be ignored, if they exist directly in one of defined <OU> and/or if they exist in a sub-tree of one of the defined OUs.

Filtering based on single users

Filter name: Excluded Users

With this filter it is possible to exclude specific users from the import. For ldap use Distinguished Names of the Groups to exclude (separated by newlines).

Filtering groups

Filter name: AD groupBase / AD groupFilter

This filter is commonly set to the OU-path, where groups are read from. All sub-OUs will be included in the import (example: OU=Finance,DC=adtest,DC=local). Users will be ignored, if they exist directly in one of defined <OU> and also they exist in subtree of one of the already defined <OU>.

Examples of other commonly used group filters:

The following example finds group-objects:
(objectCategory=group)
The following example finds group-objects that has value in cn:
(&(objectCategory=group)(cn=*))
The following example finds group-objects that have value in their description:
(&(objectCategory=group)(description=*))
The following example finds all security group-objects:
(groupType:1.2.840.113556.1.4.803:=2147483648)

Filtering OU's, where groups are not read from

Filter name: AD ingnoredOusForGroup

Filtering single groups

Filter name: Excluded Groups

With this filter it is possible to exclude specific groups from the import. For ldap use Distinguished Names of the Groups to exclude (separated by newlines).

Filtering users based on group-memberships

Filter name: Exclude Users with specific groups

With this filter it is possible to exclude specific users from the import based on group memberships. For ldap use Distinguished Names of the Groups to exclude (separated by newlines). For Azure-based tasks, put Object IDs of the Groups to exclude (separated by newlines)

Fill in failure information

Optional settings for failure handling, if scheduled task fails it can create data card that displays the error. If failure settings are defined, the administrator does not need to manually check the status of scheduled tasks.

Failure template - Select a Template of datacard which will be created in case of any errors during provisioning (connection to data sources, timeouts,etc.)
Failure folder - Select folder where failure data card is stored.
Failure attribute - Select an attribute where in the Failure Template should the error information be stored in. Select text type attribute.

Example of IGA admin task, which also can contain instructions how to solve the issues,

6. Fill in Identity Mappings

Users are imported to IGA Account template and it is mandatory to set Target folder, datasourceid and unique values which are used for identifying users between customers AD and Efecte solution. For example.

Target template - Select a template to define attribute mappings
Select a template to define attribute mappings
Target folder - Select a folder from a list of folders. The list is narrowed down to match compatibility with selected Template.

Data Source Type mapping - optional. If it is set, it writes connectors type to that attribute.
Task Id mapping - Task id number is written to this attribute.
Set value to datacard fo object deleted from source system - This functionality is activated by setting checkbox on. When someobject that was previously read from 3rd party system to solution is deleted from 3rd party system (meaning this task query doesn't return it anymore). This scheduled task notices thatis was deleted and marks that datacard selected attribute with value you want. This can be for example used to set Status attribute to Deleted (as shown in below example screenshot). This functionality functions only for task type Full not for Incremental.

Attribute mappings
1. External attribute - which attribute from the directory/system is mapped
2. Local attribute - to which attribute in template attribute is mapped to

7. It is possible to set additional attributes, which are read from user accounts in AD, by choosing New attribute

Delete

Notice

IGA Account template is designed for Efecte Provisioning Engine and by using it Customers environment is configuration correctly and Customer will get all benefits from the component.

Important information (name and identifying attributes) from the users AD account is shown in Person template, but mainly information is available in IGA Account template.

Reading user information straight to Person template is not recommended and there might be need for extra configuration in the future time, when Customers environment is updated to newer version or Customer wants to expand their platform with new Efecte solutions.

It is recommended to read users straight to Person template if Customer is using only Efecte Identity Management (EIM) for authentication.

8. Fill in Access Rights Mappings

Groups are read to IGA Entitlement template and it is mandatory to set target folder, datasourceid and unique values which are used for identifying users between customers AD and Efecte solution.

Target template - Select a template to define attribute mappings
Select a template to define attribute mappings
Target folder - Select a folder from a list of folders. The list is narrowed down to match compatibility with selected Template.

Data Source Type mapping - optional. If it is set, it writes connectors type to that attribute.
Task Id mapping - Task id number is written to this attribute.
Set value to datacard fo object deleted from source system - This functionality is activated by setting checkbox on. When someobject that was previously read from 3rd party system to solution is deleted from 3rd party system (meaning this task query doesn't return it anymore). This scheduled task notices thatis was deleted and marks that datacard selected attribute with value you want. This can be for example used to set Status attribute to Deleted (as shown in below example screenshot). This functionality functions only for task type Full not for Incremental.

Attribute mappings
1. External attribute - which attribute from the directory/system is mapped
2. Local attribute - to which attribute in template attribute is mapped to
It is possible to set additional attributes, which are read from user accounts in directory, by choosing New attribute

If you want to fetch permissions (user-group and/or group-group) information with Incremental-type task, you should have following mappings on Access Rights Mappings -table.

External attribute	What data it contains	Recommended Local attribute
member Note! You need to always have this member mapping if you want to have users or groups mappings!	Users and groups which are member of this group	Attribute should be multivalue string
users	Users which are member of this group	Attribute should be multivalue string or multivalue reference
groups	Groups which are member of this group	Attribute should be multivalue string or multivalue reference

Note: If you are using Full-type task, and you just want to import memberof information for users, it is recommended to do that on Identity mappings, using memberOf External attribute mapping.

9. Mappings for generic template

Generic data are read to any template user want's and it is mandatory to set target folder, datasourceid and unique values which are used for identifying data between customers AD and Efecte solution.

Target template - Select a template to define attribute mappings
Select a template to define attribute mappings
Target folder - Select a folder from a list of folders. The list is narrowed down to match compatibility with selected Template.

Data Source Type mapping - optional. If it is set, it writes connectors type to that attribute.
Task Id mapping - Task id number is written to this attribute.
Set value to datacard fo object deleted from source system - This functionality is activated by setting checkbox on. When someobject that was previously read from 3rd party system to solution is deleted from 3rd party system (meaning this task query doesn't return it anymore). This scheduled task notices thatis was deleted and marks that datacard selected attribute with value you want. This can be for example used to set Status attribute to Deleted (as shown in below example screenshot). This functionality functions only for task type Full not for Incremental.

Attribute mappings
1. External attribute - which attribute from the directory/system is mapped
2. Local attribute - to which attribute in template attribute is mapped to
It is possible to set additional attributes, which are read from user accounts in AD, by choosing New attribute button.

Delete

Notice

IGA Entitlement template is designed for Efecte Provisioning Engine and by using it customers environment is configured correctly and customer will get all benefits from the component.

AD-group template is not needed for Efecte Provisioning Engine, but before removing it make sure that mandatory auditing details are stored.

Reading group information straight to AD-Group template is not recommended and there might be need for extra configuration in the future time, when Customers environment is updated to newer version or Customer wants to expand their platform with new Efecte solutions.

It is recommended to read groups straight to AD-group template if Customer is using only Efecte Identity Management (EIM) for authentication.

11. Save provisioning task from the Save button. If some required attributes are missing the save button is displayed as grey and it will display what is missing from the settings.

12. You have now configured scheduled-based connector task for AD data read.

You can now wait until task is started based on scheduling or
Run task manually - by clicking the “Run Task” button task starts immediately. Usually for test runs or if you don't want to change the schedule settings, but want to run the task now.

When clicking “Run Task”, user is informed about the run

If task is executed manually (run task) or it is run according to scheduling, task status can be reviewed from "View history":

Configure event task for writing data

Event task is used when writing data towards customers Active Directory. These Provisioning Engine capabilities related to accounts, groups and permissions are available only for IGA solution and IGA license is required if these are used.

All configuration related to Provisioning Engine and event-based provisioning task are configured in Matrix42 Core, Pro and IGA platform.

Open the Efecte Platform configuration view (a gear symbol).
Open connectors view
Choose connector, which will use the event task
Select “new task” under correct connector

4. Fill in Task Details

Task name - Give name name for the task, it will be displayed in connectors view.
- It is good practice to name a task in a way that describes its purpose for example [Template name]:[Activity] IGA Service request:Verify user
Task usage indicated that is the task used for reading data or writing data. Can be changed afterwards, but it's not recommended if event task is in use. It will break workflows.
Mappings type depends what type of information is read from the directory, identity mappings selections are displayed based on this setting.
- Identity and access rights - are used when user account and group information is read from (or write to) the directory
- Single (identity only) - is used when only user account information is read from (or write to) the directory
- Single (access right only) - is used when only group information is read from (or write to) the directory
- Generic (one template) - is used when generic information is read from (or write to) the directory. Usually some other data than user or group information.

Warning about changing task usage or mappings type when event task in use. Usually you should not change those after you have done first save:

5. Fill in Security Information

This information is needed if user creation process in workflow is attached to the task.

Password for first login - Default password that is the same for all users, random password is generated in workflow, and it's usually unique.
- Default password / type in the box below
  - Default password - Type default password that is same for all users and matches to directory requirements for the password. Note that number of characters doesn't represent actual length of the password
  - Not recommended in production environments to have same password for all new accounts
- Random password / generate in the workflow
  - Generated password

Filtering

When data is written to customer directory, filtering is needed for the connector to know to which OU's information is written.

Filtering OU's where users are written

Filter name: AD userBase / AD userFilter mode selection

Read OU path from the data card - connector reads from
Type search base / search filter in the box below
- AD userBase / AD userFilter - examples here
- AD ignored OusForUser - examples here

Filter name: AD groupBase / AD groupFilter mode selection

Read OU path from the data card - connector reads from
Type search base / search filter in the box below
- AD groupBase / AD userFilter - examples here
- AD ignored OusForGroup - examples here

Filtering generic template mappings type information

Filter name: AD searchBase / AD searchFilter - example here

6. Define identity mappings

Target template - Select a template to define attribute mappings
Select a template to define attribute mappings
Target folder - Select a folder from a list of folders. The list is narrowed down to match compatibility with selected Template.
Attribute mappings
1. External attribute - which attribute from the directory/system is mapped
2. Local attribute - to which attribute in template attribute is mapped to
Add new attribute - It is possible to set additional attributes, which are read from user accounts in AD, by choosing New attribute button.

7. Define Access Rights mappings

Target template - Select a template to define access rights mappings
Select a template to define attribute mappings
Target folder - Select a folder from a list of folders. The list is narrowed down to match compatibility with selected Template.
Attribute mappings
1. External attribute - which attribute from the directory/system is mapped
2. Local attribute - to which attribute in template attribute is mapped to
Add new attribute - It is possible to set additional attributes, which are read from groups in AD, by choosing New attribute button.

8. Define generic mappings

Target template - Select a template to define attribute mappings
Select a template to define attribute mappings
Target folder - Select a folder from a list of folders. The list is narrowed down to match compatibility with selected Template.
Attribute mappings
1. External attribute - which attribute from the directory/system is mapped
2. Local attribute - to which attribute in template attribute is mapped to
Add new attribute - It is possible to set additional attributes, which are read from AD, by choosing New attribute button.

8. Save provisioning task from “save” button

If any mandatory information is missing, you are not able to save the task and save button will show missing information.

9. The next step is to configure the workflow Orchestration node to use this event-based task. From workflow engine, it is possible to execute provisioning activities towards customer directory services. This means that any of the available orchestration nodes activity can be run at any point of the workflow.

Workflow references are shown in the connector overview page:

Configure authentication task

Authentication task is needed when customers AD is used for authenticating users to customers Efecte solutions.

There are two options to create a new authentication task. Option one is to copy existing provisioning task into authentication task, if authentication method is using same settings. Option two is to create new authentication task.

Option 1: Create new Authentication task from provisioning task

1. Open the Administration area (gear symbol)
2. Choose Connectors tab, copy desired task from Clone button

3. Give name for the new authentication task and change task usage to be authentication

4. Fill in the required fields and save the task

Option 2: Create new Authentication task

1. Open the Administration area (gear symbol)
2. Choose Connectors module
3. Choose Authentication tab
4. Choose connector and Create New Task

5. Give name to your authentication task

6. Select task usage to be authentication

7. Define filters for users

Most commonly for AD authentication OU-paths are used for defining who can access to Efecte solutions

8. Define filters for groups

From where needed groups can be read to Efecte solution from the customers AD

7. Select Authentication realm.

Realm for which authentication configuration will be created in ESA

8. Save task and run ESA Sync

Syncing information will automatically fulfill configuration in Efecte Secure Access

9. Next step is to move to Efecte Secure Access configuration instructions according to required authentication method.

Workflow activities (orchestration nodes)

The Efecte Provisioning Engine (EPE) provides the possibilities to orchestrate the following activities to Microsoft Active Directory.

Activate / Deactive User

In the illustration above admins has chosen the correct Active Directory “Target” and are able to view the Identity Mappings which are configured for selected AD tasks. In this orchestration view admins are not allowed to change any mappings, those are presented only as a visual aid. If any changes to the mappings are needed, those needs must be execute in the Provisioning task configuration view.

Inside this same node, administrators are able to choose the action what they are prefer to use “Activate” or “Deactivate”. Active Directory: ‘Activating/Deactivating’ functionality here refers to setting 'useraccountcontrol’ Active Directory attribute to ‘512/514’ value (Enable/Disable)

Provisioning exception is an optional property on this workflow node. Admins can configure this property in use where exceptions can be written if any exceptions exists during the provisioning actions.

Add User to Group

In the illustration above, the Person attribute configuration should point to the template where the orchestration node finds the user’s data (usually IGA account). The Role attribute needs to be configured to define where the orchestration node finds the available roles (directory groups where the user should be removed). There might be single or multiple attribute groups configured in a “Role attribute”. The list of available registered directory Tasks is fetched from the EPE-master.

It is required to select the directory Task, because the Efecte Provisioning Engine orchestration node will use identity and access rights fields mapping to know, under which attribute code, the user’s and directory group distinguished names are stored.

Person attribute expects an attribute containing users AD accounts Distinguished Name(DN).

Exception handling:

The result of a node will be in the “Completed” state only in the case when all user’s group memberships will be updated successfully. In the case when, for example, the user will be successfully removed from 5 out of 6 groups then the result of a node will be in the “Exception” state.
Hence the mapping for distinguishedName JSON field, for both Identity and Access Right is required. If mapping won’t be found then the orchestration node will result in an “Exception” state.
The attempt to remove a user from a group which they do not belong will end as a failure.
The attempt to add a user to a group to which he already belongs will end as a failure.
Details about successfully/unsuccessful updated user’s group membership can be found in logs.
Provisioning and group membership exceptions are optional properties on this workflow node. Admins can configure this properties in use where exceptions can be written if any exceptions exists during the provisioning actions.

Create custom object

In the illustration above, the Identity Attribute Mappings are populated from Provisioning tasks. Admin has chosen the correct Directory AD as “Target” and is able to view the Identity Mappings which are configured for selected directory tasks. In this orchestration view admins are not allowed to change any mappings, those are presented as a visual aid. If any changes to the mappings are needed, those needs must be execute in the Provisioning task configuration view.

The creating new custom object orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory. It is important to be sure, that Identity Mapping, being used in Create custom object orchestration node.

Create user

In the illustration above, the Identity Attribute Mappings are populated from Provisioning tasks. Admins choose the correct Directory “Target” and are able to view the Identity Mappings which are configured for selected directory tasks. In this orchestration view admins are not allowed to change any mappings, those are presented as a visual aid. If any changes to the mappings are needed, those needs must be execute in the Provisioning task configuration view.

The creating new user orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory. It is important to be sure, that Identity Mapping, being used in Create User orchestration node, contains at least two additional Active Directory mappings: for “cn” and “sAMAccountName” attributes. If those two mappings are missing on a given configuration, it will not be presented on a dropdown.

Creating new user activity notes:

There are two ways to create the password for a new user for their first login.
- Define “Default” password in the Provisioning Task -configuration view
  - That password will only be used by users, when they login into the system for the first time
- Generating random password in the workflow and select into which attribute on Identity Mapping data-card it was written to
- In both cases the first time password “pwdLastSet” value is set to zero (0) to force a user to change their password after the first login
- Possibility to choose if the password must change at the first login or not. Administrators can make the selection for this directly from the workflow User Creation orchestration node.
There are different ways to provide password for the first login for the end-user. Depending on customers needs it is possible to use workflow functionalities to send the password directly to the end user via email or sms. Another option is to send the password for first login to the manager, who will provide it for the end-user. EPE’s Orchestration node itself DO NOT provide that functionality, it needs to be defined elsewhere.
The configuration of “Target” is done in the provisioning task configuration view. For creating new users, admins needs to make sure that there exists only one LDAP userbase / LDAP userfilter in order to avoid conflicts on the workflow
Provisioning exception is an optional property on this workflow node. Admins can configure this property in use where exceptions can be written if any exceptions exists during the provisioning actions.

Create Group

In the illustration above, the Access Rights Attribute Mappings are populated from Provisioning tasks. Admins choose the correct Active Directory “Target” and are able to view the Access Rights Mappings which are configured for selected AD tasks. In this orchestration view admins are not allowed to change any mappings, those are presented as a visual aid. If any changes to the mappings are needed, those needs must be execute in the Provisioning task configuration view.

The creating new user orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory.

It is important to be sure, that Access Rights Mapping, being used in Create Group orchestration node, contains at least two additional Active Directory mappings: for “cn” and “sAMAccountName” attributes.

Delete custom object

In the illustration above Object name attribute defines what object EPE is deleting. In this example EPE is deleting DN.

Delete Group

In the illustration above administrators can choose the correct Active Directory “Target”. The delete group orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory. For Active Directory-based configurations, 'Role group attribute' should contain group’s distinguishedName name.

Delete User

In the illustration above administrators can choose the correct Active Directory “Target”. The delete user orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory. For Active Directory-based configurations, 'Person Attribute' should contain User's distinguishedName name.

Person attribute expects an attribute containing users AD accounts Distinguished Name(DN).

Manage ProxyAddresses

There are three different possibilities: Set, Update and Remove proxyaddresses.

Set: admin selects one attribute in ESM's Workflow UI (can be single or multivalue attribute) - Then Workflow Node, contacts AD, finds user account and set's the value into proxyAddresses (this action is used to set the value to proxyAddresses the first time - previous value in AD is null).

Update: admin selects two attributes in ESM's Workflow UI - one for CURRENT value, and the other - the NEW value. Then Workflow Node, contacts AD, finds user account and updates the existing proxyAddresses, finds the CURRENT value in the list, and changes its prefix from: SMTP: to smtp: - and adds NEW value with prefix SMTP: (the other values remain in proxyAddresses).

On update action, use single value attributes both for current address, and address to be updated, like this:

Remove: admin selects one attribute in ESM's Workflow UI (can be single or multivalue attribute) - Then Workflow Node, contacts AD, finds user account and removes the value from proxyAddresses list (the other values remain in proxyAddresses).

Read User's data

In the illustration above, the Identity Attribute Mappings are populated from Provisioning tasks. Admins choose the correct Active Directory “Target” and are able to view the Mappings which are configured for selected AD tasks. In this orchestration view admins are not allowed to change any mappings, those are presented as a visual aid. If any changes to the mappings are needed, those needs must be execute in the Provisioning task configuration view.

Person attribute expects an attribute containing users AD accounts Distinguished Name(DN).

Remove User Attribute

In the illustration above administrators can choose the correct Active Directory “Target”. The remove user attribute orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory. In the property “Attribute(s) to remove” administrator can define the attribute, which will be removed from selected user on the Active Directory. NAME what you want to remove. On string can contain multi value attributes. like "City, CostCenter, mobile".

Person attribute expects an attribute containing users AD accounts Distinguished Name(DN).

Remove User from Group

Person attribute expects an attribute containing users AD accounts Distinguished Name(DN).

Reset User Password

In the illustration above administrators can choose the correct Active Directory “Target”. The Reset user password orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory. The Person and Password attributes should point to the template where the orchestration node finds the user’s data.

User password value “pwdLastSet” is set to zero (1), which means that a user doesn’t need to change their password in the first login. From the EPE version 2022.3 forward we have implemented possibility to choose if the password must change at the first login or not. Administrators can make the selection for this directly from the workflow Reset User password orchestration node.

Person attribute expects an attribute containing users AD accounts Distinguished Name(DN).

Run provisioning task

This activity is used when all information from the directory is immediately needed back.

In the illustration above administrators can choose the correct Directory “Target”. Run provisioning task orchestration node read attributes from Active Directory to IGA Accounts.

Requirements for the "Target" EPEtask are:

Task must be of type "Schedulable task" not event-based
Workflow's Template must be the same as Identity mapping Template
Task must be scheduled at some time - it marks a task to be "enabled" then
Mappings must be distinct, no duplicated mappings in the task

In this orchestration view you are not allowed to change any mappings, those are presented only as a visual aid. If there are needs to change the attribute mappings, those attributes must be defined in the provisioning task configuration view, in order them to be changed in the orchestration node.

Unlock User

In the illustration above administrators can choose the correct Active Directory “Target”. The unlock user orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory.

It’s important to take into account in the configurations, that 'Person Attribute' should contain User's distinguishedName name.

Person attribute expects an attribute containing users AD accounts Distinguished Name(DN).

Update Custom Object

In the illustration above administrators can choose the correct Active Directory “Target”. Custom object class defines what object EPE is updating, in this example is Contact, it reads attributes from Data Cards in question and execute LDAP command to Active Directory.

Update group

In this orchestration view admins are not allowed to change any mappings, those are presented only as a visual aid. If any changes to the mappings are needed, those needs must be execute in the Provisioning task configuration view.

The update group orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory.

The configuration of “Target” is done in the provisioning task configuration view. For updating groups, admins needs to make sure that there exists only one LDAP groupbase / LDAP groupfilter in order to avoid conflicts on the workflow.

Update User

In the illustration above, the Identity Attribute Mappings are populated from Provisioning tasks. Admins choose the correct Active Directory “Target” and are able to view the Identity Mappings which are configured for selected AD tasks. The update user orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory.

Note that User password update is not supported on this orchestration activity.

The configuration of “Target” is done in the provisioning task configuration view. For updating users, admins needs to make sure that there exists only one LDAP userbase / LDAP userfilter in order to avoid conflicts on the workflow.

Update User Distinguished Name value

In the illustration above administrators can choose the correct Active Directory “Target”. The Update user Distinguished Name Value orchestration node read attributes from Data Cards in question and execute LDAP command to Active Directory.

In the field “Current Distinguished Name Value*” admin must select, from which attribute on given template/data-card, ‘old’ name of AD location will be read. Field “New Distinguished Name Value* selects attribute from given template/data-card, which will be used as a name of new AD location.

With This activity admins are able for example to limit update action to ‘commonname’ attribute, but It’s required to give whole Distinguished value, example:

Current Distinguished Name Value: CN=DemoAccount,OU=DemoUsers,DC=testad,DC=local

New Distinguished Name Value: CN= DemoAccount,OU=OldDemoUsers,DC=testad,DC=local

Verify Group

In the illustration above, the Access Rights Attribute Mappings are populated from the Provisioning tasks. Administrators choose the correct Active Directory from “Target” and are able to view what Access Rights Mappings are configured for the selected AD task.

Within the Access Rights Mappings admins panel, admins are able to provide “IF” expression, which will form a LDAP query to verify if the group exists. It’s possible to select as many attributes from the Data Card as needed to confirm the uniqueness of a group. When an action takes place, those attributes will be read from the Data Card in question and will be compared to the appropriate AD attributes according to the “Target*“ Active Directory configuration. Admins can also choose to use “equal” or “not equal” to corresponding AD attribute by changing the “IF” expression. The “Save result*” field is used to define where the successful LDAP query results are saved, “true” if group was found or “false” otherwise.

Administrators has possibility to “check” Include OU subtree -property on this orchestration node to verify if group exists in the defined Organization Unit -subtree. If this administrator doesn’t select this option, orchestration node will only check the specific OU defined in the configuration.

Verify Group Membership

The “Save result*” field is used to define where the successful LDAP query results are saved, “true” if user was found or “false” otherwise.

Verify User

In the illustration above, the Identity Attribute Mappings are populated from the Provisioning tasks. Administrators choose the correct Active Directory from “Target” and are able to view what Identity Mappings are configured for the selected AD task. In this orchestration view you are not allowed to change any mappings, those are presented only as a visual aid. If there are needs to change the attribute mappings, those attributes must be defined in the provisioning task configuration view, in order them to be changed in the orchestration node.

Within the Identity Mappings admins panel, admins are able to provide “IF” expression, which will form a LDAP query to verify if the user exists. It’s possible to select as many attributes from the Person Data Card as needed to confirm the uniqueness of a user. When an action takes place, those attributes will be read from the Data Card in question and will be compared to the appropriate AD attributes according to the “Target*“ Active Directory configuration. Admins can also choose to use “equal” or “not equal” to corresponding AD attribute by changing the “IF” expression. The “Save result*” field is used to define where the successful LDAP query results are saved, “true” if user was found or “false” otherwise.

Key point to understand this node's mechanics is - while forming IF expression, admin needs to use Template's attributes, but in fact, values read from them, will be translated (mapped) to proper Active Directory attributes, according to Identity Mapping configuration and will be passed to Active Directory as a search query.

Administrators has possibility to “check” Include OU subtree -property on this orchestration node to verify if user exists in the defined Organization Unit -subtree. If this administrator doesn’t select this option, orchestration node will only check the specific OU defined in the configuration.

Provision picture

Provision user photo to Directory

Native Connectors (EPE) has capability to update user photo to directory. Supported directories are Active directory and Microsoft Entra ID (previously known as Azure AD).

Create new Event-based provisioning for the workflow activity. Attribute mappings are populated from Provisioning task.

Attribute mapping must contain user photo attribute (Fileupload attribute in ESM).
For the AD and Azure AD attribute is thumbnailPhoto. The photo stored in the thumbnailPhoto attribute cannot be bigger than 100 kB, and the recommended size is 96 x 96 pixels.
Create new workflow orchestration node with activity Update user. Select just created event-based epetask to be target.

Instructions for Install certificates

It is highly recommended that Customer is instructed to create process for renewing certificates before they get old and connection is lost. This will mean that Customers end-users are not able to login Efecte Solutions and / or data from AD cannot be read or written.

Instructions

Troubleshooting

In this chapter are described troubleshooting options,

In case failure template is used, check correct data card
Check scheduled task history from connector management
Check Efecte Provisioning Engine logs

ad integration directory connector active directory ad native connector

Table of Contents

Contact Us

Microsoft Active Directory (AD) Connector

Contact Us

Service Management

Identity Governance and Administration (IGA)

Platform

Release Notes for M42 Professional, IGA, Conversational AI

Other Material

Services

Microsoft Active Directory (AD) Connector

How to integrate with Microsoft Active Directory

Microsoft Active Directory Connector

Fair Usage Policy

Load balancer in front of Active Directory

2024.2 and newer version instructions

General functionalities

Connectors - general functionalities

General guidance for scheduled tasks

General guidance for scheduled tasks

How to Create New Scheduled Task to import data

For configuring scheduled-based provisioning task, you will need access to Administration / Connectors tab.

Should I use Incremental, Full or Both?

Do not import permissions with AD and LDAP incremental task

Recommendations:

Recommended Scheduling Sequence

Recommended scheduling sequence, depends how much data is read from Customers system/directory to the Matrix42 Core, Pro or IGA solution and is import Incremental or Full.

Set removed accounts and entitlements status removed/disabled

For version 2025.3 and newer

For version 2025.2 and older

Configuration

Description

Notes

Customer instructions

Configure AD connector

Configure scheduled task for reading data

How to create new task for Scheduled Provisioning

Notice

Special mappings related to permissions (members of groups)

Notice

Configure event task for writing data

Configure authentication task

Option 1: Create new Authentication task from provisioning task

Workflow activities (orchestration nodes)

Activate / Deactive User

Add User to Group

Create custom object

Create user

Creating new user activity notes:

Create Group

Delete custom object

Delete Group

Delete User

Manage ProxyAddresses

Read User's data

Remove User Attribute

Remove User from Group

Reset User Password

Run provisioning task

Unlock User

Update Custom Object

Update group

Update User

Update User Distinguished Name value

Verify Group

Verify Group Membership

Verify User

Provision picture

Provision user photo to Directory

Instructions for Install certificates

Troubleshooting

Related Articles