Active Directory

Active Directory is a Microsoft product that helps IT administrators manage and secure user accounts, systems, and other resources on their corporate network. It can serve as an identity provider (IDP) and functions as a single point of access to the various resources available through your corporate network.

In practice, Active Directory is best described as a database containing all users, groups, and machines within your organization. Active Directory provides access to data, applications, IT systems, and peripheral devices, among other resources. This is a critical function, as employees require this access to perform their daily activities. Careful management of both users and authorizations in Active Directory is therefore essential.

Connecting an on-premises Active Directory environment to your cloud-based office application environment may sound like a basic capability, but it is not straightforward in practice. The IDP runs on-premises while many of the applications you want to integrate are hosted in the cloud. This requires a specialized agent that seamlessly connects your on-premises environment to your cloud applications, where security, reliability, and robustness are non-negotiable. Unlike many competing IAM solutions, HelloID enables you to connect your on-premises Active Directory implementation to your cloud applications without friction.

How HelloID Integrates with Active Directory

The Identity and Access Management (IAM) solution HelloID includes a standard integration with Active Directory. HelloID automates all management processes related to both user accounts and access rights in Active Directory, drawing on information from your HR and scheduling system. This means you no longer need to manage users and authorizations in Active Directory manually, with the assurance that you are operating efficiently, securely, and in compliance.

A few highlights of what HelloID offers:

Creating new accounts and managing existing user accounts

Every organization experiences employee turnover. When you add a new user to, or remove a user from, your HR system, HelloID automatically propagates that information to Active Directory through the integration. This ensures that all information in the IDP is fully up to date and consistent with the data in your HR system. Existing accounts do not need to be recreated; HelloID can correlate existing accounts for you. The process is already running, and HelloID takes over the controls without stopping it. In most cases, you will want to retain existing accounts.

You decide whether HelloID may clean up existing accounts or whether you prefer to start with a clean slate and have HelloID manage only newly created accounts. This is an important consideration, because the older the accounts, the more out of sync manually populated fields may become, for example due to role transitions or changes to the job structure. HelloID can clean up this information for you.

Creating, activating, deactivating, and deleting users

With HelloID, you no longer need to manage the creation, activation, and deactivation of user accounts manually. HelloID can also automatically delete accounts from Active Directory. It is important to note that HelloID only deletes the user itself and does not touch related resources. For example, a home directory may be linked to an account. Because HelloID does not own this data, the IAM solution is not legally permitted to delete it. By leaving this data untouched, you have assurance regarding compliance with applicable laws and regulations and retain full control over your data.

Assigning the correct username

An important consideration when creating a user account is choosing the correct username. Do you include the user's full first and last name in an email address? Or do you prefer a combination of initials and a last name? How do you handle potential duplicate usernames? Using naming conventions in HelloID, you standardize this process and ensure that usernames are always built in a consistent manner.

Assigning or revoking group memberships

Managing the group memberships of users within your organization is a critical aspect of user management. Group memberships enable you to easily assign the correct authorizations to users. You configure authorizations once for a group of users and then assign users to that group. With HelloID's integration with Active Directory, this process is handled automatically, ensuring that users receive the correct group memberships and that memberships are revoked in a timely manner when needed.

It is also important to note that HelloID can automatically create groups for you, for example when the HR department adds a new department to the HR system. HelloID detects the creation of a new department and assigns the correct memberships based on this information. This is also known as Dynamic Permissions. Note: the system administrator must link the newly created groups to the appropriate resources in this case.

Updating attributes

The group memberships a user requires depend in part on their role. HelloID can identify this role largely automatically using attributes retrieved from your source system. You decide which attribute from the source system determines which accounts and rights are assigned in target systems, in this case Active Directory. This approach provides significant convenience. Not only do you not have to manually identify each user's role, you also have the assurance that when an employee's role changes, HelloID automatically updates their accounts and rights where necessary. Most source systems use a structure in which an employee has one or more assignments or position distributions, meaning an employee can effectively hold multiple roles. Based on all active roles, HelloID assigns the correct permissions in Active Directory.

Preventing email address reuse

HelloID can use a blocklist to prevent email addresses from being reused. Even after a user account has been deactivated and the email address technically becomes available again over time, the blocklist ensures it can never be reissued. This is important because it guarantees that email correspondence never reaches the wrong recipient and that files associated with an email address are never unintentionally accessible to unauthorized users. The same approach can also be applied to usernames.
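
The naming-convention and blocklist passages above describe one combined check, sketched here as an added example that is not HelloID code or configuration. The function name, its parameters, the `first.last` convention, and the sample addresses are all assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not part of HelloID or the ActiveDirectory module.
function New-UniqueMailAddress {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$InUse = @(),       # addresses held by existing accounts
        [string[]]$Blocklist = @(),   # addresses issued in the past, including deleted accounts
        [ValidateRange(2, 999)][int]$MaxSuffix = 50
    )

    # One case-insensitive set of everything that must never be handed out.
    $taken = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($a in @($InUse) + @($Blocklist)) {
        if ($a) { [void]$taken.Add($a.Trim()) }
    }

    # Normalise a name part: strip diacritics, keep only letters and digits, lower-case.
    $clean = {
        param($s)
        $decomposed = $s.Normalize([System.Text.NormalizationForm]::FormD)
        ($decomposed -replace '\p{Mn}', '' -replace '[^A-Za-z0-9]', '').ToLowerInvariant()
    }
    $first = & $clean $GivenName
    $last  = & $clean $Surname
    if (-not $first -or -not $last) { throw 'Name part is empty after normalisation.' }

    # Assumed convention: first.last, then f.last, then first.last2, first.last3, ...
    $candidates = @("${first}.${last}", "$($first[0]).${last}")
    $candidates += 2..$MaxSuffix | ForEach-Object { "${first}.${last}$_" }

    foreach ($localPart in $candidates) {
        $address = "${localPart}@${Domain}".ToLowerInvariant()
        # A blocklisted address is treated exactly like one that is in use.
        if (-not $taken.Contains($address)) { return $address }
    }
    throw "No free address for $GivenName $Surname within $MaxSuffix attempts."
}

# Constructed sample data: one active account, one address retired with a deleted account.
$active  = @('jan.jansen@example.com')
$retired = @('j.jansen@example.com')
New-UniqueMailAddress -GivenName 'Jan' -Surname 'Jansen' -Domain 'example.com' `
    -InUse $active -Blocklist $retired
```

For the guarantee to hold, every address the function returns has to be written to the blocklist at issuance and never removed when the account is later deleted.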

Managing Organizational Units

Active Directory uses containers known as Organizational Units. If your organization has multiple locations, you can build a folder structure that distinguishes between those locations and place related account folders in the correct location folder. HelloID provides a structured approach to this that adds clarity and helps prevent misunderstandings. HelloID can automatically create a folder when a user account is created, move it to the appropriate location folder when the account is activated, and move it to a folder containing disabled accounts when the account is deactivated.

Integration with Exchange

Exchange is an extension of Active Directory that manages your email traffic. The Microsoft software ensures that contacts, calendar items, and email are available on all of a user's devices, drawing on information from Active Directory. HelloID can integrate with Exchange regardless of whether your Exchange server runs on-premises or in the cloud. If you are not using Exchange but are using Exchange Online with group-based licensing in Azure, HelloID supports that as well. It is important to note that the HelloID agent eliminates the need for Exchange Management Tools. This makes the HelloID agent lightweight and reduces the permissions required, which is important from a security perspective.

Creating home and profile directories

Active Directory uses home and profile folders for data storage. HelloID provides full support for creating these folders and can manage all associated permissions seamlessly. This includes archiving these folders on the same share, for example in a folder named "Archive." It is also possible to add a timestamp to the folder name.

Support for post-actions

HelloID supports what are known as "post-actions," which are PowerShell actions that administrators can have executed automatically after HelloID has completed its work. This is useful because HR administrators often work with custom scripts they want to run as soon as HelloID finishes. Examples include appending text such as "Activated by HelloID on [date]" to the description of an AD account after HelloID activates it. Post-actions are available for every lifecycle event HelloID performs, including activating, deactivating, and deleting an account.

A key feature of the integration between HelloID and Active Directory is that the HelloID agent enables you to manage on-premises Active Directory accounts from the cloud. As an IDaaS solution, HelloID cannot directly access a customer's internal network. All actions are retrieved from HelloID via a dedicated agent and executed within the network. Communication with HelloID always originates from the agent, never from the cloud. This agent creates a seamless and, above all, secure connection between both systems.

HelloID for Active Directory Helps You With

  • Immediate access to the right data and applications: Your employees need access to data and business applications to perform their work. With the integration between HelloID and Active Directory, you can be confident that new employees can start productively on their first day.
  • Significant time savings: Managing user accounts and authorizations is a complex and time-consuming process, especially as your organization grows. Connecting Active Directory to HelloID automates this process to a significant degree.
  • Reducing human errors: Mistakes happen, but in some cases they can have serious consequences. If you forget to revoke an offboarded user's authorizations, for example, it can create problems later, both from a security and compliance perspective. The integration between Active Directory and HelloID provides assurance in this area and minimizes the risk of human error.
  • Robust audits: Procedural compliance is automatic, with all activities performed by HelloID in relation to users and authorizations logged in full. This ensures you always have a complete overview and meet all compliance requirements.

Connecting Active Directory with Source and Target Systems via HelloID

With HelloID, you can connect Active Directory to a wide variety of other systems. These integrations increase the efficiency with which you manage user accounts and access rights, ensuring a secure and compliant environment in which employees can be optimally productive. Some examples of common integrations include:

  • Visma Raet to Active Directory integration: Visma Raet is a popular HR solution. The Visma Raet to Active Directory integration made possible by HelloID automatically translates all relevant information from the HR system into user accounts and access rights in Active Directory.
  • AFAS to Active Directory integration: The HRM software from AFAS enables automation of all HR processes for both personnel and payroll administration. The AFAS to Active Directory integration that HelloID makes possible ensures that all relevant information from AFAS automatically reaches Active Directory.
  • SAP to Active Directory integration: As part of SAP Human Capital Management (HCM), SAP offers various solutions that support HR in their daily activities. If you use SAP, you want to ensure that all relevant HR information is automatically available in Active Directory. The SAP to Active Directory integration provides that assurance.

With support for more than 200 connectors, HelloID facilitates a wide range of integrations between Active Directory and other systems. To meet the constantly evolving needs of organizations, Tools4ever continuously expands its connector and integration offerings.
