One Identity Active Roles
One Identity Active Roles: Active Directory and Azure AD management from one console. Permission delegation, automation, Zero Trust for AD. Alternative to native Microsoft tools.

Key Features
- Unified console - AD and Azure AD in one place
- Delegation - granular delegation without Domain Admin
- Automation - automated account and group creation
- Zero Trust - least privilege for AD administrators
- Audit - full audit trail of AD changes
What is One Identity Active Roles?
One Identity Active Roles is a platform for managing Active Directory and Azure AD: one place to administer users, groups and computers. It replaces the native Microsoft tools (ADUC, Azure Portal) for day-to-day work and adds delegation and automation that those tools lack.
Main functions:
- Unified Console - AD on-prem and Azure AD in one interface
- Delegation - delegate permissions without giving Domain Admin
- Automation - automatic provisioning and lifecycle management
- Audit - who, what, when changed in AD
What problem does it solve?
flowchart LR
subgraph Native AD
A[Helpdesk needs] --> B[Domain Admin?]
B --> C[Risk]
C --> D[No control]
end
subgraph With Active Roles
E[Helpdesk] --> F[Delegated permissions]
F --> G[Only password reset]
G --> H[Full audit]
end
style A fill:#dc2626,stroke:#b91c1c,color:#fff
style B fill:#dc2626,stroke:#b91c1c,color:#fff
style C fill:#dc2626,stroke:#b91c1c,color:#fff
style D fill:#dc2626,stroke:#b91c1c,color:#fff
style E fill:#22c55e,stroke:#16a34a,color:#fff
style F fill:#22c55e,stroke:#16a34a,color:#fff
style G fill:#22c55e,stroke:#16a34a,color:#fff
style H fill:#22c55e,stroke:#16a34a,color:#fff
Typical problems:
- Helpdesk has Domain Admin because "otherwise they can't reset passwords"
- Multi-forest / multi-tenant - logging into multiple consoles
- No automation - manual account, group creation
- Native AD delegation is complicated and easy to break
- No central audit of who changed what in AD (native auditing is spread across the event logs of every domain controller)
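To make the "native delegation is complicated and easy to break" point concrete, here is what the ACL-based way actually looks like. This is an added example, not code from the page or from One Identity; the domain (DC=corp,DC=example), the OU (OU=Sales) and the group name (Helpdesk) are assumed. The GUIDs are the well-known schema and control-access-right identifiers and are the same in every forest. The second function is the check a practitioner wants afterwards: who can already reset passwords in that OU, including the indirect grants (all extended rights, GenericAll, WriteDacl) that most people forget to look for.

```powershell
# Added example (not from the page or One Identity): native ACL delegation of
# "reset password" on one OU, plus a check for who already holds that right.
# Assumed names: DC=corp,DC=example, OU=Sales, security group "Helpdesk".
Import-Module ActiveDirectory

# Well-known GUIDs; identical in every AD forest.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right "Reset Password"
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class "user"
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute pwdLastSet
$LockoutTimeAttr    = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute lockoutTime

function New-UserAce {
    # One Allow ACE scoped to user objects below the container (inherit-only, Descendents).
    param([System.Security.Principal.SecurityIdentifier]$Sid,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [guid]$ObjectType)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
}

function Grant-HelpdeskPasswordReset {
    param([Parameter(Mandatory)][string]$OuDN, [Parameter(Mandatory)][string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDN"
    # A usable password-reset delegation needs three ACEs. Granting only the first
    # is the classic failure that ends with "just give the helpdesk Domain Admin".
    $acl.AddAccessRule((New-UserAce $sid 'ExtendedRight' $ResetPasswordRight))            # reset password
    $acl.AddAccessRule((New-UserAce $sid 'ReadProperty, WriteProperty' $PwdLastSetAttr))   # "must change at next logon"
    $acl.AddAccessRule((New-UserAce $sid 'ReadProperty, WriteProperty' $LockoutTimeAttr))  # unlock account
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Get-PasswordResetTrustees {
    # Every Allow ACE on the OU that lets its holder reset passwords: the right itself,
    # "all extended rights" (empty ObjectType), or GenericAll / WriteDacl which imply it.
    # Native AD makes you repeat this per OU, and a Domain Admin group never shows up here.
    param([Parameter(Mandatory)][string]$OuDN)
    $ext  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $all  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $dacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    (Get-Acl -Path "AD:\$OuDN").Access | Where-Object {
        # -and and -or share one precedence level in PowerShell, so everything is bracketed.
        ($_.AccessControlType -eq 'Allow') -and (
            ( (($_.ActiveDirectoryRights -band $ext) -eq $ext) -and
              ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [guid]::Empty) ) -or
            ( ($_.ActiveDirectoryRights -band $all)  -eq $all ) -or
            ( ($_.ActiveDirectoryRights -band $dacl) -eq $dacl )
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited
}

$ou = 'OU=Sales,DC=corp,DC=example'
Grant-HelpdeskPasswordReset -OuDN $ou -GroupName 'Helpdesk'
Get-PasswordResetTrustees   -OuDN $ou | Format-Table -AutoSize
```

Run the audit function before and after the grant: the "after" list should gain exactly three ACEs for the Helpdesk SID, and anything else it prints (a GenericAll from a forgotten project, an inherited WriteDacl) is a standing path to every user's password in that OU.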
How does Active Roles work?
flowchart TD
A[Administrator/Helpdesk] --> B[Active Roles Console]
B --> C[Active Roles Service]
C --> D{Check permissions}
D -->|OK| E[Execute in AD]
D -->|No| F[Deny]
E --> G[Active Directory]
E --> H[Azure AD]
C --> I[Audit Log]
style A fill:#6366f1,stroke:#4f46e5,color:#fff
style B fill:#8b5cf6,stroke:#7c3aed,color:#fff
style C fill:#f59e0b,stroke:#d97706,color:#fff
style D fill:#f59e0b,stroke:#d97706,color:#fff
style E fill:#22c55e,stroke:#16a34a,color:#fff
style F fill:#dc2626,stroke:#b91c1c,color:#fff
style G fill:#22c55e,stroke:#16a34a,color:#fff
style H fill:#22c55e,stroke:#16a34a,color:#fff
style I fill:#8b5cf6,stroke:#7c3aed,color:#fff
Key difference: administrators and helpdesk staff never connect directly to AD. The Active Roles Administration Service sits in between, checks every request against the delegation model and policies, and performs the approved change itself under its own service account, which is also why every change ends up in one central audit log.
Main features
Unified Management
One console
- Multi-forest AD
- Multi-tenant Azure AD
- Exchange Online
- Microsoft 365
Delegation
Zero Trust for AD
- Role-based delegation
- Granular permissions
- Without Domain Admin
- Temporary (time-limited) access and group membership
Automation
AD automation
- Provisioning from templates
- Automatic groups
- Lifecycle management
- Scheduled tasks
Self-Service
User portal
- Password reset
- Group membership request
- Profile update
- Manager approval
Policy Enforcement
Enforcing standards
- Naming conventions
- Attribute validation
- Mandatory fields
- Business rules
Audit & Reporting
Compliance
- Full audit trail
- Change history
- Compliance reports
- SIEM integration
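The automation and policy-enforcement features above are easiest to see from the scripting side. The following joiner/leaver script is an added example, not code from the page or from One Identity: it uses the Active Roles Management Shell (cmdlets New-QADUser, Set-QADUser, Add-QADGroupMember, Disable-QADUser, Move-QADObject) connected through the Administration Service with `-Proxy`. The host name ars01.corp.example, the OUs, the group names and the existence of a naming policy on OU=Sales are assumptions. Because every call goes through the proxy, Active Roles policies (naming rules, mandatory attributes) are enforced server-side regardless of what the script sends, the script's rights are bounded by what was delegated to the account running it, and each change is recorded in the central audit log.

```powershell
# Added example (not from the page or One Identity): joiner and leaver lifecycle
# operations scripted through the Active Roles proxy.
# Assumptions: Administration Service ars01.corp.example, OU=Sales and OU=Disabled
# under DC=corp,DC=example, and a naming policy configured on OU=Sales.
Import-Module ActiveRolesManagementShell
Connect-QADService -Service 'ars01.corp.example' -Proxy | Out-Null

function New-TempPassword {
    # 16 random characters from a fixed alphabet; the user must change it at first logon.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%'
    -join (1..16 | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
}

function New-Joiner {
    param([string]$First, [string]$Last, [string]$Department, [string[]]$Groups)
    $sam = ($First.Substring(0, 1) + $Last).ToLower()
    try {
        $user = New-QADUser -ParentContainer 'OU=Sales,DC=corp,DC=example' `
            -Name "$First $Last" -SamAccountName $sam `
            -UserPrincipalName "$sam@corp.example" -FirstName $First -LastName $Last `
            -UserPassword (New-TempPassword) -UserMustChangePassword $true `
            -ObjectAttributes @{ department = $Department; description = 'Provisioned by joiner script' } `
            -ErrorAction Stop
    } catch {
        # A policy violation (for example a name that breaks the naming convention) is
        # rejected by the Administration Service; nothing is written to AD.
        throw "Active Roles rejected the request: $($_.Exception.Message)"
    }
    foreach ($g in $Groups) { Add-QADGroupMember -Identity $g -Member $user | Out-Null }
    Enable-QADUser -Identity $user | Out-Null
    $user
}

function Disable-Leaver {
    param([string]$Identity)
    $user = Get-QADUser -Identity $Identity -ErrorAction Stop
    Disable-QADUser -Identity $user | Out-Null
    # Strip group memberships so a disabled account carries no standing access
    # (the primary group is not in memberOf and is left alone).
    foreach ($groupDN in $user.MemberOf) {
        Remove-QADGroupMember -Identity $groupDN -Member $user | Out-Null
    }
    Set-QADUser -Identity $user -ObjectAttributes @{
        description = "Disabled $(Get-Date -Format yyyy-MM-dd) by leaver script"
    } | Out-Null
    Move-QADObject -Identity $user -NewParentContainer 'OU=Disabled,DC=corp,DC=example'
}

New-Joiner -First 'Anna' -Last 'Kowalska' -Department 'Sales' -Groups @('Sales-All', 'VPN-Users')
Disable-Leaver -Identity 'CORP\jnowak'
```

The same script run with Domain Admin rights straight against a domain controller would bypass every naming and attribute policy and leave only scattered DC event-log entries; run through the proxy it cannot do more than the account's delegation allows, and a rejected request is visible in the Active Roles change history rather than silently succeeding.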
Delegation Model
Active Roles uses “virtual permissions” - doesn’t modify AD permissions:
flowchart LR
A[Access Template] --> B[Managed Unit]
B --> C[Trustee]
A --> D["Reset Password"]
A --> E["Create User"]
A --> F["Modify Groups"]
B --> G["OU=Sales"]
B --> H["OU=IT"]
C --> I["Helpdesk Group"]
C --> J["HR Admins"]
style A fill:#6366f1,stroke:#4f46e5,color:#fff
style B fill:#22c55e,stroke:#16a34a,color:#fff
style C fill:#f59e0b,stroke:#d97706,color:#fff
Example: “Helpdesk can reset passwords only in OU=Sales” - without any changes to native Active Directory ACLs.
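The triple in the diagram (Access Template, Managed Unit, Trustee) can be created and verified from the Active Roles Management Shell. The script below is an added example, not code from the page or from One Identity. Assumptions: the Administration Service runs on ars01.corp.example, a Managed Unit named "Sales Users" and a group CORP\Helpdesk already exist, the built-in Access Template is named "Users - Help Desk" (list yours with Get-QARSAccessTemplate), the Managed Unit object class is edsManagedUnit, and the parameter names of New-QARSAccessTemplateLink and Get-QARSAccessTemplateLink are as I remember them, so check them with Get-Help in your version. The test function proves the point of the section: no native ACL changed, yet a reset inside the Managed Unit succeeds and one outside it is denied.

```powershell
# Added example (not from the page or One Identity): the same "Helpdesk can reset
# passwords only in OU=Sales" delegation, done the Active Roles way. No AD ACL is
# touched; the link is stored in the Active Roles configuration.
# Assumed: host ars01.corp.example, Managed Unit 'Sales Users', group CORP\Helpdesk,
# Access Template 'Users - Help Desk', object class 'edsManagedUnit', and the
# QARS cmdlet parameter names (verify with Get-Help New-QARSAccessTemplateLink).
Import-Module ActiveRolesManagementShell

# Connect through the Administration Service (proxy), never straight to a DC.
Connect-QADService -Service 'ars01.corp.example' -Proxy | Out-Null

function Grant-ArsDelegation {
    param(
        [Parameter(Mandatory)][string]$AccessTemplateName,  # what:  e.g. 'Users - Help Desk'
        [Parameter(Mandatory)][string]$ManagedUnitName,     # where: e.g. 'Sales Users'
        [Parameter(Mandatory)][string]$TrusteeName          # who:   e.g. 'CORP\Helpdesk'
    )
    $template = Get-QARSAccessTemplate -Name $AccessTemplateName
    # Managed Units are Active Roles configuration objects (class name assumed).
    $mu      = Get-QADObject -Type 'edsManagedUnit' -Name $ManagedUnitName
    $trustee = Get-QADGroup -Identity $TrusteeName
    # Access Template + Managed Unit + Trustee = one delegation link.
    New-QARSAccessTemplateLink -AccessTemplate $template -DirectoryObject $mu -Trustee $trustee
}

function Test-ArsDelegation {
    # Act as the helpdesk account through the proxy and try a reset on a user inside
    # the Managed Unit and on one outside it. Use test accounts: this sets real passwords.
    param([pscredential]$HelpdeskCred, [string]$InsideUser, [string]$OutsideUser)
    Connect-QADService -Service 'ars01.corp.example' -Proxy -Credential $HelpdeskCred | Out-Null
    $result = @{}
    foreach ($u in @($InsideUser, $OutsideUser)) {
        try {
            Set-QADUser -Identity $u -UserPassword 'Tmp-Reset-2024!' -ErrorAction Stop | Out-Null
            $result[$u] = 'allowed'
        } catch {
            # Expected for $OutsideUser: the Administration Service denies it before AD is touched.
            $result[$u] = "denied: $($_.Exception.Message)"
        }
    }
    $result
}

Grant-ArsDelegation -AccessTemplateName 'Users - Help Desk' -ManagedUnitName 'Sales Users' -TrusteeName 'CORP\Helpdesk'
# List the links now in force on the Managed Unit (parameter name assumed).
Get-QARSAccessTemplateLink -DirectoryObject (Get-QADObject -Type 'edsManagedUnit' -Name 'Sales Users')
Test-ArsDelegation -HelpdeskCred (Get-Credential -UserName 'CORP\jdoe' -Message 'Helpdesk account') `
    -InsideUser 'CORP\sales.test' -OutsideUser 'CORP\it.test'
```

After running this, Get-Acl on OU=Sales in native AD shows no new ACE for Helpdesk; the only principal with real write access to those users is the Administration Service account, which is why that account has to be protected like any other Tier 0 identity.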
Hybrid AD Management
Managing hybrid environment:
| Object | AD on-prem | Azure AD | Active Roles |
|---|---|---|---|
| Users | ADUC | Azure Portal | Unified |
| Groups | ADUC | Azure Portal | Unified |
| Computers | ADUC | Azure Portal / Intune | Unified |
| Exchange | EMC | Exchange Admin | Unified |
One interface for all operations: a user created in on-prem AD can be provisioned to Azure AD in the same operation once the Azure AD connector is configured.
For whom?
Active Roles MAKES sense when:
- You have 1000+ users in AD
- Multi-forest or multi-tenant
- Helpdesk has too many permissions
- You need lifecycle automation
- Audit requirements (who changed what)
Active Roles DOESN'T make sense when:
- Small company (<200 users): ADUC is sufficient
- Cloud-only (Azure AD): use Entra ID Governance instead
- One admin who does everything
Active Roles vs native tools
| Aspect | ADUC / Azure Portal | Active Roles |
|---|---|---|
| Multi-forest | Separate console per forest | Unified |
| Multi-tenant | Separate portal per tenant | Unified |
| Delegation | Complicated, ACL-based | Role-based, virtual |
| Automation | PowerShell scripting | Built-in workflows |
| Audit | Event logs, distributed | Central audit log |
| Self-service | No native | Portal for users |
Specifications
| Parameter | Value |
|---|---|
| Deployment | On-premises (Windows Server) |
| Supported | Active Directory on Windows Server 2016-2025, Azure AD (Entra ID), Microsoft 365 |
| Console | MMC snap-in, Web interface |
| API | PowerShell, REST |
| HA | Clustering |
| Integration | SIEM, ServiceNow, Identity Manager |
FAQ
Does this replace ADUC? Yes, for daily administration. ADUC still works, but Active Roles gives better control and audit.
Does it modify AD permissions? No. Active Roles uses "virtual permissions": it controls access without changing native AD ACLs. The one account that does hold real rights in AD is the Administration Service account that executes the changes, so it must be protected like any other Tier 0 identity.
How does it integrate with Azure AD? Through a connector: operations performed in Active Roles are replicated to Azure AD.
Does the helpdesk need to learn a new console? The console is simple, and helpdesk staff see only what they have permissions for, so it is less complicated than ADUC.
How does it work with Identity Manager? Active Roles can act as the "execution layer" for One Identity Manager: Identity Manager defines the policies, Active Roles executes them in AD.
How long does deployment take? Basic deployment: 2-4 weeks. With full automation and integrations: 1-2 months.
Does nFlo deploy Active Roles? Yes: deployment, delegation configuration, lifecycle automation and Azure AD integration.
Inquire about One Identity Active Roles
Contact your product specialist and get a custom quote.
