Active Directory
Configuring the Active Directory integration for Veza Lifecycle Management
Overview
The Veza integration for Active Directory enables automated user lifecycle management, including user provisioning and deprovisioning, group membership management, and attribute synchronization.
SYNC_IDENTITIES: Synchronizes identity attributes between systems, with options to create new identities and update existing ones
MANAGE_RELATIONSHIPS: Controls entitlements such as group memberships and role assignments for identities
DEPROVISION_IDENTITY: Safely disables access for identities while preserving attributes for audit
CREATE_ENTITLEMENT: Creates entitlements such as Active Directory groups
RESET_PASSWORD: Allows password reset operations for Active Directory users
DELETE_IDENTITY: Permanently deletes the user identity from Active Directory
SOURCE_OF_IDENTITY: Active Directory can act as a source system for identity lifecycle policies
This document includes steps to enable the Active Directory integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
Enabling Lifecycle Management for Active Directory
Prerequisites
You will need administrative access in Veza to configure the integration.
Ensure you have an existing Active Directory integration in Veza or add a new one for use with Lifecycle Management.
Verify your Active Directory integration has completed at least one successful extraction.
Configuration Steps
To enable the integration:
In Veza, go to the Integrations overview
Search for or create an Active Directory integration
Check the box to Enable usage for Lifecycle Management
Configure the extraction schedule to ensure your Active Directory data remains current:
Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Active Directory in the Active Overrides section
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
1. Create a Service Account
Create a dedicated AD user with the minimum required permissions:
Using Active Directory Users and Computers:
Open Active Directory Users and Computers
Navigate to the target Organizational Unit
Right-click > New > User
Complete the new user details form
Recommended name: "Veza AD Lifecycle Manager"
Set a strong password
Uncheck "User must change password at next logon"
Using PowerShell:
2. Configure Required Permissions
Grant the service account permissions to manage users in the target OUs:
Using Active Directory Users and Computers:
Navigate to the target Organizational Unit
Right-click > Delegate Control
Click Add and enter the service account name
Select these delegated tasks:
Create, delete, and manage user accounts
Reset user passwords and force password change
Read all user information
Modify group membership
Using PowerShell:
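The two steps above (create the service account, then delegate the listed tasks on the target OU) as an added PowerShell example; this is not the Veza documentation's own script. The domain, OU distinguished names and the account name svc-veza-lcm are assumptions, and the delegation uses dsacls to grant rights on the one OU rather than domain-wide, which is narrower than what the Delegate Control wizard's "manage user accounts" task grants.

```powershell
# Added example, not from the Veza documentation: creates the service account
# and delegates only the rights listed above on one target OU, instead of
# granting domain-wide permissions. All names below are assumptions; adjust them.
Import-Module ActiveDirectory

$Domain   = "corp.example"
$NetBios  = "CORP"
$SamName  = "svc-veza-lcm"
$SvcOU    = "OU=Service Accounts,DC=corp,DC=example"   # where the account is created
$TargetOU = "OU=Staff,DC=corp,DC=example"              # OU the integration may manage

# 1. Create the service account. The password is entered interactively,
#    so it never lands in the script file or the shell history.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamName"
New-ADUser -Name "Veza AD Lifecycle Manager" `
    -SamAccountName $SamName `
    -UserPrincipalName "$SamName@$Domain" `
    -Path $SvcOU `
    -AccountPassword $Password `
    -ChangePasswordAtLogon $false `
    -Enabled $true

# 2. Delegate control on the target OU only. dsacls entry format is
#    "<trustee>:<rights>;<object or property>;<inherited object type>".
#    /I:T = this OU and its sub-objects (needed for create/delete child),
#    /I:S = sub-objects only (rights that apply to the user/group objects).
$Trustee = "$NetBios\$SamName"

# Create, delete, and manage user accounts: create/delete user children of
# the OU, plus read and write all properties of user objects under it
dsacls $TargetOU /I:T /G "${Trustee}:CCDC;user"
dsacls $TargetOU /I:S /G "${Trustee}:RPWP;;user"
# Reset user passwords and force password change at next logon
dsacls $TargetOU /I:S /G "${Trustee}:CA;Reset Password;user"
dsacls $TargetOU /I:S /G "${Trustee}:WP;pwdLastSet;user"
# Modify group membership
dsacls $TargetOU /I:S /G "${Trustee}:WP;member;group"
# Needed only if the Create Entitlement action will create groups in this OU
dsacls $TargetOU /I:T /G "${Trustee}:CCDC;group"

# 3. Review what was granted before handing the credentials to Veza
dsacls $TargetOU | Select-String -Pattern $SamName
```

Run it from an account that can create users in the service-account OU and edit the target OU's ACL; the final dsacls listing is the record to compare against the delegated tasks above.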
3. Configure the Integration in Veza
Navigate to Configurations > Integrations
Either:
Create a new Active Directory integration
Edit an existing Active Directory integration
Enable Lifecycle Management:
Check Enable Lifecycle Management
Enter the Lifecycle Management Username (service account created above)
Enter the Lifecycle Management Password
Save the configuration
Supported Actions
Active Directory can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Active Directory, with changes propagated to connected systems.
Active Directory can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.
The integration supports the following lifecycle management Actions:
Sync Identities
Synchronizes identity attributes between systems, with options to:
Create new identities if they don't exist
Update attributes of existing identities
Enable continuous sync to keep attributes aligned with the source of truth
Unique Identifiers
Active Directory uses composite unique identifiers to locate users. Only one unique identifier can be specified per action:
account_name (sAMAccountName) - Default unique identifier
distinguished_name - Full LDAP path (e.g., CN=John Doe,OU=Users,DC=company,DC=com)
user_principal_name - Login format (e.g., <username>@company.com)
The following attributes can be synchronized:
Manage Relationships
Controls relationships between users and Active Directory groups:
Entity Types: Active Directory Groups
Assignee Types: Active Directory Users
Supports Removing Relationships: Yes
Both adding and removing group memberships are supported. Group memberships can be managed individually or removed in bulk during deprovisioning.
Deprovision Identity
When a user is deprovisioned in Active Directory:
Entity Type: Active Directory User
Method: Account Disabled (sets userAccountControl to 514)
Remove All Relationships: Yes (optional; group memberships can be removed)
The following unique identifiers can be used to locate the user:
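An added verification check for the deprovisioned state described above (disabled account, memberships removed, attributes preserved); it is not part of the Veza documentation. It assumes the ActiveDirectory module and a constructed sAMAccountName of jdoe, and tests the ACCOUNTDISABLE bit rather than only comparing against 514, because a user that also carries other flags (for example "password never expires") is still disabled but has a different userAccountControl value.

```powershell
# Added example, not from the Veza documentation: confirm that a user that
# Lifecycle Management reported as deprovisioned is in the expected state.
Import-Module ActiveDirectory

function Test-DeprovisionedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $ACCOUNTDISABLE = 0x0002   # bit 1 of userAccountControl
    $NORMAL_ACCOUNT = 0x0200   # bit 9; 0x200 + 0x2 = 514, the value the action writes

    $u = Get-ADUser -Identity $SamAccountName `
                    -Properties userAccountControl, memberOf, department, title, manager
    $uac = [int]$u.userAccountControl

    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        userAccountControl  = $uac
        IsDisabled          = ($uac -band $ACCOUNTDISABLE) -ne 0   # the check that matters
        IsNormalAccount     = ($uac -band $NORMAL_ACCOUNT) -ne 0
        ExactlyDeprovValue  = ($uac -eq 514)                       # true only if no other flags are set
        # memberOf excludes the primary group (Domain Users), so 0 is the
        # expected count after "Remove All Relationships"
        RemainingGroups     = @($u.memberOf).Count
        # Deprovision keeps attributes for audit; Delete Identity would remove the object
        AttributesPreserved = -not ([string]::IsNullOrEmpty($u.department) -and
                                    [string]::IsNullOrEmpty($u.title))
    }
}

# "jdoe" is a constructed sample identifier
Test-DeprovisionedUser -SamAccountName "jdoe" | Format-List
```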
Create Entitlement
Creates new Active Directory groups:
Entity Type: Active Directory Group
Required Attributes: name
Optional Attributes: description, group_type, is_security_group, member_of, account_name, organizational_unit_dn
Reset Password
Resets a user's password in Active Directory:
Entity Type: Active Directory User
Idempotent: No (generates a new password with each execution)
Password Options:
Configurable password complexity (length, character types, excluded characters)
Option to require password change on next login
Passwords must comply with Active Directory domain password policy
The Reset Password action is non-idempotent. Each execution generates a new password, even if the action is run multiple times.
Password Complexity Options:
Length: Configurable minimum password length
Character Types: Uppercase, lowercase, numbers, special characters
Disallowed Characters: Specify characters to exclude from generated passwords
Require Change: Force user to change password on next login
The following unique identifiers can be used to locate the user:
Delete Identity
Permanently removes a user from Active Directory:
Entity Type: Active Directory User
Method: Permanent deletion (DROP USER equivalent)
Warning: This action cannot be undone
Delete Identity permanently removes the user account from Active Directory. Use Deprovision Identity instead if you need to preserve the account for audit or potential reactivation.
The following unique identifiers can be used to locate the user:
Example Workflows
Employee Onboarding
Automate user creation and group assignment when a new employee joins:
Create a Lifecycle Management policy with your HR system as the source of identity
Configure a workflow triggered when a new identity is detected
Add a Sync Identities action to create the AD user:
Map HR attributes to AD attributes (name, email, department, title, manager)
Set initial password with "require change on next login"
Add a Manage Relationships action to assign initial group memberships based on role/department
Role Change
Update access when an employee changes roles:
Create a policy with your HR system as the source of identity
Configure a workflow triggered when attributes change (department, title, or manager)
Add a Sync Identities action to update user attributes
Add a Manage Relationships action to:
Remove old role-based group memberships
Add new role-based group memberships
Employee Offboarding
Disable access when an employee leaves:
Create a policy with your HR system as the source of identity
Configure a workflow triggered when termination date is set or employee status changes
Add a Deprovision Identity action:
Account will be disabled (not deleted)
Group memberships will be removed
Attributes preserved for audit
Optionally schedule a Delete Identity action after retention period (e.g., 90 days)