Introduction

The Microsoft 365 System Connector enables you to manage the identity and access lifecycle of users, resources and various other objects in the Microsoft 365 cloud. Like any other CoreOne Suite System Connector, this includes functionality to create, read, update and delete users, as well as the assignment of various access rights such as groups, teams and other objects. The target system parameters of the Microsoft 365 System Connector also apply to Exchange Online.

Identity management

There are two types of identity management for this system connector: directly and indirectly managed identities. With indirectly managed identities, the flow is as follows:

...

  1. Identities are provisioned from an HR system into CoreOne Suite. Active Directory and Microsoft Entra ID identities are created.

  2. CoreOne Suite then provisions the identities only into Active Directory.

  3. Microsoft Entra Connect picks up the users and prepares them for synchronization into Microsoft Entra ID.

  4. The AD users are provisioned into Microsoft Entra ID.

  5. CoreOne Suite then matches the UPN of the CoreOne Suite identities with the Microsoft Entra ID users and creates an Object ID link.
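The matching in step 5, as an added example that is not CoreOne Suite code: identities are matched to Microsoft Entra ID users on the UPN (case-insensitively, since UPNs are not case-sensitive), a link is created only for an unambiguous match, and everything else is reported for review. Both lists are constructed sample data; in practice the Entra ID side would come from Get-MgUser (Microsoft.Graph.Users module).

```powershell
# Added example (not CoreOne Suite code): link CoreOne identities to Entra ID users by UPN.
# Sample data is constructed; the Ids below are placeholders, not real object IDs.
$coreOneIdentities = @(
    [pscustomobject]@{ IdentityId = 1001; Upn = 'alice.meier@contoso.example' }
    [pscustomobject]@{ IdentityId = 1002; Upn = 'Bob.Keller@contoso.example' }   # differs only in case
    [pscustomobject]@{ IdentityId = 1003; Upn = 'carla.ruf@contoso.example' }    # not synced yet
    [pscustomobject]@{ IdentityId = 1004; Upn = 'dup.user@contoso.example' }     # two cloud objects
)
$entraUsers = @(
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'; UserPrincipalName = 'alice.meier@contoso.example' }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000002'; UserPrincipalName = 'bob.keller@contoso.example' }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000003'; UserPrincipalName = 'dup.user@contoso.example' }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000004'; UserPrincipalName = 'DUP.USER@contoso.example' }
)

function Resolve-ObjectIdLink {
    param(
        [Parameter(Mandatory)] [object[]] $Identities,
        [Parameter(Mandatory)] [object[]] $EntraUsers
    )
    # Index the cloud users on the lower-cased UPN; a key may hold more than one object.
    $byUpn = @{}
    foreach ($u in $EntraUsers) {
        $key = $u.UserPrincipalName.ToLowerInvariant()
        if (-not $byUpn.ContainsKey($key)) { $byUpn[$key] = @() }
        $byUpn[$key] += $u
    }
    foreach ($identity in $Identities) {
        $key = $identity.Upn.ToLowerInvariant()
        $candidates = if ($byUpn.ContainsKey($key)) { @($byUpn[$key]) } else { @() }
        $status = switch ($candidates.Count) {
            0       { 'NotFound' }   # user has not arrived through Entra Connect yet; leave unlinked
            1       { 'Linked' }
            default { 'Ambiguous' }  # never guess: linking the wrong object grants the wrong access
        }
        [pscustomobject]@{
            IdentityId = $identity.IdentityId
            Upn        = $identity.Upn
            ObjectId   = if ($status -eq 'Linked') { $candidates[0].Id } else { $null }
            Status     = $status
        }
    }
}

$links = Resolve-ObjectIdLink -Identities $coreOneIdentities -EntraUsers $entraUsers
$links | Format-Table -AutoSize
# Anything not 'Linked' needs a human look before the connector manages that identity.
$links | Where-Object Status -ne 'Linked' | ForEach-Object { Write-Warning "$($_.Upn): $($_.Status)" }
```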

Prerequisite

This prerequisite can be skipped if you don't want to provision mailboxes in Exchange Online.

The Microsoft 365 System Connector manages mailboxes in Exchange Online. For this, the ExchangeOnlineManagement PowerShell module must be installed on the server where the System Connector is installed.

Run the following command in Windows PowerShell:

...

For more information, see the following documentation: https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps&source=recommendations#install-the-exchange-online-powershell-module.

System Identity Types

The following system identity types are supported:

Identity Type | Description
Azure AD User | An Azure Active Directory user

System Identity Attributes

Note

It is important to note that properties of synced users in Azure cannot be set directly on the cloud user object. Instead, these properties must be configured through Group Policy Objects (GPOs) or managed on the on-premises user and synchronized using Microsoft Entra Connect.

Attribute | Type | Example | Description
Password Policies (PasswordPolicies) | String | "DisablePasswordExpiration" | A comma-separated list of values that state how the password policies are set for the identity (see the values below)
Show In Address List (ShowInAddressList) | Boolean | True | States whether a provisioned identity is shown in the global address list. If set to "True", the user is shown in the global address list
Force Change Password On Next Sign-In (ForceChangePasswordNextSignIn) | Boolean | True | States whether the user has to change their password the next time they sign in to any Microsoft 365 application. If set to "True", the password has to be changed during the first sign-in

Values for PasswordPolicies (separated with ","):

"DisablePasswordExpiration" → the password of the identity never expires

"DisableStrongPassword" → the password does not have to fulfil any complexity requirements
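The PasswordPolicies value is a free string, so it is worth validating before it is written and auditing afterwards. The following is an added example, not CoreOne Suite code: it splits the comma-separated value, accepts only the two values documented above (treating anything else as invalid is an assumption), flags DisableStrongPassword as a weak setting, and, following the note above, flags synced users for whom the value cannot be set directly. The user list is constructed sample data shaped like a Get-MgUser export.

```powershell
# Added example (not CoreOne Suite code): validate and audit PasswordPolicies values.
$KnownPolicies = @('DisablePasswordExpiration', 'DisableStrongPassword')   # the documented values

function Test-PasswordPoliciesValue {
    param([string] $Value = '')
    $tokens  = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $unknown = @($tokens | Where-Object { $_ -notin $KnownPolicies })
    [pscustomobject]@{
        Value        = $Value
        Tokens       = $tokens
        IsValid      = ($unknown.Count -eq 0)
        Unknown      = $unknown
        NeverExpires = ($tokens -contains 'DisablePasswordExpiration')
        # DisableStrongPassword lets the user choose a password that meets no complexity requirement
        WeakSetting  = ($tokens -contains 'DisableStrongPassword')
    }
}

# Constructed sample; OnPremisesSyncEnabled marks users that arrive via Microsoft Entra Connect.
$users = @(
    [pscustomobject]@{ Upn = 'alice@contoso.example'; PasswordPolicies = 'DisablePasswordExpiration';                        OnPremisesSyncEnabled = $false }
    [pscustomobject]@{ Upn = 'bob@contoso.example';   PasswordPolicies = 'DisablePasswordExpiration, DisableStrongPassword'; OnPremisesSyncEnabled = $false }
    [pscustomobject]@{ Upn = 'carla@contoso.example'; PasswordPolicies = 'DisablePasswordExpiration';                        OnPremisesSyncEnabled = $true }
    [pscustomobject]@{ Upn = 'dave@contoso.example';  PasswordPolicies = 'NoExpiry';                                         OnPremisesSyncEnabled = $false }
)

foreach ($u in $users) {
    $r = Test-PasswordPoliciesValue -Value $u.PasswordPolicies
    if (-not $r.IsValid) {
        Write-Warning "$($u.Upn): unknown policy value(s): $($r.Unknown -join ', ')"
    }
    if ($r.WeakSetting) {
        Write-Warning "$($u.Upn): DisableStrongPassword is set; password complexity is not enforced"
    }
    if ($u.OnPremisesSyncEnabled -and $r.Tokens.Count -gt 0) {
        # Synced user: the value must come from on-premises / Entra Connect, not a direct cloud write
        Write-Warning "$($u.Upn): synced user; PasswordPolicies cannot be set directly on the cloud object"
    }
}
```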

System Resource Types

The following system resource types are supported:

Resource Type | Description
Security Group | A regular security group
Distribution Group | A regular distribution group
Office 365 | An Office 365 group
Team | A Microsoft Teams team
License | A Microsoft Office 365 license

Target System Parameters

Whenever you connect a Microsoft 365 system to the CoreOne Suite, you need to specify the following parameters.

Parameter | Mandatory | Example | Description
Application Identifier | Yes | 4deeecf9-c063-4763-94c6-3db66e4ae679 | The unique identifier of the application generated in the Microsoft 365 administration panel
Application Certificate Subject | Yes | Microsoft Entra ID App Certificate | The subject of the self-signed certificate used for client authentication with Microsoft Entra ID. This certificate must be registered in the administration panel
Domain | Yes | m365x289341.onmicrosoft.com | The Office 365 tenant domain
Tenant Identifier | Yes | 97b62607-cb86-48ba-9a28-e8e1e7c4c104 | The unique tenant identifier
Tenant Name | Yes | Contoso - Test Tenant | The tenant name
Username (marked for deprecation) | - | admin@m365x28e341.onmicrosoft.com | The username used to connect
Password (marked for deprecation) | - | ******** | The password of that user
Connection URI (marked for deprecation) | - | https://outlook.office365.com/powershell-liveid/ | The connection URI of the Outlook PowerShell endpoint
Application Secret (marked for deprecation) | - | ******** | The secret of the application generated in the administration panel

Note

From version 9.0 onward, the parameters Username, Password, Connection URI and Application Secret are marked as deprecated.
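The prerequisite section and the parameter table together describe what the server needs before the connector can talk to Exchange Online: the ExchangeOnlineManagement module and a registered certificate. The following is an added example, not CoreOne Suite code, that checks both and then signs in app-only with the certificate instead of the deprecated username/password or application secret. It assumes the values from the parameter table above; the Application Identifier is a placeholder to replace, and Get-ConnectionInformation requires module version 3 or later.

```powershell
# Added example (not CoreOne Suite code): verify prerequisites and connect certificate-based.
$AppId        = '<Application Identifier from the app registration>'   # placeholder
$CertSubject  = 'CN=Microsoft Entra ID App Certificate'                  # Application Certificate Subject
$Organization = 'm365x289341.onmicrosoft.com'                            # Domain

# 1. Prerequisite: the module must be visible to the service account the connector runs as,
#    so it is installed machine-wide (AllUsers), not only for the admin running this script.
$module = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) {
    Install-Module -Name ExchangeOnlineManagement -Scope AllUsers -Force
    $module = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
        Sort-Object Version -Descending | Select-Object -First 1
}
Write-Host "ExchangeOnlineManagement $($module.Version) is installed"

# 2. The certificate registered on the app must be in the machine store, valid, and have its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)                    { throw "No certificate with subject '$CertSubject' in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $($cert.Thumbprint) has no private key" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); renew and re-register it"
}

# 3. App-only sign-in with the certificate: no username, password or application secret is stored.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $cert.Thumbprint `
    -Organization $Organization -ShowBanner:$false
Get-ConnectionInformation      # shows the session state and the app it authenticated as
Disconnect-ExchangeOnline -Confirm:$false

# Deprecated since version 9.0: a stored admin password against the old endpoint. Kept here only
# to show what the certificate-based connection replaces.
# Connect-ExchangeOnline -UserPrincipalName admin@m365x28e341.onmicrosoft.com `
#     -ConnectionUri https://outlook.office365.com/powershell-liveid/
```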

Identity features

The following identity functions are supported:

System Connector task features | Supported
Create / delete identities | Yes
Provisioning identities | Yes
Update identities | Yes
Provisioning identity updates | Yes
Deprovision identities | Yes
Cleanup of inactive identities | Yes
Check password changed | Yes

Resource features

The following resource functions are supported:

System Connector task features | Supported
Create / delete resources | Yes
Provision resources | Yes
Update resources | Yes
Provisioning resource changes | Yes
Deprovisioning resources | Yes
Provisioning resource allocations | Yes
Deprovisioning resource allocations | Yes
Provisioning resource-resource allocations | Yes
Deprovisioning resource-resource allocations | Yes

Cleanup features

The following cleanup functions are supported:

System Connector task features | Supported
Is available in the expected/actual comparison log | Yes
Clean up expected/actual | Yes
Read back user account properties | Yes
Resource-identity assignments target system cleanup | Yes
Resource-resource assignments target system cleanup | Yes