How-to manage Microsoft Entra ID identities indirectly

Introduction

This document gives an overview of indirectly managing identities in Microsoft Entra ID. More information about directly and indirectly managed identities can be found under Microsoft 365 System Connector (other keywords: Exchange Online, Office 365).

It is assumed that the Office 365 target network already exists in the CoreOne Suite.

Step 1 - Prerequisite

It is important to synchronize local Active Directory users using Microsoft Entra Connect in order to manage external Microsoft Entra ID identities. For more information, see the following page: Microsoft Entra Connect and Microsoft Entra Connect Health installation roadmap - Microsoft Entra ID | Microsoft Learn

Step 2 - Provisioning configuration

Configure an appropriate provisioning configuration for your Microsoft Entra ID users. As the users will be synced with Microsoft Entra Connect, you only need to map the mandatory fields.

CoreOne Suite compares the User Principal Name (UPN) with Microsoft Entra ID. It is important to set the UPN property to "not unique" in the provisioning configuration. This is necessary because CoreOne Suite checks if the UPN already exists. If the UPN exists, the CreateIdentityTask will not create the identity in CoreOne Suite.

The UPN must be the same in CoreOne Suite as in Microsoft Entra ID; otherwise, the identities will not be linked.
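
A pre-check for the two requirements above (users synchronized by Microsoft Entra Connect, identical UPN on both sides), as an added example that is not part of CoreOne Suite or of the original page. The function name `Test-UpnLink`, the CoreOne UPN list and the sample users are assumptions; the Entra ID objects have the shape returned by `Get-MgUser` from the Microsoft Graph PowerShell SDK. Differences in case or whitespace are flagged separately because the page does not say whether the comparison is case-sensitive.

```powershell
# Added example: check that each UPN known to CoreOne Suite has a
# directory-synced counterpart in Microsoft Entra ID.
# Real input for -EntraUsers (requires Connect-MgGraph -Scopes 'User.Read.All'):
#   Get-MgUser -All -Property UserPrincipalName,OnPremisesSyncEnabled
function Test-UpnLink {
    param(
        [string[]]$CoreOneUpns,   # assumption: UPNs exported from CoreOne Suite
        [object[]]$EntraUsers     # objects with UserPrincipalName, OnPremisesSyncEnabled
    )
    # Index Entra ID users by trimmed, lower-cased UPN.
    $index = @{}
    foreach ($u in $EntraUsers) {
        $index[$u.UserPrincipalName.Trim().ToLowerInvariant()] = $u
    }
    foreach ($upn in $CoreOneUpns) {
        $hit = $index[$upn.Trim().ToLowerInvariant()]
        if (-not $hit) {
            $status = 'NoEntraUser'          # nothing to link to
        }
        elseif ($hit.OnPremisesSyncEnabled -ne $true) {
            $status = 'NotSynced'            # cloud-only, not from Entra Connect
        }
        elseif ($hit.UserPrincipalName -cne $upn) {
            $status = 'DiffersInCaseOrSpace' # review: values are not byte-identical
        }
        else {
            $status = 'OK'
        }
        [pscustomobject]@{
            CoreOneUpn = $upn
            EntraUpn   = $hit.UserPrincipalName
            Status     = $status
        }
    }
}

# Constructed sample data (not from a real tenant).
$entraUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'anna.muster@example.com';  OnPremisesSyncEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'Ben.Beispiel@example.com'; OnPremisesSyncEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'cloud.only@example.com';   OnPremisesSyncEnabled = $null }
)
$coreOneUpns = 'anna.muster@example.com', 'ben.beispiel@example.com',
               'cloud.only@example.com', 'missing@example.com'

Test-UpnLink -CoreOneUpns $coreOneUpns -EntraUsers $entraUsers | Format-Table
```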

Step 3 - Identity Features to activate/deactivate

Create and configure your identity type based on the provisioning configuration created in Step 2.

The following identity features must be activated or deactivated as listed to manage external Microsoft Entra ID identities successfully:

Activate:

  • Identities provisioned externally

  • Identities deprovisioned externally

Deactivate:

  • Provision identities

  • Provision identity updates

Step 4 - System Features to activate/deactivate

The following system features must be activated or deactivated as listed to manage external Microsoft Entra ID identities successfully:

Activate:

  • Check if identity is provisioned

  • Check if identity is deprovisioned

Deactivate:

  • Identity provision

  • Provision identity updates

© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.