Microsoft 365 System Connector (Other keywords: Exchange Online, Office 365)
Introduction
The Microsoft 365 System Connector enables you to manage the identity and access lifecycle of users, resources and various other objects in the Microsoft 365 cloud. Like any other CoreOne Suite System Connector, this includes the functionality to create, read, update and delete users as well as to assign access rights such as groups, teams and other objects. The target system parameters of the Microsoft 365 System Connector also apply to Exchange Online.
Identity management
This system connector supports two types of identity management: directly and indirectly managed identities.
Directly managed: An Identity that is created from a CoreIdentity and then provisioned to Microsoft Entra ID.
Indirectly managed: An Identity that is created from a CoreIdentity and linked to an existing Microsoft Entra ID user. This Microsoft Entra ID user is synchronized from Active Directory.
If Active Directory (AD) is in use and AD users are synchronized via Microsoft Entra Connect to Microsoft Entra ID, the indirectly managed method might be a viable option. CoreOne Suite creates a reference to Microsoft Entra ID users by linking them via the Object ID.
1. Identities are provisioned from an HR system into CoreOne Suite. Active Directory and Microsoft Entra ID identities are created.
2. CoreOne Suite then provisions the identities only into Active Directory.
3. Microsoft Entra Connect picks up the users and prepares them for synchronization into Microsoft Entra ID.
4. The AD users are provisioned into Microsoft Entra ID.
5. CoreOne Suite then matches the UPN of its identities with the Microsoft Entra ID users and creates the Object ID link.
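The following added example (not CoreOne Suite code) illustrates the check behind step 5 using the Microsoft.Graph PowerShell SDK: for each UPN it looks up the Microsoft Entra ID user, confirms that exactly one match exists and that the account is actually synchronized from on-premises AD, and only then reports the Object ID that would be linked. The application identifier, tenant identifier and certificate thumbprint are placeholders, the UPN list is constructed, and the `Resolve-SyncedEntraUser` function is a hypothetical helper, not part of the connector.

```powershell
# Added example (not CoreOne Suite code): verify that a CoreOne identity's UPN resolves to
# exactly one synchronized Microsoft Entra ID user before an Object ID link is created.
# Assumes the Microsoft.Graph SDK is installed and an app-only session with User.Read.All.
Connect-MgGraph -ClientId '<application-identifier>' -TenantId '<tenant-identifier>' `
    -CertificateThumbprint '<certificate-thumbprint>' -NoWelcome

function Resolve-SyncedEntraUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Escape single quotes so a UPN containing "'" cannot break out of the OData filter.
    $escaped = $UserPrincipalName.Replace("'", "''")
    $users = @(Get-MgUser -Filter "userPrincipalName eq '$escaped'" `
                -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesImmutableId,AccountEnabled)

    if ($users.Count -ne 1) {
        # Zero or several hits: do not guess, report it and let an operator decide.
        return [pscustomobject]@{ Upn = $UserPrincipalName; Status = 'NoUniqueMatch'; ObjectId = $null }
    }
    $u = $users[0]
    if (-not $u.OnPremisesSyncEnabled) {
        # A cloud-only account with this UPN is not what "indirectly managed" expects.
        return [pscustomobject]@{ Upn = $UserPrincipalName; Status = 'NotSyncedFromAD'; ObjectId = $u.Id }
    }
    [pscustomobject]@{ Upn = $UserPrincipalName; Status = 'Linkable'; ObjectId = $u.Id }
}

# Constructed list of UPNs that CoreOne Suite would try to link.
$candidateUpns = @('alice@contoso.com', 'bob@contoso.com')
$candidateUpns | ForEach-Object { Resolve-SyncedEntraUser -UserPrincipalName $_ } | Format-Table -AutoSize
```

Only users reported as `Linkable` should receive an Object ID link; a `NotSyncedFromAD` result usually means a cloud-only account with the same UPN exists and should be reviewed before any link is created.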
Prerequisite
This prerequisite can be skipped if you do not want to provision mailboxes in Exchange Online.
The Microsoft 365 System Connector manages mailboxes in Exchange Online. The ExchangeOnlineManagement PowerShell module must be installed on the server where the System Connector is installed.
Run the following command in Windows PowerShell:
Install-Module ExchangeOnlineManagement
For more information, see the following documentation: https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps&source=recommendations#install-the-exchange-online-powershell-module.
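The following added example (not part of the CoreOne Suite documentation) checks that the module is present on the connector server, installs it if it is missing, locates the application certificate by subject in the machine store, and opens an app-only Exchange Online session with the same certificate-based parameters the connector uses. The application identifier, organization and certificate subject are placeholders.

```powershell
# Added example (not CoreOne Suite code): verify the ExchangeOnlineManagement prerequisite
# and test certificate-based, app-only authentication to Exchange Online.
$module = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
          Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) {
    # Install for all users so the connector's service account can load the module too.
    Install-Module ExchangeOnlineManagement -Scope AllUsers -Force
    $module = Get-Module -ListAvailable -Name ExchangeOnlineManagement | Select-Object -First 1
}
"ExchangeOnlineManagement version $($module.Version) available"

# The certificate must be in the local machine store with its private key and be registered
# on the app registration. It is looked up by subject, matching the connector's
# "Application Certificate Subject" parameter (placeholder value below).
$subject = 'CN=Microsoft Entra ID App Certificate'
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' and a private key found" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it and update the app registration"
}

Connect-ExchangeOnline -AppId '<application-identifier>' `
                       -Organization 'contoso.onmicrosoft.com' `
                       -CertificateThumbprint $cert.Thumbprint `
                       -ShowBanner:$false

# Read-only check that the session works; nothing is modified.
Get-EXOMailbox -ResultSize 5 | Select-Object UserPrincipalName, RecipientTypeDetails
Disconnect-ExchangeOnline -Confirm:$false
```

Run this once under the account the connector service uses; a failure at `Connect-ExchangeOnline` usually means the certificate is not registered on the app registration or the app lacks the Exchange Online application permission.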
System Identity Types
The following system identity types are supported:
| Identity Type | Description |
|---|---|
| Azure AD User | An Azure Active Directory user |
System Identity Attributes
Note that properties of synchronized users cannot be set directly on the Microsoft Entra ID user object. These properties must instead be configured through Group Policy Objects (GPOs) or set on the on-premises user and synchronized with Microsoft Entra Connect.
| Attribute | Type | Example | Description |
|---|---|---|---|
| Password Policies (PasswordPolicies) | String | "DisablePasswordExpiration" | A comma-separated list of values that state how the password policies are set for an identity. "DisablePasswordExpiration": the password of the identity never expires. "DisableStrongPassword": the password does not have to fulfill any complexity requirements. |
| Show In Address List (ShowInAddressList) | Boolean | True | States whether a provisioned identity is shown in the global address list. If set to "True", the user is shown in the global address list. |
| Force-Change-Password-On-Next-Sign-In (ForceChangePasswordNextSignIn) | Boolean | True | States whether the user has to change their password the next time they sign in to any Microsoft 365 application. If set to "True", the password must be changed during the first sign-in. |
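The following added example (not CoreOne Suite code) audits the PasswordPolicies and ForceChangePasswordNextSignIn attributes across the tenant with the Microsoft.Graph SDK and applies the caveat above: a cloud-side fix of a weakened password policy is only attempted for cloud-only users, while synchronized users are reported for correction on-premises. It assumes an app-only session with User.ReadWrite.All (needed to read passwordProfile and to update PasswordPolicies); the application identifier, tenant identifier and certificate thumbprint are placeholders.

```powershell
# Added example (not CoreOne Suite code): find users whose PasswordPolicies weaken the
# password requirements, and remediate only where the cloud object is authoritative.
Connect-MgGraph -ClientId '<application-identifier>' -TenantId '<tenant-identifier>' `
    -CertificateThumbprint '<certificate-thumbprint>' -NoWelcome

$users = Get-MgUser -All -Property Id,UserPrincipalName,PasswordPolicies,OnPremisesSyncEnabled,PasswordProfile

# PasswordPolicies is one string with comma-separated values, e.g. "DisablePasswordExpiration, DisableStrongPassword".
function Split-PasswordPolicies([string]$Value) {
    @(($Value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne 'None' })
}

$report = foreach ($u in $users) {
    $policies = Split-PasswordPolicies $u.PasswordPolicies
    [pscustomobject]@{
        Upn                    = $u.UserPrincipalName
        SyncedFromAD           = [bool]$u.OnPremisesSyncEnabled
        PasswordNeverExpires   = $policies -contains 'DisablePasswordExpiration'
        StrongPasswordDisabled = $policies -contains 'DisableStrongPassword'
        ForceChangeNextSignIn  = [bool]$u.PasswordProfile.ForceChangePasswordNextSignIn
    }
}
$report | Where-Object { $_.StrongPasswordDisabled -or $_.PasswordNeverExpires } | Format-Table -AutoSize

# Remediation: drop DisableStrongPassword but keep any other policy value.
foreach ($row in ($report | Where-Object { $_.StrongPasswordDisabled })) {
    if ($row.SyncedFromAD) {
        # Writing to a synced user would fail or be overwritten; fix it in AD / GPO instead.
        Write-Warning "$($row.Upn) is synchronized from AD; correct the policy on-premises and let Microsoft Entra Connect sync it"
        continue
    }
    $u = $users | Where-Object UserPrincipalName -eq $row.Upn
    $kept = Split-PasswordPolicies $u.PasswordPolicies | Where-Object { $_ -ne 'DisableStrongPassword' }
    $newValue = if ($kept) { $kept -join ',' } else { 'None' }
    Update-MgUser -UserId $u.Id -PasswordPolicies $newValue
}
```

Setting the value to "None" is how the cloud attribute is returned to the default policy; for synchronized users the warning branch is the only safe path, which is exactly the restriction the note above describes.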
System Resource Types
The following system resource types are supported:
| Resource Type | Description |
|---|---|
| Security Group | A regular security group |
| Distribution Group | A regular distribution group |
| Office 365 | An Office 365 group |
| Team | A Microsoft Teams team |
| License | A Microsoft Office 365 license |
Target System Parameters
Whenever you connect a Microsoft 365 system to the CoreOne Suite, you need to specify the following parameters.
| Parameter | Mandatory | Example | Description |
|---|---|---|---|
| Application Identifier | Yes | 4deeecf9-c063-4763-94c6-3db66e4ae679 | The unique identifier of the application generated in the O365 administration panel |
| Application Certificate Subject | Yes | Microsoft Entra ID App Certificate | The self-signed certificate used for client authentication with Microsoft Entra ID. This certificate must be registered in the administration panel |
| Domain | Yes | | The Office 365 tenant |
| Tenant Identifier | Yes | 97b62607-cb86-48ba-9a28-e8e1e7c4c104 | The unique tenant identifier |
| Tenant Name | Yes | Contoso - Test Tenant | The tenant name |
| Username (Marked for deprecation) | - | | The username to connect with |
| Password (Marked for deprecation) | - | * * * * * * * * | The password of the user |
| Connection URI (Marked for deprecation) | - | | The connection URI of the Outlook PowerShell endpoint |
| Application Secret (Marked for deprecation) | - | * * * * * * * * | The secret of the application generated in the administration panel |
From version 9.0 onward, the parameters Username, Password, Connection URI, and Application Secret are marked as deprecated.
Identity features
The following identity functions are supported:
- Create / delete identities
- Provisioning identities
- Update identities
- Provisioning identity updates
- Deprovision identities
- Cleanup of inactive identities (active)
- Check password changed (active)
Resources features
The following resource functions are supported:
- Create / delete resources
- Provision resources
- Update resources
- Provisioning resource changes
- Deprovisioning resources
- Provisioning resource allocations
- Deprovisioning resource allocations
- Provisioning resource-resource allocations
- Deprovisioning resource-resource allocations
Cleanup features
The following cleanup functions are supported:
- Available in the should-actual log
- Should-be / actually-is cleanup
- Read back account properties
- Resource-identity member target system cleanup
- Resource-resource member target system cleanup
© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.