Connecting to Office 365
EmpowerID includes an Office 365 connector that allows you to add a Microsoft Office 365 domain to EmpowerID as a managed account store. The EmpowerID Office 365 connector uses PowerShell to perform administrative tasks in the connected domain, such as creating and deleting users, mailboxes and groups.
As prerequisites to managing Office 365 in EmpowerID, you must have an Office 365 account with Microsoft, and have the versions of the following modules specified below installed on each EmpowerID server you wish to use to manage the domain.
EmpowerID servers that will connect to Office 365 and that currently have the Windows Azure AD Module for Windows PowerShell and the MSOL Sign-in assistant installed must have those modules uninstalled before the newer versions are installed.
- Windows Management Framework 5.0 - This framework provides updated management functionality that EmpowerID uses to communicate with Office 365, including the newest version of Windows PowerShell. You can download the Windows Management Framework 5.0 from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=50395. You must install the framework before installing Windows Azure AD Module for Windows PowerShell Version 1.1. Once you have installed the framework, you can verify the version by running $PSVersionTable.PSVersion in PowerShell. The version returned should be Major 5 Minor 0 or higher.
- Windows Azure AD Module for Windows PowerShell Version 1.1 - This provides you with the Office 365 cmdlets necessary for administering Office 365.
After installing Windows Azure AD Module for Windows PowerShell Version 1.1, run Save-Module -Name MSOnline -Path %path% in PowerShell, replacing %path% with the desired path. If you see messages stating that "PowerShellGet requires NuGet provider version '220.127.116.11' or newer" and "You are installing the modules from an untrusted repository", enter Y for both. Once completed, run Import-Module MSOnline in PowerShell. After importing the module, you can confirm you have the appropriate version by running Get-Module MSOnline. You should see version 18.104.22.168 returned.
In addition to the above requirements, the Proxy Connection Account that EmpowerID uses to manage Office 365 must have the Global Administrator role in Office 365.
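The following script is an added example, not EmpowerID's own code, that checks the prerequisites above on one EmpowerID server in a single pass: the PowerShell version, whether the older Windows Azure AD Module or MSOL Sign-in assistant is still installed, the saved and imported MSOnline module, and optionally whether the proxy connection account holds the Global Administrator role. The $ModulePath default, the $ProxyCredential parameter and the product-name patterns used to spot the older modules in the Uninstall registry keys are assumptions; the MSOnline cmdlets used (Connect-MsolService, Get-MsolRole, Get-MsolRoleMember) are the module's own.

```powershell
# Added example (not EmpowerID's code): verify the Office 365 connector prerequisites
# on this server and, optionally, the Global Administrator role of the proxy account.
param(
    [string]$ModulePath = 'C:\EmpowerID\Modules',   # assumed location for Save-Module
    [pscredential]$ProxyCredential                  # optional: proxy connection account to check
)

$ErrorActionPreference = 'Stop'

# 1. Windows Management Framework 5.0 ships PowerShell 5.0; Major 5 Minor 0 or higher is required.
$psv = $PSVersionTable.PSVersion
if ($psv.Major -lt 5) {
    throw "PowerShell $psv found; Windows Management Framework 5.0 or newer is required."
}
Write-Host "PowerShell version OK: $psv"

# 2. The older Windows Azure AD Module and MSOL Sign-in assistant must be removed first.
#    Installed products are read from the standard Uninstall keys; the DisplayName
#    patterns are an assumption about how those two products are listed there.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$legacy = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Sign-in Assistant|Azure Active Directory Module' } |
    Select-Object -ExpandProperty DisplayName
if ($legacy) {
    Write-Warning "Uninstall these before installing the newer versions:`n - $($legacy -join "`n - ")"
}

# 3. Save the MSOnline module to the chosen path (answer Y to the NuGet-provider and
#    untrusted-repository prompts if they appear) and import it from that folder.
if (-not (Test-Path $ModulePath)) { New-Item -ItemType Directory -Path $ModulePath | Out-Null }
if (-not (Test-Path (Join-Path $ModulePath 'MSOnline'))) {
    Save-Module -Name MSOnline -Path $ModulePath
}
Import-Module (Join-Path $ModulePath 'MSOnline')
$mod = Get-Module MSOnline
Write-Host "MSOnline module loaded, version $($mod.Version)"

# 4. Optional: confirm the proxy connection account is a Global Administrator.
#    In the MSOnline module the Global Administrator role is named 'Company Administrator'.
if ($ProxyCredential) {
    Connect-MsolService -Credential $ProxyCredential
    $role = Get-MsolRole -RoleName 'Company Administrator'
    $isGlobalAdmin = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.EmailAddress -eq $ProxyCredential.UserName }
    if ($isGlobalAdmin) {
        Write-Host "$($ProxyCredential.UserName) holds the Global Administrator role."
    } else {
        Write-Warning "$($ProxyCredential.UserName) is not a Global Administrator; the EmpowerID proxy connection account requires that role."
    }
}
```

Run it once per EmpowerID server that will manage the domain, for example .\Check-O365Prereqs.ps1 -ModulePath 'D:\Modules' -ProxyCredential (Get-Credential). Step 3 imports the module from the folder Save-Module wrote to, so it works even when that folder is not on PSModulePath; the role check in step 4 is skipped unless a credential is supplied.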
To connect to Office 365
1. Log in to the EmpowerID Management Console as an administrator.
2. From the EmpowerID Management Console, click the EmpowerID icon and select Configuration Manager from the application menu.
3. In Configuration Manager, expand the User Directories node in the application navigation tree and then click the Account Stores node.
4. Click the Add New button located above the Account Stores grid.
5. In the Add New Security Boundary window that opens, select Office365 from the Security Boundary Type drop-down list and then click OK.
6. In the Security Boundary Details window that appears, type a name for the Office 365 account store in the Display Name field, type the fully qualified domain name your Office 365 account was given by Microsoft when it was first created (such as empid.onmicrosoft.com) in the FQN field, and then click OK.
This adds the Office 365 account store to the Account Stores grid.
7. From the Account Stores grid, double-click the Office 365 account store you just created.
This opens the Account Store Details screen for the Office 365 account store. This screen contains the settings for configuring how EmpowerID manages the Office 365 account store.
8. In the General pane of the Office 365 Account Store Details screen, click the Edit button to the right of the Powershell Administrative Accounts setting, and in the Edit Proxy Accounts window that appears click the Add New button.
9. In the Proxy Connection Account window that appears, type the username and password for the administrative account that is to be used to manage Office 365 and then click OK. This account must have the Global Administrator role in Office 365.
10. Click OK to close the Edit Proxy Accounts window.
11. Back in the Account Store Details screen for the Office 365 account store, click the red sphere so that it becomes a green check box for each of the following settings that you want to enable:
- Allow Person Provisioning - If enabled, EmpowerID provisions a Person object for each user discovered in the account store.
- Allow RET Provisioning - If enabled, EmpowerID applies any Resource Entitlement policies to each person provisioned from the inventoried account store if those people are placed in a Business Role and Location that is targeted by a Resource Entitlement Policy.
- Allow RET De-Provisioning - If enabled, EmpowerID removes any Resource Entitlements received by the Office 365 users if those users no longer meet the criteria for those resources.
12. From the Account Store Details screen for the Office 365 account store, navigate to the Inventory pane, click the Edit button to the right of Business Role for New Inventory Provision, and select an appropriate Business Role for each new Person provisioned during the inventory of your Office 365 from the Business Role Selector that appears.
13. Click OK to close the Business Role Selector.
14. From the Inventory pane of the Account Store Details screen for the Office 365 account store, click the Edit button to the right of Location For New Inventory Provision and select an appropriate Location for each Person provisioned during the inventory of your Office 365 from the Location Selector that appears.
15. Click OK to close the Location Selector.
16. From the Inventory pane of the Account Store Details screen for the Office 365 account store, click the red sphere to the left of Enable Inventory so that the red sphere becomes a green check box. This allows EmpowerID to inventory your Office 365 and create the appropriate user accounts and Person objects in EmpowerID.
17. Return to the main Configuration Manager screen and turn on the Office365 batch processing job by clicking the EmpowerID Servers and Roles node and ticking the Office365 Batch Processor box underneath at least one EmpowerID server.