Connecting to Office 365

EmpowerID includes an Office 365 connector that allows you to add a Microsoft Office 365 domain to EmpowerID as a managed account store. The EmpowerID Office 365 connector uses PowerShell to perform administrative tasks in the connected domain, such as creating and deleting users, mailboxes and groups.

As prerequisites to managing Office 365 in EmpowerID, you must have an Office 365 account with Microsoft and have the versions of the following modules specified below installed on each EmpowerID server you wish to use to manage the domain.

EmpowerID servers that will connect to Office 365 and currently have the Windows Azure AD Module for Windows PowerShell and the MSOL Sign-in Assistant installed must have those modules uninstalled before the newer versions are installed.

  • Windows Management Framework 5.0 - This framework provides the updated management functionality that EmpowerID uses to communicate with Office 365, including the newest version of Windows PowerShell. You can download Windows Management Framework 5.0 from Microsoft at: https://www.microsoft.com/en-us/download/details.aspx?id=50395. You must install the framework before installing Windows Azure AD Module for Windows PowerShell Version 1.1. Once you have installed the framework, you can verify the version by running $PSVersionTable.PSVersion in PowerShell. The version returned should be Major 5 Minor 0 or higher.
  • Windows Azure AD Module for Windows PowerShell Version 1.1 - This provides you with the Office 365 cmdlets necessary for administering Office 365.
  • After installing Windows Azure AD Module for Windows PowerShell Version 1.1, run Save-Module -Name MSOnline -Path %path% in PowerShell, replacing %path% with the desired path. If you see messages stating that "PowerShellGet requires NuGet provider version '2.8.5.201' or newer" and "You are installing the modules from an untrusted repository", enter Y for both. Once completed, run Import-Module MSOnline in PowerShell. After importing the module, you can confirm you have the appropriate version by running Get-Module MSOnline. You should see version 1.1.166.0 returned.
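The prerequisite checks above (PowerShell version, removal of the legacy module and sign-in assistant, and the Save-Module / Import-Module / Get-Module sequence) can be run as one pre-flight script on each EmpowerID server. The script below is an added example and is not EmpowerID's code. The required versions (PowerShell 5.0 and MSOnline 1.1.166.0) are the ones stated above; the default save path, the Add/Remove Programs display-name patterns used to detect the old module and sign-in assistant, and the optional Global Administrator check of the Proxy Connection Account (MSOnline exposes that role under its older name "Company Administrator") are assumptions made here.

```powershell
# Added example (not EmpowerID's code): pre-flight check of the Office 365 connector
# prerequisites on one EmpowerID server. Versions come from the prerequisites list;
# the save path, the uninstall display-name patterns and the role check are assumptions.
[CmdletBinding()]
param(
    # Stand-in for %path%. This folder is on PSModulePath, so Import-Module MSOnline finds it by name.
    [string]$ModuleSavePath = "$env:ProgramFiles\WindowsPowerShell\Modules",
    [version]$RequiredPSVersion = '5.0',
    [version]$RequiredMsolVersion = '1.1.166.0',
    # Optional: the Proxy Connection Account credential, to confirm it holds Global Administrator.
    [pscredential]$ProxyCredential
)

function Test-PSVersion {
    # Windows Management Framework 5.0 installs PowerShell 5.0; anything older fails the check.
    $current = $PSVersionTable.PSVersion
    if ($current -lt $RequiredPSVersion) {
        Write-Warning "PowerShell $current found; WMF 5.0 (PowerShell $RequiredPSVersion) or newer is required."
        return $false
    }
    return $true
}

function Test-LegacyModulesRemoved {
    # The old Windows Azure AD Module and MSOL Sign-in Assistant must be uninstalled first.
    # Assumption: these DisplayName patterns match how those products register in Add/Remove Programs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $legacy = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Azure Active Directory Module*' -or
                       $_.DisplayName -like '*Online Services Sign-in Assistant*' }
    foreach ($product in $legacy) {
        Write-Warning "Uninstall before continuing: $($product.DisplayName) $($product.DisplayVersion)"
    }
    return (-not $legacy)
}

function Test-MsolModule {
    # Save-Module / Import-Module / Get-Module sequence from the prerequisites, run non-interactively:
    # Install-PackageProvider and -Force take the place of answering Y to the two prompts.
    try {
        if (-not (Get-Module -ListAvailable -Name MSOnline)) {
            Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
            Save-Module -Name MSOnline -Path $ModuleSavePath -Force
        }
        Import-Module MSOnline -ErrorAction Stop
    } catch {
        Write-Warning "MSOnline could not be saved or imported: $($_.Exception.Message)"
        return $false
    }
    $loaded = Get-Module MSOnline
    if ($loaded.Version -ne $RequiredMsolVersion) {
        Write-Warning "MSOnline $($loaded.Version) loaded; the connector expects $RequiredMsolVersion."
        return $false
    }
    return $true
}

function Test-ProxyAccountIsGlobalAdmin {
    # Confirms the Proxy Connection Account is a Global Administrator. Requires Test-MsolModule to pass.
    param([Parameter(Mandatory)][pscredential]$Credential)
    try {
        Connect-MsolService -Credential $Credential -ErrorAction Stop
    } catch {
        Write-Warning "Could not sign in as $($Credential.UserName): $($_.Exception.Message)"
        return $false
    }
    $role = Get-MsolRole -RoleName 'Company Administrator'   # MSOnline's name for Global Administrator
    $member = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.EmailAddress -eq $Credential.UserName }
    if (-not $member) {
        Write-Warning "$($Credential.UserName) is not a Global Administrator; the connector cannot manage the tenant."
        return $false
    }
    return $true
}

$results = [ordered]@{
    'PowerShell 5.0 or newer' = Test-PSVersion
    'Legacy modules removed'  = Test-LegacyModulesRemoved
    'MSOnline 1.1.166.0'      = Test-MsolModule
}
if ($ProxyCredential) {
    $results['Proxy account is Global Administrator'] = Test-ProxyAccountIsGlobalAdmin -Credential $ProxyCredential
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Run it from an elevated PowerShell session, since saving into the Program Files module folder needs administrative rights; pass -ProxyCredential (Get-Credential) to include the role check, and -Verbose if you want the intermediate steps echoed. The role check signs in with a password only, so it will not work for an account that enforces multi-factor authentication at sign-in.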

In addition to the above requirements, the Proxy Connection Account that EmpowerID uses to manage Office 365 must have the Global Administrator role in Office 365.

To connect to Office 365

  1. Log in to the EmpowerID Management Console as an administrator.
  2. From the EmpowerID Management Console, click the EmpowerID icon and select Configuration Manager from the application menu.
  3. In Configuration Manager, expand the User Directories node in the application navigation tree and then click the Account Stores node.
  4. Click the Add New button located above the Account Stores grid.
  5. In the Add New Security Boundary window that opens, select Office365 from the Security Boundary Type drop-down list and then click OK.

  6. In the Security Boundary Details window that appears, type a name for the Office 365 account store in the Name and Display Name fields, type the fully qualified domain name your Office 365 account was given by Microsoft when it was first created (such as empid.onmicrosoft.com) in the FQN field, and then click Save.

    This adds the Office 365 account store to the Account Stores grid.

  7. From the Account Stores grid, double-click the Office 365 account store you just created.

    This opens the Account Store Details screen for the Office 365 account store. This screen contains settings for configuring how EmpowerID manages the Office 365 account store.

  8. From the General pane of the Office 365 Account Store Details screen, click the Edit button to the right of the Powershell Administrative Accounts setting and in the Edit Proxy Accounts window that appears click the Add New button.

  9. In the Proxy Connection Account window that appears, type the username and password for the administrative account that is to be used to manage Office 365 and then click OK. This account must have the Global Administrator role in Office 365.

  10. Click OK to close the Edit Proxy Accounts window.
  11. Back in the Account Store Details screen for the Office 365 account store, click the red sphere beside each of the following settings that you want to enable so that it becomes a green check box:
    • Allow Person Provisioning - If enabled, EmpowerID provisions a Person object for each user discovered in the account store.
    • Allow RET Provisioning - If enabled, EmpowerID applies any Resource Entitlement policies to each Person provisioned from an inventoried AWS account if those people are placed in a Business Role and Location that is targeted by a Resource Entitlement Policy.
    • Allow RET De-Provisioning - If enabled, EmpowerID removes any Resource Entitlements received by the Office 365 users if those users no longer meet the criteria for those resources.

  12. From the Account Store Details screen for the Office 365 account store, navigate to the Inventory pane, click the Edit button to the right of Business Role for New Inventory Provision, and select an appropriate Business Role for each new Person provisioned during the inventory of your Office 365 account store from the Business Role Selector that appears.
  13. Click OK to close the Business Role Selector.
  14. From the Inventory pane of the Account Store Details screen for the Office 365 account store, click the Edit button to the right of Location For New Inventory Provision and select an appropriate Location for each Person provisioned during the inventory of your Office 365 from the Location Selector that appears.
  15. Click OK to close the Location Selector.  
  16. From the Inventory pane of the Account Store Details screen for the Office 365 account store, click the red sphere to the left of Enable Inventory so that the red sphere becomes a green check box. This allows EmpowerID to inventory your Office 365 and create the appropriate user accounts and Person objects in EmpowerID.

  17. Return to the main Configuration Manager screen and turn on the Office365 batch processing job by clicking the EmpowerID Servers and Roles node and ticking the Office365 Batch Processor box beneath at least one EmpowerID server.