EmpowerID includes an Office 365 connector that allows you to add a Microsoft Office 365 domain to the EmpowerID Identity Warehouse as a managed account store. The EmpowerID Office 365 connector uses PowerShell to perform administrative tasks in the connected domain, such as creating and deleting users, mailboxes and groups.
As prerequisites to managing Office 365 in EmpowerID, you must have an Office 365 account with Microsoft, and have the the below specified versions of the following modules installed on each EmpowerID server you wish to use to manage the domain.
EmpowerID servers that will be connecting to Office 365 that currently have Windows Azure AD Module for Windows PowerShell and MSOL Sign-in assistant installed, will need to have those modules removed before installing the newer versions.
Windows Management Framework 5.0 - This framework provides updated management functionality that EmpowerID uses to communicate to Office 365, to include the newest version of Windows PowerShell. You can download the Windows Management Framework 5.0 from Microsoft at:
https://www.microsoft.com/en-us/download/details.aspx?id=50395. You must install the framework before installing Windows Azure AD Module for Windows PowerShell Version 1.1. Once you have installed the framework, you can verify the version by running $PSVersionTable.PSVersion in Powershell. The version returned should be Major 5 Minor 0 or higher.
Windows Azure AD Module for Windows PowerShell Version 1.1 - This provides you with the Office 365 cmdlets necessary for administering Office 365.
After installing Windows Azure AD Module for Windows PowerShell Version 1.1, run Save-Module -Name MSOnline -Path %path% in PowerShell, replacing %path% with the desired path. If you see messages stating that "PowerShellGet requires NuGet provider version'188.8.131.52' or newer" and "You are installing the modules from an untrusted repository", enter Y for both. Once completed, run Import-Module MSOnline in PowerShell. After importing the module, you can confirm you have the appropriate version by running Get-Module MSOnline. You should see version 184.108.40.206 returned.
In addition to the above requirements, the Proxy Connection Account that EmpowerID uses to manage Office 365 must have the Global Administrator role in Office 365.
To connect to Office 365
Log in to the EmpowerID Management Console as an administrator.
From the EmpowerID Management Console, click the application icon and select Configuration Manager from the application menu.
In Configuration Manager, expand the User Directories node in the application navigation tree and then click the Account Stores node.
Click the Add New button located above the Account Stores grid.
In the Add New Security Boundary window that opens, select Office365 from the Security Boundary Type drop-down list and then click OK.
In the Security Boundary Details window that appears, enter a name for the Office 365 account store in the Name and Display Name fields respectively, the fully qualified domain name your Office 365 account was given by Microsoft when first created—such as empid.onmicrosoft.com —in the FQN field, and then click Save.
This adds the Office 365 account store to the Account Stores grid.
From the Account Stores grid, double-click the Office 365 account store you just created.
This opens the Account Store Details screen for the Office 365 account store. This screen contains settings for configuring how EmpowerID manages the Office 365 account store.
From the General pane of the Office 365 Account Store Details screen, do the following:
If you have more than one Password Manager Policy configured in your environment and you want to apply a specific policy to each Person object, click the Edit button to the right of Password Manager Policy and select the appropriate policy from the Choose a Policy lookup.
If you have more than one Password Manager Policy and you do not select a specific policy, EmpowerID applies the Default Password Manager Policy.
Click the Edit button to the right of the Powershell Administrative Accounts setting and in the Edit Proxy Accounts window that appears click the Add New button.
In the Proxy Connection Account window that appears type the username and password for the administrative account that is to be used manage Office 365 and then click OK.
If the Proxy account is not a global administrator, you must add a Service Principal Credential account with that role.
Click OK to close the Edit Proxy Accounts window.
If the Proxy account added above does not have the global administrator role in Office 365, click the Edit button to the right of the Service Principal Credential setting, enter the appropriate credentials in the Proxy Connection Account window and then click OK to close the window.
Back in the General Pane, toggle the red sphere to a green check box for each of the following settings that you want to enable:
Allow Person Provisioning - If enabled, EmpowerID provisions a Person object for each new Office 365 user discovered during inventory.
Allow RET Provisioning - If enabled, EmpowerID applies any Resource Entitlements policies to each Person provisioned from an Office 365 account if those people are placed in a Business Role and Location that is targeted by one or more Resource Entitlement Policies.
Allow RET De-Provisioning - If enabled, EmpowerID removes any Resource Entitlements received by the Office 365 users if those users no longer meet the criteria for those resources.
Enable Attribute Flow - If enabled, changes occurring to user attributes in Office 365 will occur to related identity objects in EmpowerID and vice-versa depending on how you set up your attribute flow rules. The default flow for must user attributes is bi-directional, meaning attribute changes in one system flow to the other system. You can change these as needed.
From the Account Store Details screen, navigate to the Inventory pane.
If you are provisioning EmpowerID Persons during inventory, toggle the red sphere to the left of Allow Automatic Person Provision On Inventor to a green check box.
If you are provisioning EmpowerID Persons during inventory and you want to place them in a specific Business Role, click the Edit button to the right of Business Role for New Inventory Provision and then select an appropriate Business Role for each new Person provisioned from the Business Role Selector.
If you are provisioning EmpowerID Persons during inventory and do not select a specific Business Role, EmpowerID places each new Person in the Temporary Business Role.
In the below image, we have selected Standard Employee as the Business Role for each new Person.
Click OK to close the Business Role Selector.
If you are provisioning EmpowerID Persons during inventory and you want to place them in a specific location, click the Edit button to the right of Location For New Inventory Provision and then select an appropriate location for each Person provisioned from the Location Selector.
If you are provisioning EmpowerID Persons during inventory and do not select a specific location, EmpowerID places each new Person in the Temporary Location location.
Click OK to close the Location Selector.
If you have one or more domains registered for your Office 365 account other than the default domain given to you by Microsoft, click the Accepted Domains tab.
Click the Add New button.
Enter the UPN suffix for the domain in the Name and Friendly Name fields and then click Save.
As needed, repeat the above two steps for each valid domain.
Click the Details tab to return to the Details view and then navigate to the Inventory pane.
The last action to perform on this screen is to enable inventory. However, before doing so, it is important to review and configure the attribute flow rules for the Office 365 account store to ensure they meet your policy requirements.
Point your browser to the URL for accessing the EmpowerID Web portal in your environment and log in as an administrative user.
From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Attribute Flow Rules page by expanding Admin > Applications and Directories and clicking Attribute Flow Rules.
From the Attribute Flow Rules page, click the Advanced Search drop-down arrow to the right of the search field to open the Advanced Search pane.
Enter the name of your Office 365 account store in the Account Store field and then either click the Search button or press ENTER.
You should see the only the Attribute Flow Rules for your Office 365 account store. By default, the flow rules for each attribute are set to bidirectional. This is the recommended setting; however, you can change these as needed
Click X to close the Advanced Search pane.
Review the flow rules and make changes as needed by clicking the drop-down arrow to the right of the attribute whose flow rule you want to change and then select the appropriate flow rule from the drop-down menu.
When configuring attribute flow rules, the following options are available:
No Sync - When this option is selected, no information flows between EmpowerID and the native system.
Bidirectional Flow - When this option is selected, changes made within EmpowerID update the native system and vice-versa.
Account Store Changes Only - When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
EmpowerID Changes Only - When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
After reviewing and making any needed changes to the attribute flow rules, return to the Office 365 Account Store Details screen in Configuration Manager.
From the Inventory pane, toggle the red sphere to the left of Enable Inventory to a green check box. This allows EmpowerID to inventory your Office 365 and create the appropriate user accounts and Person objects (when Person Provisioning is enabled for the account store) in EmpowerID.
If your Office 365 subscription includes Exchange Online, you can configure EmpowerID to inventory and enforce permissions for Exchange, as well as to perform batch processing for Exchange Online actions. For more information, see Configuring EmpowerID for Exchange Online Management.