Creating Provisioning Policies for Exchange Mailboxes

In EmpowerID, Provisioning policies, also known as "Resource Entitlements" or "RETS," are policies that can be created to automate the provisioning, moving, disabling and de-provisioning of resources to users based on their meeting certain qualifying criteria, such as belonging to a specific group, Management Role, Business Role and Location, or Query-Based Collection. Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource specified by the policy.

Prerequisites -
Before you can create a Provisioning policy for an Exchange Mailbox, the following prerequisites need to be met:
  • EmpowerID must first be connected to Active Directory. For the details, see Connecting to Active Directory.
  • The Active Directory forest must contain an Exchange organization; mailboxes are provisioned into that organization.
  • RET provisioning and RET deprovisioning must be enabled on the Active Directory account store.
    • To Enable RET Provisioning and Deprovisioning
      1. Log in to the EmpowerID Management Console as an administrator.
      2. From the EmpowerID Management Console, navigate to Configuration Manager by clicking the EmpowerID icon and selecting Configuration Manager from the context menu.
      3. In Configuration Manager, expand the User Directories node in the application navigation tree to the left and click Account Stores.
      4. Locate your Active Directory account store in the grid, right-click it and select Edit from the context menu.
      5. In the General pane of the Account Store Details screen for your Active Directory, verify that Allow RET Provisioning and Allow RET De-Provisioning are both enabled (green check mark beside each line). If either setting is not enabled, toggle it from a red sphere to a green check mark, so that both look like the below image.
  • Optional - If your organization wants the ability to approve or deny RETs on either a case-by-case basis or in batches, then you must enable both the Resource Entitlement Inbox Processor Job and the Resource Entitlement Recalculation Job on at least one EmpowerID server. If these jobs are not enabled, the default RET Provisioning and Transforming workflows will auto-provision all RETs. No approval processes will be involved.
    • To Enable RET Jobs
      1. In Configuration Manager, click the EmpowerID Servers and Roles node.
      2. Check the Resource Entitlement Inbox Processor Job and Resource Entitlement Recalculation Job on at least one EmpowerID Server.

This topic demonstrates how to create a RET policy that automates the provisioning and de-provisioning of Exchange mailboxes and is divided into the following activities:

  1. Creating a provisioning policy for Exchange mailboxes
  2. Assigning the provisioning policy to a specific target
    Provisioning policies can be targeted against any number or combination of Management Roles, groups, Business Roles and Locations, Query-Based collections, as well as individual people.
  3. Approving the pending RETs
  4. Verifying the policy created the Exchange mailboxes in Exchange

To create a RET that provisions Exchange mailboxes

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Provisioning Policies management page by expanding Admin > Policies and clicking Provisioning Policies (RETS).
  2. From the Provisioning Policies management page, click the Actions tab and then click the Create Provisioning Policy tile.
  3. In the Choose Type section of the Policy Details form that appears, select Exchange User Mailbox from the Object Type To Provision drop-down.
  4. In the General section of the form, do the following:
    1. Type a name and display name for the policy in the Name and Display Name fields, respectively. These fields are required.
    2. Optionally, type a description for the policy in the Description field and specify the mailbox load balancing group in the Mailbox Load Balancing Group field.
    3. Select your Exchange organization from the Exchange Organization drop-down.
    4. Select the Active Directory domain with the Exchange organization from the Depends on Resource System drop-down. This specifies that the user must have an AD account in that domain before the mailbox can be provisioned.
    5. The General section of the form should look similar to the below image.

    • All Provisions Require Approval - If this option is selected, the provisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
    • All Deprovisions Require Approval - If this option is selected, the deprovisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
    • Require Approval if Provision Batch Larger Than Threshold - This field sets a numeric threshold. If a single run of the Resource Entitlement Inbox produces a provisioning batch larger than this number, the whole batch is held for an approver; EmpowerID provisions none of the resources in that batch until approval is granted. Batches at or below the threshold are provisioned without approval.
    • Require Approval if Deprovision Batch Larger Than Threshold - This field sets the equivalent threshold for deprovisioning. If a single run of the Resource Entitlement Inbox produces a deprovisioning batch larger than this number, EmpowerID deprovisions none of the resources in that batch until an approver grants approval. A low deprovision threshold is a useful safeguard against a mis-scoped policy removing many mailboxes at once.
    As a best practice, when testing provisioning policies, you should select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment.

    In our example, we have selected All Provisions Require Approval and All Deprovisions Require Approval, meaning that the provisioning and deprovisioning of every mailbox must be approved before the RET Inbox processes it.

  5. In the Advanced section of the form, do the following:
    1. Select Do Nothing from the On Claim Action drop-down. This tells EmpowerID to simply mark any previous resources assigned to the user that match this policy as RET-managed resources. For example, if the user already has an Exchange mailbox and is placed in a Management Role targeted by the RET policy, EmpowerID marks that user's mailbox as RET managed.
    2. Select Deprovision from the On Revoke Action drop-down. This tells EmpowerID to delete the mailbox when the person no longer meets the criteria to receive the resource from the RET, for example because the person is terminated or removed from a qualifying Management Role, group, Business Role and Location, or Query-Based Collection.
    3. The Advanced section of the form should look similar to the following image:

    4. Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty. These fields allow you to use a custom assembly to set where an account (or any RET that requires a path) should be created.
  6. Back in the main form, click Save.
  7. Next, assign the policy you just created to one or more targets as demonstrated below.

To assign the Exchange Mailbox RET policy to a target

  1. Scroll to the Policy Assigned To section of the Policy Details form and click the Add (+) button underneath the specific target type to which you want to assign the RET. In our example, we are assigning the policy to the Contractor in All Business Locations Business Role and Location so we are clicking the Add (+) button in the Business Role and Locations pane of the section. In this way, each Person who has the Contractor Business Role in any location will receive a mailbox.
  2. This opens the Add Entry pane, which is where you select the specific actor you want to assign the policy to. Because we are assigning the policy to a Business Role and Location, the Add Entry pane is contextualized for that actor type.

  3. From the Add Entry pane, click the Select a Role and Location link.
  4. In the Business Role and Location selector that appears, do the following:
    1. Search for and select the Business Role to which you want to assign the policy. In our example, we are assigning the policy to the Contractor Business Role, so we have selected Contractor.
    2. Click the Location tab and then search for and select the Location. In our example, we want the policy to be applied to all contractors within any business location of the default organization regardless of their location, so we have selected Anywhere.
  5. Click Select to close the Business Role and Location selector.
  6. Type a number to specify the priority for the RET policy in the Priority field. This value is used to determine the priority of the RET if the user qualifies for the same RET by virtue of another assignment, such as being a member of a group that has the same policy.
  7. Click Save.
  8. Back in the main form, click Save.
  9. If you selected All Provisions Require Approval, you must manually approve each item in the Resource Entitlement Inbox for this policy before EmpowerID will provision the mailboxes. This is demonstrated in the next section.

To approve pending RETs

  1. From the Navigation Sidebar, navigate to the RET Inbox by expanding System Logs and clicking Provisioning (RET) Inbox.
  2. Click the Pending Approval tab. You should see a list of all RETS requiring approval.
  3. If you do not see a list of RETS pending approval, allow several minutes for EmpowerID to process the RET policy and then press the Search button.

  4. To approve a RET, click the Approve drop-down and select Approve from the menu.
  5. Repeat step 4 for each RET you want to approve.
  6. When finished with your approvals, click the shopping cart at the top of the page, type a reason for the approval in the dialog and then click Submit.
  7. Back in the RET Inbox, click the Approved or Rejected tab. You should see the RETS you approved show in the grid with a RET Action of Grant.

To verify the RET policy provisioned mailboxes in Exchange

  1. On your Exchange server, open the Exchange Management Shell and run the following PowerShell pipeline (it assumes you provisioned the mailboxes within the last day; adjust the AddDays value otherwise):

     Get-Mailbox -ResultSize Unlimited | Where-Object { $_.WhenMailboxCreated -gt (Get-Date).AddDays(-1) } | Format-Table Name, WhenMailboxCreated -AutoSize

     You should see the mailboxes provisioned by the RET policy.
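The one-liner above shows what was created, but not whether it matches who the policy was meant to target. The following script is an added example, not part of the EmpowerID documentation or product, that runs in the Exchange Management Shell and reconciles the mailboxes created in the window against a list of the people who should have received one, then lists mailboxes disconnected in the same window so that On Revoke = Deprovision can be confirmed as well. The account names in $ExpectedUsers are constructed placeholders; replace them with the SamAccountNames of the people who hold the targeted Business Role. The file name Verify-RetMailboxes.ps1 is likewise only a suggestion.

```powershell
# Verify-RetMailboxes.ps1 (added example, not EmpowerID code). Run from the
# Exchange Management Shell:  .\Verify-RetMailboxes.ps1 -Days 1
param(
    [int]$Days = 1,
    # Constructed sample: replace with the SamAccountNames the RET policy targets.
    [string[]]$ExpectedUsers = @('contractor01', 'contractor02', 'contractor03')
)

$since = (Get-Date).AddDays(-$Days)

# Every mailbox created inside the window, with the AD account it belongs to.
$created = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.WhenMailboxCreated -gt $since } |
    Select-Object Name, SamAccountName, UserPrincipalName, Database, WhenMailboxCreated)

$createdSam  = @($created       | ForEach-Object { $_.SamAccountName.ToLowerInvariant() })
$expectedSam = @($ExpectedUsers | ForEach-Object { $_.ToLowerInvariant() })

# Expected people with no new mailbox: typically the RET is still pending
# approval, or the person has no account in the domain the policy depends on.
$missing = @($expectedSam | Where-Object { $createdSam -notcontains $_ })

# New mailboxes for people outside the expected set: created by another policy
# or process, or the policy's target is broader than intended. Review these
# before approving further batches.
$unexpected = @($created | Where-Object {
    $expectedSam -notcontains $_.SamAccountName.ToLowerInvariant() })

Write-Host "Mailboxes created since $since : $($created.Count)"
$created | Format-Table Name, SamAccountName, Database, WhenMailboxCreated -AutoSize

Write-Host "Expected users without a new mailbox: $($missing.Count)"
$missing | ForEach-Object { Write-Host "  $_" }

Write-Host "New mailboxes not in the expected list: $($unexpected.Count)"
$unexpected | Format-Table Name, SamAccountName, Database -AutoSize

# Deprovisioning check: a mailbox removed by the On Revoke action remains as a
# disconnected mailbox until its retention period expires, so revocations
# processed in the window can be confirmed here.
Write-Host "Mailboxes disconnected since $since :"
Get-MailboxDatabase | Get-MailboxStatistics |
    Where-Object { $_.DisconnectDate -and $_.DisconnectDate -gt $since } |
    Format-Table DisplayName, DisconnectReason, DisconnectDate, Database -AutoSize
```

Treat a non-empty "not in the expected list" section as a finding to investigate rather than noise: with All Provisions Require Approval selected, anything that appears there was either approved by a delegate or created outside the RET Inbox entirely, and both cases deserve a look at the Approved or Rejected tab and the policy's Policy Assigned To section.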