This connector supports both Identity and Provisioning.
The Identity functionalities of this connector enable you, as an Identity administrator, to configure Microsoft Office 365 REST as a connected system and then make Identity users part of the Microsoft Office 365 system. This enables the user or Identity administrator to reset Microsoft Office 365 account passwords, and to enable or disable a user account.
The Provisioning functionalities of this connector enable exporting and importing user accounts and groups on a Microsoft Office 365 system.
This connector supports:
- Managing Mailboxes and Contacts of a user.
- Assigning Licenses to users.
- Assigning security and Office 365 group membership to users.
- Managing security and Office 365 groups.
Functionalities
Identity Integration
Product Feature | Supported |
---|---|
Authenticate | Yes |
Validate User | Yes |
Enable/Disable User | Yes |
Reset Password | Yes |
Expire Password Immediately | Yes |
Expire Password by Date | No |
Provisioning Integration
Data Format | Export | Create | Modify | Delete | Trigger |
---|---|---|---|---|---|
User | Yes | Yes | Yes | Yes | No |
Group | Yes | Yes | Yes | Yes | No |
Prerequisites
Ensure that these prerequisites are satisfied:
- Office 365 Application Registration
- Connection Information for Identity
- Setting the Permissions
Office 365 Application Registration in Azure Portal
- Sign in to https://portal.azure.com with a Microsoft account.
- On the home page, click Azure Active Directory in the left-side menu.
- Click the App registrations menu under Manage on the page that loads.
- To register a new application, click the New registration button on the top panel.
- In the registration form:
  - Name – Give any name for your application.
  - Supported account types – Choose the radio button that matches your needs.
  - Redirect URI – Select Web from the combo box and enter the redirect URL in the text field as "https://localhost:8080/identity/fiscauth", with "https://localhost:8080" replaced by the address of one of your Identity instances or the Identity load balancer.
- Register the application by clicking the Register button.
- After successful registration, the page loads information about the new application such as Display name, Application id, Tenant id, Object id, etc.
Connection Information for Identity
To establish a connection with this app from our application, we need the Tenant id, Application id and Application secret.
- Tenant id – Directory id of your domain.
- Application id – Created while registering the application.
- Application secret – Generated by following these steps:
  - Click the Certificates & secrets menu in the left panel.
  - Under the Client secrets section, click the New client secret button.
  - Give a description, choose the secret expiration period as you wish, and click Add.
  - The Application secret (value) is now listed under the Client secrets section with its Description and Expires date.
  - Note the secret and keep it safe for future use; it cannot be accessed or copied again once you navigate away from the screen. If you lose the secret, you will have to create a new one.
Setting the Permissions
Give API permissions to our application so that it can use the APIs. This is done by following these steps:
- Click the API permissions menu under Manage in the left panel.
- Click the Add a permission button under the API permissions section.
- In the new window, select Microsoft Graph under the Microsoft APIs tab. It loads two types of permissions, Delegated permissions and Application permissions. Add permissions of each type based on the tables below.
Delegated permissions
Operation | Permission | Description |
---|---|---|
User operations | User.ReadWrite.All | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf. |
Group operations | Group.ReadWrite.All | Allows the app to create groups and read all group properties and memberships on your behalf. Additionally allows the app to manage your groups and to update group content for groups you are a member of. |
Role operations | Directory.ReadWrite.All | Allows the app to read and write data in your organization's directory, such as other users and groups. It does not allow the app to delete users or groups, or reset user passwords. |
Application permissions
Operation | Permission | Description |
---|---|---|
Contacts operations | Contacts.ReadWrite | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
Mailbox settings operations | MailboxSettings.ReadWrite | Allows the app to create, read and update a user's mailbox settings without a signed-in user. Does not include permission to send mail. |
To manage user accounts, the user should have the User management administrator role. With this role, however, passwords of global admins cannot be reset and global admin accounts cannot be deleted; only a global admin has privileges to perform all operations.
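A least-privilege check for the token that later gets pasted into the Access Tokens (JSON) field, added here as an example and not part of this product's code: it reads the delegated (scp) and application (roles) claims out of the access token and reports what is missing from, or surplus to, the permission tables above, plus how long the token has left. It assumes the field holds a standard OAuth token response object with an "access_token" member; the sample token, tenant id and application id are constructed placeholders.

```python
import base64
import json
import time

# Permissions the connector needs, taken from the two permission tables above.
# Delegated permissions arrive in the token's "scp" claim, application
# permissions in its "roles" claim.
REQUIRED_DELEGATED = {"User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"}
REQUIRED_APPLICATION = {"Contacts.ReadWrite", "MailboxSettings.ReadWrite"}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token):
    """Return the payload claims of a compact JWT.

    The signature is NOT verified here: this inspects a token you already hold
    so you can see what it grants; it is not a substitute for validation by
    the resource server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token_json, now=None):
    """Compare the permissions in the pasted token against what the connector needs.

    token_json is assumed to be an OAuth token response object carrying an
    "access_token" member; the exact layout of the product's Access Tokens (JSON)
    field is not documented on this page."""
    claims = jwt_claims(json.loads(token_json)["access_token"])
    now = time.time() if now is None else now
    delegated = set(claims.get("scp", "").split())  # space-separated scopes
    application = set(claims.get("roles", []))       # JSON array of app roles
    exp = claims.get("exp", 0)
    return {
        "tenant": claims.get("tid"),
        "app_id": claims.get("appid"),
        "expired": exp <= now,
        "seconds_left": int(exp - now),
        "missing_delegated": sorted(REQUIRED_DELEGATED - delegated),
        "missing_application": sorted(REQUIRED_APPLICATION - application),
        "extra_delegated": sorted(delegated - REQUIRED_DELEGATED),
        "extra_application": sorted(application - REQUIRED_APPLICATION),
    }


def make_sample_token(claims):
    """Build an unsigned JWT (alg "none") so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed claims: placeholder tenant/app ids, one permission short of the
# required set in each category, and one delegated scope the connector does not need.
SAMPLE_CLAIMS = {
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "exp": 1_700_003_600,
    "scp": "User.ReadWrite.All Group.ReadWrite.All Mail.Send",
    "roles": ["Contacts.ReadWrite"],
}
SAMPLE_TOKEN_JSON = json.dumps(
    {"token_type": "Bearer", "access_token": make_sample_token(SAMPLE_CLAIMS)}
)

if __name__ == "__main__":
    print(json.dumps(check_token(SAMPLE_TOKEN_JSON, now=1_700_000_000), indent=2))
```

A non-empty "extra" list is worth reviewing before the token is saved, since the connector works with whatever the token grants, not only with what the tables require.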
Creating and Managing the Connected System
A connected system can be managed from both the Admin UI and the Workflow and Connectivity Studio. The step-by-step explanation for creating one is provided in the following sub-sections. Clicking on the connected system from the listing page (Admin UI), or selecting the desired system and clicking the View button (Studio), takes you to a detail page where you can manage the connected system.
Create from Admin UI
- Log in to Identity Administration and click the Systems tab.
- On the Connected System View page, click the Add button and select the Microsoft Office 365 REST connected system from the Type drop-down list. The Connected System Details page displays the default values.
- Enter the desired information:
Definition
- Supported Connectors – Displays whether the connected system is Identity only, Provisioning only, or both.
- Type – Select the connected system type.
- Locale – Select the preferred language (default: English). Locale-specific information such as Display Name and Description can be added only while modifying the connected system.
- Name – The name for this connected system. Note: The name cannot be modified later.
- Display Name – The display name of the new connected system.
- Description – The description of the connected system.
- Associated With – Select how the connector associated with this system will run:
  - Server (default) - Runs locally on the Provisioning/Identity Server.
  - Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
  See Using the Global Identity Gateway with Connected Systems for additional information.
- Password Reset By – Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
  - OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
  - Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
  - External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
  Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
- Provisioning Option – Select the provisioning option:
  - Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
  - Administrative - The connected system cannot be used as an object in a workflow.
- Enable HPAM Support – Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
Connection Information
- Tenant Id – The unique ID of the tenant to perform the operation on. If this is not provided, the value defaults to the tenant of the current user. This parameter is only applicable to partner users.
- Application Id – The application Id of the registered Microsoft Office 365 application.
- Application Secret – The secret key of the registered application.
- Access Tokens (JSON) – Access Token (JSON) generated using the Application ID and Application Secret. To generate a token, click the Get Token button. In the window that follows, enter the userid and password of the Microsoft Office 365 administrative account. Copy the token that is generated and paste it in the Access Tokens (JSON) field.
Password Expiration Support
- Expiration Options For Admin/OBO User Password Reset – Specify the password expiration: None or Immediate.
- System Owner – Add or Remove users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process.
- Add PswdPolicy / Remove PswdPolicy – Adds/removes a password policy to/from this connected system. If the connected system is associated with a Connected System Group, the buttons will be unavailable; all password policy assignments are defined at the group level (refer to the Admin UI ► Systems ► Groups option).
- Click the Test Connection button to test the Connection Information:
  - If successful, one or both of these messages may display:
    Message: Connection from Provisioning to the connected system was established successfully.
    Message: Connection from Identity to the connected system was established successfully.
  - If unsuccessful, one or both of these messages may display:
    Error: Failed to establish connection from Provisioning to the connected system.
    Error: Failed to establish connection from Identity to the connected system.
  Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.
- (Optional) To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays.
- Select the owners and then click the Select button. The system owner displays under the System Owner section. Note: More than one user can be assigned as an owner. To add additional system owners, click the Add button.
- On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system.
- Select one or more available object categories or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 7.
- Click the Add Association button to associate the selected object categories to the connected system.
- Click the Back button to return to the Connected System View page. The new connected system displays in the list.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Creating from Studio
- Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.
- Select the Microsoft Office 365 REST connected system from the Type drop-down list. The default values display.
- Enter the desired information:
Definition
- Type – Select the connected system type.
- Name – The name for this connected system. Note: The name cannot be modified later.
- Display Name – The display name of the new connected system.
- Description – The description of the connected system.
- Supported Connectors – Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here.
- Associated With – Select how the connector associated with this system will run:
  - Server (default) - Runs locally on the Provisioning/Identity Server.
  - Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
- Password Reset By – Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
  - OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
  - Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
  - External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
  Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
- Provisioning Option – Select the provisioning option:
  - Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
  - Administrative - The connected system cannot be used as an object in a workflow.
- Enable HPAM Support – Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
Connection Information
- Tenant Id – The unique ID of the tenant to perform the operation on. If this is not provided, the value defaults to the tenant of the current user. This parameter is only applicable to partner users.
- Application Id – The application Id of the registered Microsoft Office 365 application.
- Application Secret – The secret key of the registered application.
- Access Tokens (JSON) – Access Token (JSON) generated using the Application ID and Application Secret. To generate a token, click the Get Token button. In the window that follows, enter the userid and password of the Microsoft Office 365 administrative account. Copy the token that is generated and paste it in the Access Tokens (JSON) field.
Password Expiration Support
- Expiration Options For Admin/OBO User Password Reset – Specify the password expiration: None or Immediate.
- Click the Connect button to test the Connection Information:
  - If successful, these messages display:
    Message: Connection from Studio to the connected system was established successfully.
    Message: Connection from Identity to the connected system was established
  - If unsuccessful, this message displays:
    Error: Failed to establish connection from Studio to the connected system.
- Click the Apply button to apply changes. The Category Association window displays.
- Select one or more object categories from the Available Categories list or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 6.
- Click the Add button to associate the selected object categories to the connected system.
- Click OK to accept the selected categories.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Using the Connected System for Identity
Perform these procedures to configure the connector:
- Connector Details for Identity
- Identity Password Management
Connector Details for Identity
Field | System Attribute | Example Value |
---|---|---|
Login ID | UserPrincipalName | APhilip@fischerdemo.onmicrosoft.com |
Account ID | id | 453647ec-22b0-4b8c-9936-2edebf771582 |
Identity Password Management
See User Management for details on password management.
Using the Connected System for Provisioning
Perform these procedures to configure the connector:
- Configuring for Export
- Configuring for Import
- Connector Details for Provisioning
Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.
Configuring for Export
Perform these procedures to configure the connector for data export:
- Configuring the Export Connector
- Configuring the Export Link
From the Workflow and Connectivity Studio, select the Microsoft Office 365 REST UserExport workflow listed under the projects folder.
If a workflow does not already exist, create an export workflow. See Workflow and Connectivity Studio for details on creating export workflows.
Configuring the Export Connector
- In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays.
- From the Configure Plug-in tab, set these properties as required:
- Associated Connected System – Select the connected system from the list. The export operation will be done from this connected system.
- Data Formats – Select the type of data format to use: Profiles (default) or ChangeLog.
- DeltaExportMode – Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected):
  - OnlyChangedAttributes - Performs a partial export of only the changed attributes from the last time the query was run.
  - ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes from the last time the query was run. Mandatory attributes are exported whether they have been changed or not.
  - AllAttributes - Performs a full export of all attributes that contain a value.
- DynamicConnectedSystem – Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
- DynamicConnectedSystemOption – Select how to control Dynamic System Support (DSS):
  - None - There will not be any Dynamic System Support.
  - Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.
  - GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
- ExportMode – Select the type of data to export:
  - FullExport - Exports all attributes.
  - DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting.
- Filter – Specify search criteria to determine the objects to be exported from the container specified in ExportDN. Use the Set Filter button that becomes active to create a filter. See Set Filter below for additional information.
- GetUserByIdOrUPN – Option to fetch the details of an entry by providing id or userPrincipalName. Note: This property is available in the User data format only.
- GetGroupByID – Option to fetch the details of a group by providing id. Note: This property is available in the Group data format only.
- MaxResults – Select the maximum number of results to be returned.
- ResultsPerPage – Configuration to control the number of items to be fetched per page.
Note: Hover the pointer over a property to view its description.
Set Filter
Setting the filter is a means to narrow the scope and return specific results.
Field | Description |
---|---|
Attribute | Select the attribute of the filter. This represents the attribute name for searching the Microsoft Office 365 system. |
Comparison | Select the operator value for this filter. |
AND Condition List | Creates an AND statement comparing the selected conditions. If there is more than one condition in this list box, all conditions must be true. |
Filter Syntax | Displays the filter syntax used to retrieve entries from the LDAP directory and to build the export list. |
Using logical AND/OR, generate the complex filter to narrow the search result.
Click OK when complete to return to the Configure Data Source window.
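The ExportMode and DeltaExportMode semantics described above, worked through on one User-format record across two export runs; this is an added example, not the product's code. The snapshot kept between runs, the MANDATORY attribute set and the treatment of a cleared attribute as a change are assumptions made for the illustration; the attribute names and the sample id and userPrincipalName come from this page.

```python
# Added example (not the product's own code): ExportMode / DeltaExportMode semantics
# from the export connector properties above, applied to constructed User records.
MODES = ("OnlyChangedAttributes", "ChangedAndMandatoryAttributes", "AllAttributes")


def has_value(v):
    """AllAttributes exports only attributes that contain a value."""
    return v not in (None, "", [], {})


def delta_attributes(previous, current, mandatory, mode):
    """Return the attributes to export for one record under a DeltaExportMode.

    previous  - the record as seen the last time the query was run ({} on the first run)
    current   - the record as read from the connected system now
    mandatory - attributes always exported in ChangedAndMandatoryAttributes mode
    Assumption: an attribute that had a value before and has none now is
    reported as changed, with an empty value.
    """
    if mode not in MODES:
        raise ValueError(f"unknown DeltaExportMode: {mode}")
    if mode == "AllAttributes":
        return {k: v for k, v in current.items() if has_value(v)}
    changed = {}
    for name in set(previous) | set(current):
        now = current.get(name, "")
        if previous.get(name, "") != now:
            changed[name] = now
    if mode == "ChangedAndMandatoryAttributes":
        for name in mandatory:
            if name in current:
                changed[name] = current[name]  # exported whether changed or not
    return changed


class UserExporter:
    """Runs FullExport or DeltaExport over records keyed by id and keeps the
    snapshot (assumed persistence) that the next DeltaExport run is compared against."""

    def __init__(self, mandatory):
        self.mandatory = set(mandatory)
        self.snapshot = {}

    def run(self, records, export_mode="DeltaExport", delta_mode="ChangedAndMandatoryAttributes"):
        out = {}
        for uid, attrs in records.items():
            if export_mode == "FullExport":
                exported = dict(attrs)  # FullExport: all attributes, as the page states
            elif export_mode == "DeltaExport":
                exported = delta_attributes(self.snapshot.get(uid, {}), attrs,
                                            self.mandatory, delta_mode)
            else:
                raise ValueError(f"unknown ExportMode: {export_mode}")
            if exported:
                out[uid] = exported
        # Remember what was seen so the next delta run is relative to this one.
        self.snapshot = {uid: dict(attrs) for uid, attrs in records.items()}
        return out


# Constructed sample data. Attribute names are from the User data format table;
# the id and userPrincipalName values are the example values given on this page.
UID = "453647ec-22b0-4b8c-9936-2edebf771582"
MANDATORY = {"id", "userPrincipalName"}  # assumed mandatory set for the illustration
RUN1 = {UID: {
    "id": UID,
    "userPrincipalName": "APhilip@fischerdemo.onmicrosoft.com",
    "displayName": "A Philip",
    "department": "Finance",
    "accountEnabled": True,
    "jobTitle": "",
}}
# Second run: the user moved departments and the account was disabled.
RUN2 = {UID: dict(RUN1[UID], department="Security", accountEnabled=False)}

if __name__ == "__main__":
    exporter = UserExporter(MANDATORY)
    print("run 1:", exporter.run(RUN1, "DeltaExport", "OnlyChangedAttributes"))
    print("run 2:", exporter.run(RUN2, "DeltaExport", "OnlyChangedAttributes"))
    print("run 3:", exporter.run(RUN2, "DeltaExport", "OnlyChangedAttributes"))
```

Run 3 exports nothing because nothing changed since run 2, which is the behaviour to expect from a scheduled DeltaExport workflow between changes.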
Configuring the Export Link
- In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays:
  - Source Attributes – Select the attributes to export.
  - Format – Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, when changed. During export, the attribute's value is converted to the specified format. See the Format Date steps below for additional information.
    Notes:
    - The Format button is only enabled for date attributes.
    - The Refresh Schema button on the Configure Data Source window's Attributes tab must be used to refresh the schema and enable the Format button for date attributes.
  - Advanced Settings – Displays the Configure Attributes window for configuring advanced settings for attributes. See the Configure Attributes window for additional information.
- From the Attribute Selection tab, select attributes to export.
- (Optional) Click the Format button to specify a date/time format to be applied to the selected date type attribute. The Format Date window displays.
  - Select the Include Time check box to add the timestamp with the date.
  - Select the 24 Hour or 12 Hour option button and then select the required date/time format.
  - Click OK to save the selected format. The Configure Link window displays.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
- Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.
Configuring for Import
Perform these procedures to configure the connector for data import:
- Configuring the Import Connector
- Configuring the Import Link
From the Workflow and Connectivity Studio, select the Microsoft Office 365 REST UserAdd, UserModify, or UserDelete workflow listed under the projects folder.
If a workflow does not already exist, create an import workflow. See the Workflow and Connectivity Studio documentation for details on creating import workflows.
Configuring the Import Connector
- In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays.
- From the Configure Plug-in tab, set these properties as required:
- Associated Connected System – Select the connected system from the list. The import operation will be done to this connected system.
- Data Formats – Select the type of data format to use: Profiles (default) or ChangeLog.
- DynamicConnectedSystem – Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
- DynamicConnectedSystemOption – Select how to control Dynamic System Support (DSS):
  - None - There will not be any Dynamic System Support.
  - Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.
  - GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
  See the Dynamic System Support appendix in the Workflow and Connectivity Studio document for additional information.
- Id * – Enter the attribute that contains the value used to uniquely identify the user account user ID on the connected system.
- loginId * – Enter the attribute that contains the value used to uniquely identify the user account login ID on the connected system.
Notes:
* accountDN, Id, and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
Hover the pointer over a property to view its description.
- (Optional) Select the Attributes tab. Only standard attributes display. Modify schema attributes with the buttons.
- (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Configuring the Import Link
- In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays. Select attributes or find an attribute:
  - Source Attributes – Select the attributes to import. Check for attribute-level auditing. If auditing is enabled and the attributes below are checked, Provisioning will log all events for auditing purposes.
  - Selected Attributes – Displays default attributes and those attributes that have been selected from the Source Attributes. Note: The default attributes are those that are commonly used to create a new user.
  - Advanced Settings – Displays the Configure Attributes window for configuring advanced settings for attributes. Under the Encrypted column, check the box of any attribute that needs to be encrypted. Under the Diff With Target column, check the box of any attribute to update using differencing (DiffWithTarget, AddDiffWithTarget, and RemoveDiffWithTarget).
  - Key Attribute – Select the attribute to be used as the key attribute.
- From the Attribute Selection tab, select attributes to import.
- (Optional) Select the Appearance tab to change how the link displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
- Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
- Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.
Connector Details for Provisioning
Configuration import properties accountDN, Id, and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
Configuration Import Properties
Identity Property | System Attribute |
---|---|
id | username |
login id | UserPrincipalName |
Connector Attributes
The items in the Export, Create, Modify, and Delete columns have these meanings:
- Y = Yes (attribute is supported for this operation)
- N = No (attribute is not supported for this operation)
User Data Format
The User data format can be used for the following:
- Export users with mailbox, contacts, license and group/role membership details
- Create/modify/delete users
- Assign/remove licenses
- Add/remove group and role memberships
- Manage mailbox settings
- Add/modify/remove contacts
Connector Attributes
Name | Type | MultiValued | Export | Import |
---|---|---|---|---|
accountEnabled | Boolean | N | Y | Y |
ageGroup | String | N | Y | Y |
assignedLicenses->disabledPlans | String | Y | Y | Y |
assignedLicenses->skuId | String | N | Y | Y |
assignedPlans->assignedDateTime | DateTime | N | Y | N |
assignedPlans->capabilityStatus | Boolean | N | Y | N |
assignedPlans->service | String | N | Y | N |
assignedPlans->servicePlanId | String | N | Y | N |
businessPhones | String | N | Y | Y |
companyName | String | N | Y | Y |
consentProvidedForMinor | String | N | Y | Y |
contact->assistantName | String | N | Y | Y |
contact->birthday | String | N | Y | Y |
contact->businessAddress->city | String | N | Y | Y |
contact->businessAddress->countryOrRegion | String | N | Y | Y |
contact->businessAddress->postalCode | String | N | Y | Y |
contact->businessAddress->state | String | N | Y | Y |
contact->businessAddress->street | String | N | Y | Y |
contact->businessHomePage | String | N | Y | Y |
contact->businessPhones | String | N | Y | Y |
contact->categories | String | N | Y | Y |
contact->changeKey | String | N | Y | Y |
contact->children | String | N | Y | Y |
contact->companyName | String | N | Y | Y |
contact->createdDateTime | DateTime | N | Y | Y |
contact->department | String | N | Y | Y |
contact->displayName | String | N | Y | Y |
contact->emailAddresses->address | String | N | Y | Y |
contact->emailAddresses->name | String | N | Y | Y |
contact->fileAs | String | N | Y | Y |
contact->generation | String | N | Y | Y |
contact->givenName | String | N | Y | Y |
contact->homeAddress->city | String | N | Y | Y |
contact->homeAddress->countryOrRegion | String | N | Y | Y |
contact->homeAddress->postalCode | String | N | Y | Y |
contact->homeAddress->state | String | N | Y | Y |
contact->homeAddress->street | String | N | Y | Y |
contact->homePhones | String | N | Y | Y |
contact->id | String | N | Y | Y |
contact->imAddresses | String | N | Y | Y |
contact->initials | String | N | Y | Y |
contact->jobTitle | String | N | Y | Y |
contact->lastModifiedDateTime | DateTime | N | Y | Y |
contact->manager | String | N | Y | Y |
contact->middleName | String | N | Y | Y |
contact->mobilePhone | String | N | Y | Y |
contact->nickname | String | N | Y | Y |
contact->officeLocation | String | N | Y | Y |
contact->otherAddress->city | String | N | Y | Y |
contact->otherAddress->countryOrRegion | String | N | Y | Y |
contact->otherAddress->postalCode | String | N | Y | Y |
contact->otherAddress->state | String | N | Y | Y |
contact->otherAddress->street | String | N | Y | Y |
contact->parentFolderId | String | N | Y | Y |
contact->personalNotes | String | N | Y | Y |
contact->profession | String | N | Y | Y |
contact->spouseName | String | N | Y | Y |
contact->surname | String | N | Y | Y |
contact->title | String | N | Y | Y |
contact->yomiCompanyName | String | N | Y | Y |
contact->yomiGivenName | String | N | Y | Y |
contact->yomiSurname | String | N | Y | Y |
country | String | N | Y | Y |
createdDateTime | DateTime | N | Y | N |
department | String | N | Y | Y |
displayName | String | N | Y | Y |
employeeId | String | N | Y | Y |
faxNumber | String | N | Y | Y |
givenName | String | N | Y | Y |
id | String | N | Y | Y |
imAddresses | String | N | Y | N |
jobTitle | String | N | Y | Y |
legalAgeGroupClassification | String | N | Y | N |
licenseAssignmentStates->assignedByGroup | String | N | Y | N |
licenseAssignmentStates->disabledPlans | String | Y | Y | N |
licenseAssignmentStates->error | String | N | Y | N |
licenseAssignmentStates->skuId | String | N | Y | N |
licenseAssignmentStates->state | String | N | Y | N |
 | String | N | Y | N |
mailboxSettings->archiveFolder | String | N | Y | N |
mailboxSettings->automaticRepliesSetting->externalAudience | String | N | Y | Y |
mailboxSettings->automaticRepliesSetting->externalReplyMessage | String | N | Y | Y |
mailboxSettings->automaticRepliesSetting->internalReplyMessage | String | N | Y | Y |
mailboxSettings->automaticRepliesSetting->scheduledEndDateTime->dateTime | DateTime | N | Y | Y |
mailboxSettings->automaticRepliesSetting->scheduledEndDateTime->timeZone | String | N | Y | Y |
mailboxSettings->automaticRepliesSetting->scheduledStartDateTime->dateTime | DateTime | N | Y | Y |
mailboxSettings->automaticRepliesSetting->scheduledStartDateTime->timeZone | String | N | Y | Y |
mailboxSettings->automaticRepliesSetting->status | String | N | Y | Y |
mailboxSettings->language->displayName | String | N | Y | N |
mailboxSettings->language->locale | String | N | Y | Y |
mailboxSettings->timeZone | String |
N |
Y |
Y |
mailboxSettings->workingHours->daysOfWeek |
String |
N |
Y |
Y |
mailboxSettings->workingHours->endTime |
DateTime |
N |
Y |
Y |
mailboxSettings->workingHours->startTime |
DateTime |
N |
Y |
Y |
mailboxSettings->workingHours->timeZone->name |
String |
N |
Y |
Y |
mailNickname |
String |
N |
Y |
Y |
memberOf->description |
String |
N |
Y |
N |
memberOf->displayName |
String |
N |
Y |
N |
memberOf->groupTypes |
String |
N |
Y |
N |
memberOf->id |
String |
N |
Y |
Y |
memberOf->mail |
String |
N |
Y |
N |
memberOf->mailEnabled |
Boolean |
N |
Y |
N |
memberOf->mailNickname |
String |
N |
Y |
N |
memberOf->odataType |
String |
N |
Y |
Y |
memberOf->securityEnabled |
Boolean |
N |
Y |
N |
memberOf->visibility |
String |
N |
Y |
N |
mobilePhone |
String |
N |
Y |
Y |
officeLocation |
String |
N |
Y |
Y |
onPremisesDistinguishedName |
String |
N |
Y |
N |
onPremisesDomainName |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute1 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute10 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute11 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute12 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute13 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute14 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute15 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute2 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute3 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute4 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute5 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute6 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute7 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute8 |
String |
N |
Y |
N |
onPremisesExtensionAttributes->extensionAttribute9 |
String |
N |
Y |
N |
onPremisesImmutableId |
String |
N |
Y |
Y |
onPremisesLastSyncDateTime |
DateTime |
N |
Y |
N |
onPremisesProvisioningErrors->category |
String |
N |
Y |
Y |
onPremisesProvisioningErrors->occurredDateTime |
DateTime |
N |
Y |
Y |
onPremisesProvisioningErrors->propertyCausingError |
String |
N |
Y |
Y |
onPremisesProvisioningErrors->value |
String |
N |
Y |
Y |
onPremisesSamAccountName |
String |
N |
Y |
N |
onPremisesSecurityIdentifier |
String |
N |
Y |
N |
onPremisesSyncEnabled |
Boolean |
N |
Y |
Y |
onPremisesUserPrincipalName |
String |
N |
Y |
N |
otherMails |
String |
Y |
Y |
Y |
passwordPolicies |
String |
N |
Y |
Y |
passwordProfile->forceChangePasswordNextSignIn |
String |
N |
N |
Y |
passwordProfile- >forceChangePasswordNextSignInWithMfa |
String |
N |
N |
Y |
passwordProfile->password |
String |
N |
N |
Y |
postalCode |
String |
N |
Y |
Y |
preferredDataLocation |
String |
N |
Y |
Y |
preferredLanguage |
String |
N |
Y |
Y |
provisionedPlans->capabilityStatus |
Boolean |
N |
Y |
N |
provisionedPlans->provisioningStatus |
String |
N |
Y |
N |
provisionedPlans->service |
String |
N |
Y |
N |
proxyAddresses |
String |
Y |
Y |
N |
showInAddressList |
String |
N |
Y |
Y |
state |
String |
N |
Y |
Y |
streetAddress |
String |
N |
Y |
Y |
surname |
String |
N |
Y |
Y |
usageLocation |
String |
N |
Y |
Y |
userPrincipalName |
String |
N |
Y |
Y |
userType |
String |
N |
Y |
Y |
Notes:
- Mandatory attributes to add a user are: displayName, mailNickname, userPrincipalName, accountEnabled and passwordProfile->password. The passwordProfile attributes are import-only (Export = N in the table above): the connector writes a password but never reads one back from Office 365.
- To assign a license to a user, the user must have a usageLocation value.
- To modify or delete a user, id is mandatory.
- assignedLicenses->skuId is mandatory to add or remove a license.
- memberOf->id and memberOf->odataType are mandatory to add or remove group or role memberships. The value of memberOf->odataType must be "#microsoft.graph.group" for groups and "#microsoft.graph.directoryRole" for roles.
- contact->givenName is mandatory to add a contact. contact->id is mandatory to modify or delete a contact.
- A mailbox and contacts cannot be added for a user who does not have the required license.
Group Data Format
The Group data format can be used to:
- Export security groups, mail-enabled security groups, distribution groups and Office 365 groups, together with their members.
- Create, modify and delete security groups and Office 365 groups. The Group data format does not create or modify mail-enabled security groups or distribution groups, but it can delete them.
- Add members to, and remove members from, security groups and Office 365 groups.
Connector Attributes
Name | Type | MultiValued | Export | Import |
---|---|---|---|---|
assignedLicenses->disabledPlans | String | Y | Y | N |
assignedLicenses->skuId | String | N | Y | N |
classification | String | N | Y | Y |
createdDateTime | DateTime | N | Y | N |
description | String | N | Y | Y |
displayName | String | N | Y | Y |
groupTypes | String | N | Y | Y |
id | String | N | Y | Y |
licenseProcessingState | String | N | Y | N |
| | String | N | Y | N |
mailEnabled | Boolean | N | Y | Y |
mailNickname | String | N | Y | Y |
members->displayName | String | N | Y | N |
members->id | String | N | Y | Y |
members->odataType | String | N | Y | Y |
members->userPrincipalName | String | N | Y | N |
onPremisesLastSyncDateTime | DateTime | N | Y | N |
onPremisesProvisioningErrors | String | N | Y | Y |
onPremisesSecurityIdentifier | String | N | Y | N |
onPremisesSyncEnabled | Boolean | N | Y | N |
preferredDataLocation | String | N | Y | Y |
proxyAddresses | String | Y | Y | N |
renewedDateTime | DateTime | N | Y | N |
securityEnabled | Boolean | N | Y | Y |
visibility | String | N | Y | Y |
Notes:
- Mandatory attributes to add a group are: displayName, mailEnabled, securityEnabled and mailNickname.
- To modify or delete a group, id is mandatory.
- members->id and members->odataType are mandatory to add or remove members of a group. The value of members->odataType must be "#microsoft.graph.user" for a user and "#microsoft.graph.group" for a group.
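The rules in the user notes (mandatory attributes, usageLocation before a license, memberOf->odataType for groups and roles) and in the group notes above (mandatory group attributes, members->odataType for users and groups), as an added Python example that is not the connector's own code: it turns the connector's flat `a->b` attribute names into the nested JSON that Microsoft Graph v1.0 expects and refuses any request that would break those rules. The Graph URLs and body shapes are the public v1.0 ones (POST /users, /users/{id}/assignLicense, /groups/{id}/members/$ref, /directoryRoles/{id}/members/$ref); the helper names, the GUID check on ids, the forced password change on first sign-in, the password redaction for logging and the sample records are this example's own choices.

```python
"""Graph v1.0 request bodies from the connector's flat "a->b->c" attribute
names, enforcing the mandatory-attribute rules of the user and group notes.
Added example; helper names and sample records are this example's own."""
import copy
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
USER_REQUIRED = ("displayName", "mailNickname", "userPrincipalName",
                 "accountEnabled", "passwordProfile->password")
GROUP_REQUIRED = ("displayName", "mailEnabled", "securityEnabled", "mailNickname")
# odataType values the notes mandate for membership operations
USER_TARGETS = {"#microsoft.graph.group": "groups",
                "#microsoft.graph.directoryRole": "directoryRoles"}
GROUP_MEMBER_TYPES = {"#microsoft.graph.user", "#microsoft.graph.group"}


def nest(flat: dict) -> dict:
    """{"a->b": 1, "c": 2} becomes {"a": {"b": 1}, "c": 2}."""
    out: dict = {}
    for path, value in flat.items():
        cur = out
        *parents, leaf = path.split("->")
        for key in parents:
            cur = cur.setdefault(key, {})
        cur[leaf] = value
    return out


def missing(flat: dict, required) -> list:
    """Required attributes that are absent or empty (False is a value)."""
    return [k for k in required if flat.get(k) in (None, "")]


def guid(value) -> str:
    """Ids end up in URL paths: accept only a GUID so a hostile feed cannot
    smuggle extra path segments or a query string into the request."""
    return str(uuid.UUID(str(value)))


def create_user_body(flat: dict) -> dict:
    gaps = missing(flat, USER_REQUIRED)
    if gaps:
        raise ValueError(f"cannot add user, missing {gaps}")
    body = nest(flat)
    # the provisioning password is single-use unless the feed says otherwise
    body["passwordProfile"].setdefault("forceChangePasswordNextSignIn", True)
    return body


def create_group_body(flat: dict) -> dict:
    gaps = missing(flat, GROUP_REQUIRED)
    if gaps:
        raise ValueError(f"cannot add group, missing {gaps}")
    return nest(flat)


def assign_license(flat: dict, user_id, sku_id, disabled_plans=()):
    """(url, body) for assignLicense; needs usageLocation and a skuId."""
    if not flat.get("usageLocation"):
        raise ValueError("usageLocation must be set before assigning a license")
    if not sku_id:
        raise ValueError("assignedLicenses->skuId is mandatory")
    body = {"addLicenses": [{"skuId": guid(sku_id),
                             "disabledPlans": [guid(p) for p in disabled_plans]}],
            "removeLicenses": []}
    return f"{GRAPH}/users/{guid(user_id)}/assignLicense", body


def add_user_membership(user_id, target_id, odata_type):
    """(url, body) adding a user to a group or directory role (memberOf->*)."""
    try:
        collection = USER_TARGETS[odata_type]
    except KeyError:
        raise ValueError(f"unsupported memberOf->odataType {odata_type!r}") from None
    return (f"{GRAPH}/{collection}/{guid(target_id)}/members/$ref",
            {"@odata.id": f"{GRAPH}/directoryObjects/{guid(user_id)}"})


def add_group_member(group_id, member_id, odata_type):
    """(url, body) adding a user or a group to a group (members->*)."""
    if odata_type not in GROUP_MEMBER_TYPES:
        raise ValueError(f"unsupported members->odataType {odata_type!r}")
    return (f"{GRAPH}/groups/{guid(group_id)}/members/$ref",
            {"@odata.id": f"{GRAPH}/directoryObjects/{guid(member_id)}"})


def loggable(body: dict) -> dict:
    """Deep copy of a request body that is safe to log: no password."""
    safe = copy.deepcopy(body)
    if "password" in safe.get("passwordProfile", {}):
        safe["passwordProfile"]["password"] = "***"
    return safe


# constructed sample records, not real tenant data
SAMPLE_USER = {"displayName": "Jane Example", "mailNickname": "jane",
               "userPrincipalName": "jane@example.test", "accountEnabled": True,
               "passwordProfile->password": "P@ss-example-1", "usageLocation": "US"}
SAMPLE_GROUP = {"displayName": "App Readers", "mailEnabled": False,
                "securityEnabled": True, "mailNickname": "app-readers"}

if __name__ == "__main__":
    print(loggable(create_user_body(SAMPLE_USER)))
    print(add_user_membership(uuid.uuid4(), uuid.uuid4(), "#microsoft.graph.group"))
```

The GUID check matters because every id in these calls is interpolated into a URL path; a value such as `../admin` from an untrusted feed is rejected before a request is built. `loggable` exists because the create-user body carries a clear-text password and connector logs are routinely shipped to a SIEM.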
Entitlement Support
This connector supports both static entitlements (attributes, groups and roles) and dynamic entitlements (dynamic fetching of groups and roles). Only security groups and Office 365 groups are supported as entitlements; mail-enabled security groups and distribution groups are not.
Entitlements are configured from the Admin UI ► Server ► Resources. See the Resource Management chapter in the Identity Suite Administration Guide for details on resources.
To configure entitlements
- On the Resource Detail page, under Entitlement Options, click the Add button. The Entitlement Search page displays.
- Select the Entitlement Type, Groups or Roles. Enter Search Criteria, if any, and click Search. The Provisioning Entitlements View displays.
- To add a Static Entitlement, click the Add Static Entitlement button on the Resource Detail page. Enter a Name, a Value (an existing Attribute, Group or Role within Office 365) and a Description.
To view entitlements that have been provisioned for existing users:
- From the Admin UI ► Users ► Search Users to Modify ► User Access View page, all entitlements associated with the user are listed.
Lookup Data
To look up data in Microsoft Office 365, use the Data Mapper rule Lookup Data.
- Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.
- Select the Lookup Data rule under the Mapping Rule column and then click the Source Value. The Configure Lookup window displays.
- Select the Microsoft Office 365 REST system from the Select System drop-down list.
- In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.
- Select the Lookup Type, User or Group, from the drop-down list.
- For a User lookup, select the By User ID, By User Principal Name or By Filter option.
  - For By User ID, click the User ID Pick button to select the User ID input attribute and click OK.
  - For By User Principal Name, click the User Principal Name Pick button to select the User Principal Name input attribute and click OK.
  - For By Filter, click the Build button next to Filter, build the filter to use for the lookup and click OK.
- For a Group lookup, select the By Group ID or By Filter option.
  - For By Group ID, click the Group ID Pick button to select the Group ID input attribute and click OK.
  - For By Filter, click the Build button next to Filter, build the filter to use for the lookup and click OK.
- Click the Fields Pick button to select the attributes to be fetched after a successful lookup.
- Select the Exit as Mapper Task Failed on Lookup Failure check box to end the task with Failed status when a lookup fails. In that case the remaining entries are not processed, the entries already processed are discarded and no data is returned. This check box is selected by default.
- Click OK.
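What the lookup options above amount to at the API level, as an added Python example rather than the connector's own code: a user looked up by id, by user principal name or by filter, a group looked up by id or by filter, the picked Fields sent as $select, and the Lookup Prefix applied to the attributes that come back. It assumes the rule's filter is a Microsoft Graph v1.0 OData $filter and that a filter lookup counts as failed unless it matches exactly one object; the page states neither, and the allow-list of filterable attributes, the function names and the sample responses are this example's own.

```python
"""Requests and result handling behind a Lookup Data rule against the
Office 365 REST system. Added example; assumes Graph v1.0 OData $filter
syntax. Names, allow-list and sample responses are this example's own."""
import uuid
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
# attributes this example allows in a built filter (assumed allow-list)
FILTERABLE = {"userPrincipalName", "mail", "mailNickname", "displayName",
              "employeeId", "onPremisesSamAccountName"}


def odata_str(value) -> str:
    """OData string literal. Doubling the single quote keeps a value such
    as o'brien, or a crafted ' or 1 eq 1, inside the literal."""
    return "'" + str(value).replace("'", "''") + "'"


def eq_filter(attribute: str, value) -> str:
    """attribute eq 'value', for attributes on the allow-list only."""
    if attribute not in FILTERABLE:
        raise ValueError(f"{attribute!r} is not an allowed filter attribute")
    return f"{attribute} eq {odata_str(value)}"


def _url(path: str, **params) -> str:
    # percent-encode each value; commas in $select stay readable
    query = "&".join(f"${k}={quote(str(v), safe=',')}"
                     for k, v in params.items() if v)
    return f"{GRAPH}/{path}" + (f"?{query}" if query else "")


def user_by_id(user_id, fields=()):
    # the id is a path segment: accept only a GUID
    return _url(f"users/{uuid.UUID(str(user_id))}", select=",".join(fields))


def user_by_upn(upn, fields=()):
    # a filter sidesteps the path-key rules for UPNs containing '#' or '$'
    return _url("users", filter=eq_filter("userPrincipalName", upn),
                select=",".join(fields))


def user_by_filter(expr: str, fields=()):
    return _url("users", filter=expr, select=",".join(fields))


def group_by_id(group_id, fields=()):
    return _url(f"groups/{uuid.UUID(str(group_id))}", select=",".join(fields))


def group_by_filter(expr: str, fields=()):
    return _url("groups", filter=expr, select=",".join(fields))


class LookupFailed(Exception):
    """No object, or more than one object, matched the lookup."""


def pick(response: dict, fields, prefix: str) -> dict:
    """Map a Graph response to prefixed lookup attributes. A GET by key
    returns the object itself; a filtered GET returns {"value": [...]},
    which must hold exactly one match to count as a successful lookup."""
    if "value" in response:
        matches = response["value"]
        if len(matches) != 1:
            raise LookupFailed(f"expected one match, got {len(matches)}")
        obj = matches[0]
    else:
        obj = response
    return {f"{prefix}{f}": obj.get(f) for f in fields}


# constructed responses, not real tenant data
ONE_MATCH = {"value": [{"id": "c0ffee00-0000-4000-8000-000000000001",
                        "displayName": "Jane Example",
                        "userPrincipalName": "jane@example.test"}]}
NO_MATCH = {"value": []}

if __name__ == "__main__":
    print(user_by_upn("o'brien@example.test", ["id", "displayName"]))
    print(pick(ONE_MATCH, ["id", "displayName"], "o365_"))
```

The quoting in `odata_str` is the point of the example: a filter assembled by string concatenation from an input attribute lets a value like `x' or userPrincipalName ne '` widen the lookup to the whole tenant, and a widened lookup with one-match semantics then silently fails instead of returning the wrong account.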