This connector supports both Identity and Provisioning.
- The Identity functionalities of this connector enable you as an Identity administrator to configure Microsoft Office 365 as a connected system and then make Identity users part of the Microsoft Office 365 system. This enables the user or Identity administrator to reset Microsoft Office 365 account passwords. This also enables you to enable/disable a user account.
- The Provisioning functionalities of this connector enable exporting and importing user accounts on a Microsoft Office 365 system. This connector supports the following entry types: MailBoxes, MailUsers, MailContacts, and MsolUsers, as well as the assignment of Licenses (SKUs) and Features (Services) to MsolUsers and the assignment of security group membership to MsolUsers.
Functionalities
Identity Integration
Product Feature | Supported |
---|---|
Validate User | Yes |
Enable/Disable User | Yes |
Reset Password | Yes |
Expire Password Immediately | Yes |
Expire Password by Date | No |
Authenticate | Yes |
Provisioning Integration
Data Format | Export | Create | Modify | Delete | Trigger |
---|---|---|---|---|---|
User | Yes | Yes | Yes | Yes | No |
Group | Yes | Yes | Yes | Yes | No |
* There is no delete option for Crashplan. A delete is accomplished by doing a deactivation, which is not currently supported in the connector.
Prerequisites
Ensure that these prerequisites are satisfied:
Microsoft Office 365 is installed, configured, and running.
A hosted Office 365 domain for development/testing purposes.
An administrative account with one of the following three permissions assignments:
- The User Management Administrators role with the following specific roles assigned:
  - Mail Recipient Creation
  - Mail Recipients
  - Recipient Policies
  - Reset Password
  - Distribution Lists
  Note: This is the minimum permissions required to provision users and distribution groups.
- The User Management Administrators role, and is a member of the Recipient Management role group.
- The Global Administrators role.
Note: "User management administrator" is the minimum administrative access required for the service account.
- The Identity and Provisioning (or their GIG) Servers must be running on Windows >= 7 or Windows Server 2008R2.
- Windows PowerShell and the .NET Framework 3.5.1 are enabled.
- Install Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.
- Install the MSOnline module:
  - Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator).
  - Run the Install-Module MSOnline command.
  - If prompted to install the NuGet provider, type Y and press ENTER.
  - If prompted to install the module from PSGallery, type Y and press ENTER.
- Local machine execution policy must allow the execution of RemoteSigned scripts (see Editing the Local Machine Execution Policy below).
Follow the procedure for your operating system.
Windows 10 / Windows Server 2008 R2
- Open Group Policy Editor (gpedit.msc).
- Go to Local Machine Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell.
- Enable ‘Turn on Script Execution’ and select the ‘Allow local scripts and remote signed scripts’ execution policy.
Windows 7
- Download the Administrative Templates for Windows PowerShell from the Microsoft Download Center http://go.microsoft.com/fwlink/?LinkId=131786.
- Open Group Policy Editor (gpedit.msc).
- Under Local Machine Policy ► Computer Configuration, highlight Administrative Templates and select Add\Remove Templates.
- Install the PowerShellExecutionPolicy template.
- Under Administrative Templates -> Classic Administrative Templates -> Windows Components -> Windows PowerShell
- Enable ‘Turn on Script Execution’ and select the ‘Allow local scripts and remote signed scripts’ execution policy.
This sets the execution policy for all scopes. The computer configuration will override all other execution policy settings.
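A read-only check of the host prerequisites listed above, as an added example that is not part of the vendor documentation. The function name is hypothetical, the registry path is the standard .NET Framework 3.5 setup key, and the script assumes Windows PowerShell 5.x, where Install-Module is available.

```powershell
# Added example (not vendor code): read-only prerequisite check for the
# Identity/Provisioning (or GIG) server. It changes nothing on the machine.

function Test-O365ConnectorPrerequisites {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $checks = @()

    # 1. .NET Framework 3.5.x: the setup key carries Install = 1 when the feature is enabled.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' `
                            -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = '.NET Framework 3.5.x enabled'
        Passed = ($null -ne $ndp -and $ndp.Install -eq 1)
        Detail = if ($ndp) { "Version $($ndp.Version)" } else { 'NDP\v3.5 key not found' }
    }

    # 2. MSOnline module installed where the connector's PowerShell sessions can load it.
    $msol = Get-Module -ListAvailable -Name MSOnline |
            Sort-Object -Property Version -Descending |
            Select-Object -First 1
    $checks += [pscustomobject]@{
        Check  = 'MSOnline module installed'
        Passed = [bool]$msol
        Detail = if ($msol) { "Version $($msol.Version) in $($msol.ModuleBase)" } else { 'Not found; run Install-Module MSOnline from an elevated prompt' }
    }

    # 3. Execution policy. The Group Policy setting described above appears at the
    #    MachinePolicy scope and takes precedence over every other scope.
    $byScope   = Get-ExecutionPolicy -List
    $machine   = [string]($byScope | Where-Object { $_.Scope -eq 'MachinePolicy' }).ExecutionPolicy
    $effective = [string](Get-ExecutionPolicy)
    $checks += [pscustomobject]@{
        Check  = 'Group Policy (MachinePolicy scope) is RemoteSigned'
        Passed = ($machine -eq 'RemoteSigned')
        Detail = "MachinePolicy=$machine; effective=$effective"
    }

    # 4. Hygiene check: the connector needs RemoteSigned, nothing looser.
    $checks += [pscustomobject]@{
        Check  = 'Effective policy is not looser than RemoteSigned'
        Passed = ($effective -notin 'Unrestricted', 'Bypass')
        Detail = "effective=$effective"
    }

    $checks
}

Test-O365ConnectorPrerequisites | Format-Table -AutoSize -Wrap
```

If check 3 fails while check 4 passes, the policy is coming from a scope other than Group Policy and can be changed locally without the computer configuration overriding it.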
Creating the Connected System
Admin UI
- Log in to Identity Administration and click the Systems tab.
- On the Connected System View page, click the Add button and select the Microsoft Office 365 connected system from the Type drop-down list. The Connected System Details page displays the default values:
- Enter the desired information:
Definition
Supported Connectors: Displays whether the connected system is Identity only, Provisioning only, or both.
Password Policy: Displays the name of the password policy associated with the connected system.
Connected System Group: Displays the name of the system group that includes this connected system.
Note: If a password policy is associated with a connected system and then the connected system is placed in a group, the group’s password policy will override the connected system’s password policy. The password policy will be removed from the connected system.
Type: Select the connected system type.
Locale: Select the preferred language (default: English). Locale-specific information such as Display Name and Description can be added only while modifying the connected system.
Name: The name for this connected system. Note: The name cannot be modified later.
Display Name: The display name of the new connected system.
Description: The description of the connected system.
Associated With: Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
- See Using the Global Identity Gateway with Connected Systems for additional information.
Password Reset By: Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
- OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
Provisioning Option: Select the provisioning option:
- Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow.
Enable HPAM Support: Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
Connection Information
Exchange Online URL: The URL of the Office 365 Server.
Service Account Name: The name of the administrative user account used to connect to the server.
Service Account Password: The administrative user password.
Tenant Id: The unique ID of the tenant to perform the operation on. If this is not provided, then the value will default to the tenant of the current user. This parameter is only applicable to partner users.
Maximum Office 365 Sessions: The maximum number of concurrent Office 365 sessions to allow. Office 365 usually limits the number of concurrent sessions for a single user to 3 sessions.
Password Expiration Support
Expiration Options For Admin/OBO User Password Reset: Specify the password expiration: None or Immediate.
System Owner: Add or Remove users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process.
Add PswdPolicy / Remove PswdPolicy: Adds/removes a password policy to/from this connected system. If the connected system is associated with a Connected System Group, the buttons will be unavailable - all password policy assignments are defined at the group level (refer to the Admin UI -> Systems -> Groups option).
- Click the Test Connection button to test the Connection Information:
  - If successful, one or both of these messages may display:
    Message: Connection from Provisioning to the connected system was established successfully.
    Message: Connection from Identity to the connected system was established successfully.
  - If unsuccessful, one or both of these messages may display:
    Error: Failed to establish connection from Provisioning to the connected system.
    Error: Failed to establish connection from Identity to the connected system.
  Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.
- (Optional) To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays:
- Select the owners and then click the Select button. The system owner displays under the System Owner section:
  Note: More than one user can be assigned as an owner.
  To add additional system owners, click the Add button.
- On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system:
- Select one or more available object categories or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 7.
- Click the Add Association button to associate the selected object categories to the connected system.
- Click the Back button to return to the Connected System View page. The new connected system displays in the list.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Studio
- Log in to the Workflow and Connectivity Studio and click Connectivity -> Add Systems on the menu bar. The Add Connected Systems window displays.
- Select the Microsoft Office 365 connected system from the Type drop-down list. The default values display.
- Enter the desired information:
Definition
Type: Select the connected system type.
Name: The name for this connected system. Note: The name cannot be modified later.
Display Name: The display name of the new connected system.
Description: The description of the connected system.
Supported Connectors: Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here.
Associated With: Select how the connector associated with this system will run:
- Server (default) - Runs locally on the Provisioning/Identity Server.
- Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
Password Reset By: Enables administrators to configure password management functions normally available to Users and OBO (On Behalf Of) Users:
- OBO User Only - Connected system and account association information is displayed only in Self-Service user management (for OBO Users). OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset). End users will not see their accounts on this connected system in Self-Service and Kiosk; therefore, they cannot reset passwords for accounts on this connected system.
- Users and OBO User - Connected system and account association information is displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users can reset passwords for accounts on this connected system. Administrators can perform all user management functions for this connected system (e.g., enable/disable, validate, associate user, and password reset).
- External - Connected system and account association information is not displayed in Self-Service password reset, Self-Service - Kiosk, and Self-Service user management. Self-Service users, Kiosk users, and OBO Users cannot reset passwords for accounts on this connected system.
Note: When user management configuration enables OBO Users to perform password resets, this definition must be set to OBO User Only or Users and OBO User. For connectors that support Provisioning only, there is no password reset capability.
Provisioning Option Select the provisioning option:
- Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
- Administrative - The connected system cannot be used as an object in a workflow.
Enable HPAM Support: Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
Connection Information
Exchange Online URL: The URL of the Office 365 Server.
Service Account Name: The name of the administrative user account used to connect to the server.
Service Account Password: The administrative user password.
Tenant Id: The unique ID of the tenant to perform the operation on. If this is not provided, then the value will default to the tenant of the current user. This parameter is only applicable to partner users.
Maximum Office 365 Sessions: The maximum number of concurrent Office 365 sessions to allow. Office 365 usually limits the number of concurrent sessions for a single user to 3 sessions.
Password Expiration Support
Expiration Options For Admin/OBO User Password Reset: Specify the password expiration: None or Immediate.
- Click the Connect button to test the Connection Information:
- If successful, one or both of these messages may display:
Connection from Studio to the connected system was established successfully.
- If unsuccessful, one or both of these messages may display:
Failed to establish connection from Studio to the connected system.
Note: If the connection fails, additional messages may display providing more information regarding the failure.
- Click the Apply button to apply changes. The Category Association window displays.
- Select one or more object categories from the Available Categories list or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 6.
- Click the Add button to associate the selected object categories to the connected system.
- Click OK to accept selected categories.
See Copying, Modifying, and Deleting Connected Systems for additional information.
Using the Connected System for Identity
Perform these procedures to configure the connector:
- Connector Details for Identity
- Identity Password Management
Connector Details for Identity
Field | System Attribute | Example Value |
---|---|---|
Login ID | UserPrincipalName | BLANE |
Account ID | UserPrincipalName | BLANE |
Identity Password Management
See User Management for details on password management.
Using the Connected System for Provisioning
Perform these procedures to configure the connector:
- Configuring for Export
- Configuring for Import
- Connector Details for Provisioning
Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.
Configuring for Export
Perform these procedures to configure the connector for data export:
- Configuring the Export Connector
- Configuring the Export Link
From the Workflow and Connectivity Studio, select the Microsoft Office 365 UserExport workflow listed under the projects folder.
If a workflow does not already exist, create an export workflow. See Workflow and Connectivity Studio for details on creating export workflows.
Configuring the Export Connector
- In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays:
- From the Configure Plug-in tab, set these properties as required:
Associated Connected System: Select the connected system from the list. The export operation will be done from this connected system.
Data Formats: Select the type of data format to use: Profiles (default) or ChangeLog.
DynamicConnectedSystem: Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
DynamicConnectedSystemOption: Select how to control Dynamic System Support (DSS):
- None - There will not be any Dynamic System Support.
- Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.
- GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
Filter: Specify search criteria to determine the objects to be exported from the container specified in ExportDN. Use the Set Filter button that becomes active to create a filter. See "Set Filter" for additional information.
FoldSubRecords: If set to TRUE, sub records are folded and returned as attributes.
Note: This property is available in Group data format only.
ResultSize: The maximum number of results to return (default: Unlimited).
TenantId: The unique ID of the tenant to perform the operation on. If this is not provided, then the value will default to the tenant of the current user. This parameter is only applicable to partner users.
Note: Hover the pointer over a property to view its description.
Setting the filter is a means to narrow the scope and return specific results (see Set Filter Examples below).
- Click the Set Filter button to set the search filter. The Set Filter window displays.
- Select the type from the Filter by entry type drop-down list to filter the entries.
- Select the Attribute of the filter. This represents the attribute name for searching the Microsoft Office 365 directory.
- Select the Comparison operator value for this filter.
- Enter the required result Value.
- Using logical AND/OR, generate the complex filter to narrow the search result.
- Select the Edit Filter Manually check box to manually edit the filter in the Filter Syntax field to build complex filters.
- Click OK when complete to return to the Configure Data Source window.
Set Filter - Examples
- This filter will search single-valued or multi-valued attributes for an exact attribute value.
- This filter will search for everyone named Sam, Sammy, Samuel, etc.
- Selecting MsolUser from the Filter by entry type displays this Set Filter window.
Field | Description |
---|---|
Search String | Enter the search string to return only users whose e-mail address or display name starts with this string. |
Which Users | Select whether to return users that are enabled, disabled, or both, and then select the desired check boxes: |
DomainName | Enter the domain name to filter results on. This must be a verified domain for the company. Only users with an e-mail address (primary or secondary) on this domain will be returned. |
TenantId | Enter the unique ID of the tenant to perform the search on. |
3. (Optional) Select the Attributes tab.
Modify schema attributes using these buttons.
Button | Description |
---|---|
Add | Adds additional attributes to the list. The Add New Attribute dialog displays. |
Export | Exports the schema list to an XML file. |
Import | Imports the schema list from an XML file. |
Reset Schema | Resets the schema definition to the default schema prepackaged with the IdM Suite, plus any global variable added. |
4. (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
5. Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Configuring the Export Link
- In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays:
Source Attributes: Select the attributes to export.
Format: Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, whenChanged. During export, the attribute’s value is converted to the specified format. See the Format Date steps below for additional information.
Notes:
- The Format button is only enabled for date attributes.
- The Refresh Schema button on the Configure Data Source window’s Attributes tab must be used to refresh the schema and enable the Format button for date attributes.
Advanced Settings: Displays the Configure Attributes window for configuring advanced settings for attributes. See the Configure Attributes window for additional information.
- From the Attribute Selection tab, select attributes to export.
- (Optional) Click the Format button to specify a date/time format to be applied to the selected date type attribute. The Format Date window displays.
- Select the Include Time checkbox to add the timestamp with the date.
- Select the 24 Hour or 12 Hour option button and then select the required date/time format.
- Click OK to save the selected format. The Configure Link window displays.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Deploy the workflow by selecting Deploy -> New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
Manage and run the deployed workflow from the Admin UI -> Server tab. See the Identity Suite Administration documentation for details.
Configuring for Import
Perform these procedures to configure the connector for data import:
- Configuring the Import Connector
- Configuring the Import Link
From the Workflow and Connectivity Studio, select the 389 Directory Server UserAdd, UserModify, or UserDelete workflow listed under the projects folder.
If a workflow does not already exist, create an import workflow. See the Workflow and Connectivity Studio documentation for details on creating import workflows.
Configuring the Import Connector
- In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays:
- From the Configure Plug-in tab, set these properties as required:
Associated Connected System: Select the connected system from the list. The import operation will be done to this connected system.
Data Formats: Select the type of data format to use: Profiles (default) or ChangeLog.
DynamicConnectedSystem: Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
DynamicConnectedSystemOption: Select how to control Dynamic System Support (DSS):
- None - There will not be any Dynamic System Support.
- Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.
- GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
See the Dynamic System Support appendix in the Workflow and Connectivity Studio document for additional information.
ExecuteGIGAssociatedTaskAsynchronously: Property which controls execution mode for GIG associated tasks. If this property is true and the task connected system has GIG association, task is executed asynchronously. If this property is false, GIG associated tasks will execute asynchronously with a blocking call. This blocking call can result in timeout issues if the task takes more time than the SOAP call timeout. This property is ignored if there is no GIG association or task is executed from Studio.
Id *: Enter the attribute that contains the value used to uniquely identify the user account user ID on the connected system.
loginId *: Enter the attribute that contains the value used to uniquely identify the user account login ID on the connected system.
Notes:
* accountDN, Id, and login id are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
Hover the pointer over a property to view its description.
- (Optional) Select the Attributes tab. Only standard attributes display:
Modify schema attributes with the buttons.
- (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Configuring the Import Link
- In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays:
Field | Description |
---|---|
Source Attributes | Select the attributes to import. |
Check for attribute-level auditing. | If auditing is enabled and these attributes below are checked, Provisioning will log all events for auditing purposes. |
Selected Attributes | Displays default attributes and those attributes that have been selected from the Source Attributes. Note: The default attributes are those that are commonly used to create a new user. |
Advanced Settings | Displays the Configure Attributes window for configuring advanced settings for attributes. Under the Encrypted column, check the box of any attribute that needs to be encrypted. Under the Diff With Target column, check the box of any attribute to update using differencing (DiffWithTarget, AddDiffWithTarget, and RemoveDiffWithTarget). |
Audit Key | Select the attribute to associate with the Audit Key. |
From the Attribute Selection tab, select attributes to import.
(Optional) Select the Appearance tab to change how the link displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
Deploy the workflow by selecting Deploy -> New Deployment. See the Workflow and Connectivity Studio for details of deployment options.
Manage and run the deployed workflow from the Admin UI -> Server tab. See the Identity Suite Administration documentation for details.
Connector Details for Provisioning
Configuration import properties accountDN, Id, and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
Configuration Import Properties
Identity Property | System Attribute |
---|---|
id | username |
login id | username |
Office 365 Connector Attributes
The items in the Export, Create, Modify, and Delete columns have these meanings:
- Y = Yes (the attribute is supported for this operation)
- N = No (attribute is not supported for this operation)
Name | MultiValued | Export | Create | Modify | Delete | Mandatory | Description |
---|---|---|---|---|---|---|---|
active | N | Y | Y | Y | N | N | Account status. Values are TRUE or FALSE. |
admins | N | Y | N | N | N | N | |
alerted | N | Y | N | N | N | N | |
blocked | N | Y | Y | N | N | N | Whether or not the user is blocked (i.e., enabled/disabled). Values are TRUE or FALSE |
creationDate | N | Y | N | N | N | N | |
N | Y | Y | Y | N | N | Email of the user | |
invited | N | Y | N | N | N | N | |
emailPromo | N | Y | Y | Y | N | N | Enable/Disable email promo notifications. Values are TRUE or FALSE |
firstName | N | Y | Y | Y | N | N | First Name of the user. |
lastName | N | Y | Y | Y | N | N | Last Name of the user. |
licenses | N | Y | N | N | N | N | |
modificationDate | N | Y | N | N | N | N | |
notes | N | Y | Y | Y | N | N | Additional notes to add to user. |
orgName | N | Y | N | N | N | N | |
orgUid | N | Y | Y | Y | N | Y | Internal org id of the Crashplan instance. |
Original_username | N | Y | N | Y | N | Y | Original Account Name for rename operations. |
password | N | Y | Y | Y | N | Y | Password of the account. |
passwordReset | N | Y | N | N | N | N | |
q | N | Y | N | N | N | N | |
quotaInBytes | N | Y | N | N | N | N | |
roleName | N | Y | N | N | N | N | |
status | N | Y | N | N | N | N | |
username | N | Y | Y | Y | N | Y | Username of the account. |
usernameIsAnEmail | N | Y | N | N | N | N | |
userUid | N | Y | N | N | N | N | Internal id of the user. |
Lookup Data
To find existing users and return specific attribute values for users, use the Data Mapper rule Lookup Data.
- Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.
- Select the Lookup Data rule under the Mapping Rule column, and then click the Source Value. The Configure Lookup window displays.
- Select the Office 365 system from the Select System drop-down list:
- In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.
- Select the Lookup Type from the drop-down list.
- Click the FieldsPick button to select the attributes to be fetched after a successful lookup. The Lookup Configuration window displays:
- Select the attribute(s) from the Selected Attributes list that requires a date and/or time format, and click the Format button. The Format Date window displays.
- Select the Include Time check box to use a date and time format. Select the required date/time format for your target database (shown above), and then click OK.
- Click the Filter Build button, and then from the Set Filter window, generate the search filter, for example:
See Set Filter for a description of this window.
- Click OK. The updated Configure Lookup window displays, for example:
- Select the Exit as Mapper Task Failed on Lookup Failure check box to exit the task with Failed status on lookup failure. It will not process the succeeding entries and will ignore the already processed entries and will not return any data. This is selected by default.
- Click OK.
Appendix
Friendly Name
The individual bullets are called Features, and the overall plans are called Licenses. A much larger list of the internal values and PowerShell names can be found at this link:
http://blog.c7solutions.com/2011/07/assign-specific-licences-in-office-365.html
These GUIDs are specific to your organization. These values are assigned through the UserRole attribute.
Licenses and Features
Syntax and Semantics of Licenses and Features
The Licenses attribute is a multi-valued attribute, each instance of which represents all the Features of a specific license SKU. A particular enterprise may be licensed for multiple SKUs. To select a specific set of features within a particular SKU, they can be listed on that license attribute specification. If there are no Features listed, then all Features are specified.
These are the possible syntaxes of the attribute:
<AccountName>:<SkuPartNumber>
<AccountName>:<SkuPartNumber>|<ServicePlan>
<AccountName>:<SkuPartNumber>|<ServicePlan>,<ServicePlan>
Examples:
exampleco:ENTERPRISEPACK (includes all Features)
exampleco:ENTERPRISEPACK|OFFICESUBSCRIPTION,SHAREPOINTWAC
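The attribute syntax above, as an added example (not the connector's own code): a Python parser that checks each Licenses value against a catalog of SKUs and Features before it is sent to the connector, and rejects a trailing `|` or an empty Feature instead of letting it widen to all Features. The catalog is constructed from this page's sample values; the allowed character set and the one-value-per-SKU rule are assumptions.

```python
import re

# Constructed catalog (SKU -> its Features), filled with this page's sample values.
CATALOG = {"exampleco:ENTERPRISEPACK": {
    "OFFICESUBSCRIPTION", "MCOSTANDARD", "SHAREPOINTWAC",
    "SHAREPOINTENTERPRISE", "EXCHANGE_S_ENTERPRISE"}}
NAME = r"[A-Za-z0-9_-]+"  # assumed character set for account, SKU and Feature names
VALUE = re.compile(rf"({NAME}):({NAME})(?:\|(.*))?")


class LicenseSyntaxError(ValueError):
    """Raised when a Licenses value is malformed or names something unknown."""


def parse_license(value):
    """Parse '<AccountName>:<SkuPartNumber>[|<ServicePlan>,...]' into (sku_id, features).

    features is None when no Feature list is given, meaning "all Features".
    """
    m = VALUE.fullmatch(value.strip())
    if not m:
        raise LicenseSyntaxError(f"expected <AccountName>:<SkuPartNumber>: {value!r}")
    account, sku, feature_part = m.groups()
    if feature_part is None:
        return f"{account}:{sku}", None
    features = [f.strip() for f in feature_part.split(",")]
    # Fail closed: 'SKU|' or 'SKU|A,,B' must not quietly widen to all Features.
    if not all(re.fullmatch(NAME, f) for f in features):
        raise LicenseSyntaxError(f"empty or malformed Feature in {value!r}")
    return f"{account}:{sku}", features


def resolve_grant(values, catalog=CATALOG):
    """Expand a multi-valued Licenses attribute into {sku_id: set_of_features}."""
    grant = {}
    for value in values:
        sku_id, features = parse_license(value)
        if sku_id not in catalog:
            raise LicenseSyntaxError(f"unknown SKU {sku_id!r}")
        if sku_id in grant:  # assumption: one attribute instance per SKU
            raise LicenseSyntaxError(f"SKU {sku_id!r} appears in two values")
        wanted = set(catalog[sku_id]) if features is None else set(features)
        unknown = wanted - catalog[sku_id]
        if unknown:
            raise LicenseSyntaxError(f"unknown Feature(s) {sorted(unknown)} for {sku_id}")
        grant[sku_id] = wanted
    return grant
```

Running `resolve_grant` over the values a workflow is about to export shows the exact Feature set each user would receive, so a value that silently means "all Features" is visible before it is provisioned.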
Determining the Available Licenses and Features
Method 1
This method is the easiest, but has the drawback that there may be Licenses and Features that escape detection.
- In your Office 365 Web UI, set up a user that has all of the available Features (you will need to do this anyway).
- In Provisioning, set up a connected system, and set the LogLevel to Debug.
- Create a workflow that exports that user, in particular, the Licenses and LicensesAndServices attributes.
This is the output dataset:
<Licenses>exampleco:ENTERPRISEPACK</Licenses>
<LicensesAndServices>exampleco:ENTERPRISEPACK|OFFICESUBSCRIPTION,MCOSTANDARD,SHAREPOINTWAC,SHAREPOINTENTERPRISE,EXCHANGE_S_ENTERPRISE</LicensesAndServices>
- Now, it is necessary to go through the UI a step at a time, turning each flag off and on to determine which symbol it corresponds to.
Method 2
This method reveals any Features that may not be immediately obvious from the Web UI.
- In the following script, replace the admin id and password with those of the Provisioning account:
$adminid='mike@exampleco.onmicrosoft.com'
$adminPass = 'Passw0rd'
$admincred = New-Object System.Management.Automation.PsCredential $adminid,(ConvertTo-SecureString -string "$adminpass" -asPlainText -force)
Import-Module MSOnline
Connect-MsolService -Credential $admincred
$liveurl='https://ps.outlook.com/powershell/'
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "$liveurl" -Credential $admincred -AllowRedirection -Authentication Basic
Import-PSSession $Session
- Open a PowerShell session and paste the resulting script. This places you into a session with Office 365 Online.
- To get the list of all SKUs owned by the company, enter this:
Get-MsolAccountSku
AccountSkuId ActiveUnits WarningUnits ConsumedUnits
--------- --------- --------- ---------
exampleco:ENTERPRISEPACK 250 0 20
In this case, there is only one SKU.
- To find the list of Features for each SKU, issue this script:
$ServicePlans = Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "[SkuPartNumber]"}
$ServicePlans.ServiceStatus
Example:
$ServicePlans = Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "ENTERPRISEPACK"}
$ServicePlans.ServiceStatus
ServicePlan ProvisioningStatus
----------- ------------------
OFFICESUBSCRIPTION Success
MCOSTANDARD Success
SHAREPOINTWAC Success
SHAREPOINTENTERPRISE Success
EXCHANGE_S_ENTERPRISE Success
Note: If there had been a SKU that was unrecognized, either find the location in the Web UI of the configuration or determine what Features the setting might control.
- To delete a license assigned to a user, issue this script:
Set-MsolUserLicense -UserPrincipalName mike@exampleco.onmicrosoft.com -RemoveLicenses exampleco:ENTERPRISEPACK
In order to remove the license of a user using the connector, the following data has to be sent in.
<root>
<entry changetype="modify" modifytype="delete" >
<EntryType>MsolUser</EntryType>
<UserPrincipalName>sspelberg@fischerdemo.onmicrosoft.com</UserPrincipalName>
<LicensesAndServices>exampleco:ENTERPRISEPACK</LicensesAndServices>
<UsageLocation>US</UsageLocation>
</entry>
</root>
Note: The entry has a changetype of 'modify' and a modifytype of 'delete'. The LicensesAndServices attribute holds the SKU of the license that is to be removed.
Upgrading SKUs
Microsoft offers multiple SKUs, which have overlapping, sometimes conflicting features. In upgrading from one service to another it is often necessary to do so in a coordinated fashion (i.e., start one service and stop another simultaneously).
When the attribute RemoveLicenseConflicts is set to true, the current licenses and features are examined and compared to those requested. The existing licenses and features that are in conflict are removed.