1.3 Support for Standard Driver Features

1.3.1 Supported Operations

The Office 365 driver performs the following operations on the Publisher and Subscriber channels:

  • Publisher Channel: Add, Modify, Delete, Migrate, and Query operations on User and Group objects.

  • Subscriber Channel: Add, Modify, Delete, Migrate, and Query operations on User and Group objects, and Password Set/Reset operations on User objects only. Based on the access entitlements granted for Office 365 services, the driver sets specific License Assignments on users. A user needs a License Assignment to access a given Office 365 service, so the driver can provision users selectively to specific services in Office 365.

1.3.2 Synchronizing Passwords

The Subscriber channel sets the password. Passwords are not synchronized on the Publisher channel. This means that passwords are synchronized from the Identity Vault to Office 365, but not from Office 365 to the Identity Vault.

1.3.3 Synchronizing Users and Groups

The Office 365 driver synchronizes users and groups as MsolUser and MsolGroup objects. A MsolUser is a collection of Exchange mailbox, mail user, and Azure attributes. A MsolGroup represents groups created in Azure Active Directory, Exchange Online Distribution Groups, and Mail-Enabled Security Groups.

You can deploy the Office 365 driver in an ADFS (federated) or non-ADFS environment. In a non-ADFS environment, the driver uses the Exchange Online cmdlets New-Mailbox and New-MailUser to create mailbox users and mail users.

For a federated environment (ADFS), perform the following actions:

  1. Add MsolUserType to the Publisher filter and set it to Notify or Sync.

  2. Create a MsolUser user and assign an Office 365 Exchange based license to the user.

    The Publisher channel modify event changes the MsolUserType from User to UserMailbox.

  3. Perform the required exchange operation on UserMailbox.

    NOTE:The Publisher channel receives the modify event only after a few poll cycles, depending on how long the Office 365 portal takes to provision the mailbox.

1.3.4 Synchronizing Exchange Online Mailbox and Mail Users

Exchange Online is the hosted version of Microsoft's Exchange messaging platform. With the Office 365 driver, you can create and manage Exchange Online user mailboxes and mail users. The driver uses the MsolUserType attribute of the Office 365 schema to synchronize Exchange-based user attributes.

  • If the MsolUserType contains UserMailbox, the driver creates an Exchange Mailbox User.

  • If the MsolUserType contains MailUser, the driver creates an Exchange Mail User.

By default, if the MsolUserType attribute is not specified, the driver creates a MsolUser without an Exchange mailbox or mail user.

The driver also synchronizes several Exchange Online attributes for the user, such as MicrosoftOnlineServicesID, EmailAddresses, Manager, and custom attributes.

By default, the AlternateEmailAddresses attribute of the Office 365 driver is mapped to the Internet EMail Address attribute in the Identity Vault. After configuring the driver, you can change this default Office 365 attribute to EmailAddresses in the schema mapping. The filter options for the EmailAddresses attribute on both the Publisher and Subscriber channels are set to Synchronize by default. When you define an EmailAddresses value, you can control the protocol of the address by prefixing it with the protocol name followed by a colon. Without a prefix, the driver uses the default smtp protocol.

For example, smtp:thomas.wagnor@example.com creates a secondary SMTP address, while the same address with the prefix in upper case, SMTP:thomas.wagnor@example.com, creates the primary SMTP address. Because the prefix is case-sensitive, only one value per user should carry the upper-case SMTP prefix. An address for the SIP protocol looks like SIP:thomas.wagnor@example.com.

IMPORTANT:

  • If the EmailAddresses filter options are set to Ignore, Notify, or Reset, the driver overwrites the primary SMTP address in the Identity Vault during a merge operation.

  • The driver synchronizes the email address together with its prefix on the Publisher channel. To synchronize only the address text without the prefix, write policies that suit your deployment scenario.

The attribute values are case-sensitive. Ensure that you add them during the XDS Add event.
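The prefix rules above, as an added Python example that is not code from the Office 365 driver or from this guide: it parses a multi-valued EmailAddresses list, applies the default smtp protocol to bare addresses, enforces that at most one value carries the primary (upper-case SMTP) prefix and that no address is listed twice, strips prefixes the way a Publisher-channel policy might, and re-points the primary address while demoting the old one. The sample addresses are constructed and the helper names are assumptions.

```python
"""Handle Office 365 EmailAddresses values with their protocol prefixes.

Added example, not code from the Office 365 driver or this guide.
Prefix rules assumed from the text: "smtp:" is a secondary SMTP
address, "SMTP:" (upper case) is the primary one, other protocols
such as "SIP:" keep their name, and a value with no prefix defaults
to smtp. The sample addresses below are constructed.
"""
from dataclasses import dataclass

DEFAULT_PROTOCOL = "smtp"


@dataclass(frozen=True)
class ProxyAddress:
    protocol: str  # case is significant: "SMTP" is primary, "smtp" secondary
    address: str

    @property
    def is_primary(self) -> bool:
        return self.protocol == "SMTP"

    def __str__(self) -> str:
        return f"{self.protocol}:{self.address}"


def parse_proxy_address(value: str) -> ProxyAddress:
    """Split "PROTO:address" into its parts; a bare address gets smtp."""
    value = value.strip()
    if not value:
        raise ValueError("empty EmailAddresses value")
    protocol, sep, address = value.partition(":")
    if not sep or "@" in protocol:
        # No prefix, or the colon belongs to the address itself.
        return ProxyAddress(DEFAULT_PROTOCOL, value)
    if not protocol.isalnum():
        raise ValueError(f"invalid protocol prefix in {value!r}")
    if not address or (protocol.lower() == "smtp" and "@" not in address):
        raise ValueError(f"missing address part in {value!r}")
    return ProxyAddress(protocol, address)


def validate_email_addresses(values):
    """Parse a multi-valued EmailAddresses attribute and enforce the
    constraints Exchange applies: at most one primary SMTP address and
    no duplicates. Duplicate detection ignores case entirely, because
    SMTP:a and smtp:a are the same proxy address; the prefix case only
    decides which value is the primary one."""
    parsed = [parse_proxy_address(v) for v in values]
    if sum(p.is_primary for p in parsed) > 1:
        raise ValueError("more than one primary SMTP: address")
    seen = set()
    for p in parsed:
        key = (p.protocol.lower(), p.address.lower())
        if key in seen:
            raise ValueError(f"duplicate address {p.address}")
        seen.add(key)
    return parsed


def primary_smtp(values):
    """Return the primary SMTP address, or None if no value is marked primary."""
    return next((p.address for p in validate_email_addresses(values) if p.is_primary), None)


def strip_prefixes(values, protocols=("smtp",)):
    """Publisher-side normalization: bare addresses for the given
    protocols (matched case-insensitively), dropping others such as SIP."""
    wanted = {x.lower() for x in protocols}
    return [p.address for p in validate_email_addresses(values)
            if p.protocol.lower() in wanted]


def set_primary(values, address):
    """Return a new value list in which `address` is the primary SMTP
    address; the previous primary is demoted to a secondary smtp entry."""
    out = []
    for p in validate_email_addresses(values):
        if p.protocol.lower() == "smtp" and p.address.lower() == address.lower():
            continue  # re-added below as the primary
        out.append(str(ProxyAddress("smtp", p.address)) if p.is_primary else str(p))
    out.append(f"SMTP:{address}")
    return out


# Constructed sample: one primary, one secondary, a SIP address and a bare address.
SAMPLE = [
    "SMTP:thomas.wagnor@example.com",
    "smtp:t.wagnor@example.com",
    "SIP:thomas.wagnor@example.com",
    "twagnor@example.com",
]

if __name__ == "__main__":
    print(primary_smtp(SAMPLE))
    print(strip_prefixes(SAMPLE))
    print(set_primary(SAMPLE, "t.wagnor@example.com"))
```

A Subscriber policy would call validate_email_addresses() before the XDS Add is emitted, so that a value set with two upper-case SMTP prefixes or a repeated address is rejected on your side rather than by Exchange Online; strip_prefixes() is the kind of transformation the IMPORTANT note above asks you to write if the Identity Vault should hold bare addresses.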

1.3.5 Synchronizing Exchange Online Distribution Groups and Mail-Enabled Security Groups

To create and manage Distribution Groups and Mail-Enabled Security Groups, the driver uses several Exchange-based group attributes. Use the GroupType attribute in the Office 365 schema to select which kind of group to synchronize.

  • If the GroupType contains DistributionList, the driver creates an Exchange Distribution List.

  • If the GroupType contains MailEnabledSecurity, the driver creates an Exchange Mail-Enabled Security Group.

  • If the GroupType contains Security, the driver creates an Office 365 Security Group.

The local variables that hold these GroupType values are initialized at driver scope in the Output Transformation policy of the default configuration package. To synchronize a group on the Subscriber channel, set the GroupType attribute in the XDS document to the appropriate local variable value.

Identity Manager grants memberships to the groups via entitlements.

NOTE:The attributes are case sensitive. Ensure that you add them during the XDS Add event.

1.3.6 Supporting Exchange Online in Hybrid Mode

In hybrid mode, an on-premises Exchange Server organization is integrated with Exchange Online in Microsoft Office 365. The Office 365 driver supports hybrid deployments by allowing Publisher synchronization of Exchange Online attributes to an on-premises Active Directory: the driver reads the Exchange Online attributes and publishes them to the Identity Vault, and you then synchronize them to on-premises Active Directory by using the NetIQ Identity Manager Active Directory driver. Refer to Table B-3 for the attributes synchronized in an Exchange hybrid deployment.

Below is a sample query that retrieves all the attributes required for Exchange hybrid mode synchronization by running a PowerShell cmdlet through the psexecute search attribute:

<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.0">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <query class-name="MSolUser" event-id="0" scope="subtree">
        <search-class class-name="Powershell"/>
        <search-attr attr-name="psexecute">
                <value>get-mailbox -Identity MyUserName</value>
        </search-attr>
        <read-attr attr-name="LegacyExchangeDN"/>
        <read-attr attr-name="ArchiveStatus"/>
        <read-attr attr-name="LitigationHoldEnabled"/>
        <read-attr attr-name="UMEnabled"/>
    </query>
  </input>
</nds>
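The text of the psexecute value in the query above is handed to PowerShell as a command line, so anything substituted into it from directory data (the -Identity argument, for example) must be quoted before it is placed in the document, and the document itself must stay well-formed XML. The following Python is an added example, not code from the driver or this guide: it builds the same query with ElementTree, which takes care of XML escaping, and wraps the identity in a PowerShell single-quoted literal. The ps_quote() helper, the Get-Mailbox cmdlet name and the hostile sample identity used to exercise the quoting are assumptions made for illustration.

```python
"""Build a psexecute XDS query for the Office 365 driver.

Added example, not code from the driver or this guide. The document
layout (nds/input/query with a Powershell search-class, a psexecute
search-attr and read-attr elements) follows the sample above. The
ps_quote() helper and the hostile identity in the demo are assumptions
made for illustration.
"""
import xml.etree.ElementTree as ET

# Attributes the guide lists for Exchange hybrid synchronization.
HYBRID_ATTRS = ("LegacyExchangeDN", "ArchiveStatus", "LitigationHoldEnabled", "UMEnabled")


def ps_quote(value: str) -> str:
    """Return value as a PowerShell single-quoted string literal.

    Whatever goes into <value> is executed as a PowerShell command line,
    so an identity taken from directory data must not be able to close
    the argument and start a second statement. Inside single quotes
    PowerShell does no variable expansion; the only special character is
    the quote itself, which is escaped by doubling it.
    """
    if any(ch in value for ch in ("\x00", "\r", "\n")):
        raise ValueError("control characters are not allowed in an identity")
    return "'" + value.replace("'", "''") + "'"


def build_psexecute_query(identity: str, attrs=HYBRID_ATTRS, cmdlet: str = "Get-Mailbox") -> str:
    """Return the XDS query as a string; ElementTree does the XML escaping."""
    nds = ET.Element("nds", {"dtdversion": "4.0", "ndsversion": "8.x"})
    source = ET.SubElement(nds, "source")
    ET.SubElement(source, "product", {"edition": "Advanced", "version": "4.0.2.0"}).text = "DirXML"
    ET.SubElement(source, "contact").text = "Novell, Inc."
    query = ET.SubElement(ET.SubElement(nds, "input"), "query",
                          {"class-name": "MSolUser", "event-id": "0", "scope": "subtree"})
    ET.SubElement(query, "search-class", {"class-name": "Powershell"})
    search_attr = ET.SubElement(query, "search-attr", {"attr-name": "psexecute"})
    ET.SubElement(search_attr, "value").text = f"{cmdlet} -Identity {ps_quote(identity)}"
    for name in attrs:
        ET.SubElement(query, "read-attr", {"attr-name": name})
    return ET.tostring(nds, encoding="unicode")


def psexecute_command(xds: str) -> str:
    """Parse a query document and return the command line the driver would run."""
    root = ET.fromstring(xds)
    node = root.find("./input/query/search-attr[@attr-name='psexecute']/value")
    return node.text if node is not None and node.text else ""


def requested_attrs(xds: str):
    """Return the read-attr names of a query document in document order."""
    root = ET.fromstring(xds)
    return [e.get("attr-name") for e in root.findall("./input/query/read-attr")]


if __name__ == "__main__":
    print(build_psexecute_query("thomas.wagnor@example.com"))
    # Constructed hostile value: unquoted, it would run a second cmdlet.
    hostile = "x'; Remove-Mailbox -Identity victim -Confirm:$false; '"
    print(psexecute_command(build_psexecute_query(hostile)))
```

With quoting in place the hostile value becomes a single string argument to Get-Mailbox, which then simply fails to find such a mailbox, and an identity containing < or & is escaped by ElementTree so the driver still receives a parsable document. The same helper applies to any cmdlet parameter the driver generates from filter attributes.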

Below is a sample entry-scope query that retrieves the same attributes for the user identified by its association:

<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.0">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <query class-name="MSolUser" event-id="0" scope="entry">
        <association>6ddfed09-441c-4a7a-ba04-62dffca8a5a3</association>
        <search-class class-name="MSolUser"/>
        <read-attr attr-name="LegacyExchangeDN"/>
        <read-attr attr-name="ArchiveStatus"/>
        <read-attr attr-name="LitigationHoldEnabled"/>
        <read-attr attr-name="UMEnabled"/>
    </query>
  </input>
</nds>

1.3.7 Creating PowerShell Cmdlets Parameters from Filter

The Office 365 driver generates cmdlet parameters based on the filter configuration. Even if an attribute is not present in the driver schema, you can include it in an XDS operation and the driver generates the corresponding cmdlet parameter from it.

1.3.8 Supporting Entitlements

The Office 365 driver implements entitlements. Enable entitlements for the driver only if you plan to use the User Application or Role-Based Entitlements with it. For more information about entitlements, see the NetIQ Identity Manager Entitlements Guide.

Entitlements make it easier to integrate Identity Manager with the Identity Manager User Application and Role-Based Services in the Identity Vault. In the User Application, an action such as provisioning an account in Office 365 is delayed until the proper approvals are granted. In Role-Based Services, rights are assigned based on attributes of a user object rather than on regular group membership. Both services pose a challenge to Identity Manager because it is not obvious from the attributes of an object whether an approval has been granted or whether the user matches a role. Entitlements provide a standard method of recording this information on objects in the Identity Vault.

From the driver's perspective, an entitlement grants or revokes the right to resources in Office 365. You can use entitlements to grant the right to an account in Office 365 or to control group membership. The driver is unaware of the User Application or Role-Based Entitlements; it depends on the User Application server or the Entitlements driver to grant or revoke the entitlement for a user according to their own rules.

You can also configure the driver without entitlements. In that case, Active Directory could be the authoritative source for both users and group membership: after the Active Directory driver synchronizes identities and group memberships from Active Directory into the Identity Vault, the Office 365 driver synchronizes those objects from the Identity Vault into Office 365. It is equally possible to configure the driver without either Active Directory or entitlements.