1.3 Support for Standard Driver Features

The following sections describe how the Office 365 driver supports standard driver features:

1.3.1 Supported Operations

The Office 365 driver performs the following operations on the Publisher and Subscriber channels:

  • Publisher Channel: Add, Modify, Delete, Migrate, and Query operations on User and Group objects.

  • Subscriber Channel: Add, Modify, Delete, Migrate, and Query operations on User and Group objects, and Password Set/Reset operations only on User objects. Based on the access entitlements to Office 365 services, specific License Assignments are set on the users. A License Assignment is required by the users to access specific services in Office 365. The driver has the capability to selectively provision users to specific services in Office 365.

1.3.2 Password Synchronization

The Subscriber channel sets the password. Passwords are not synchronized on the Publisher channel. This means that passwords are synchronized from the Identity Vault to Office 365, but not from Office 365 to the Identity Vault.

1.3.3 Object Synchronization

The Office 365 driver synchronizes users and groups.

1.3.4 Exchange Distribution Lists and Mail-Enabled Security Groups Synchronization

The driver supports creation and management of Distribution and Mail-enabled Security Groups. It supports multiple group attributes to enable creation and management of these groups. You must use the GroupType attribute in the Office 365 schema to synchronize the desired groups.

  • If the GroupType contains DistributionList, it creates an Exchange Distribution List.

  • If the GroupType contains MailEnabledSecurity, it creates an Exchange Security Group.

  • If the GroupType contains Security, it creates an Office 365 Security Group.

The local variables are initialized at the driver scope in the Output Transformation Policy of the default configuration package. Use an appropriate local variable value for the GroupType attribute in the XDS document to synchronize on the Subscriber channel.
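As an added illustration (not part of the driver documentation or the default configuration package), the following Python script parses a constructed XDS input document and reports which Office 365 object each group add would yield from its GroupType values, matching values whole rather than by substring and flagging an add with no, or more than one, recognized value. The class name Group, the CN attribute and the src-dn values are assumptions; only the GroupType values and their results come from the text above.

```python
import xml.etree.ElementTree as ET

# GroupType values named in the driver documentation and the Office 365
# object each one produces.
GROUP_TYPE_RESULT = {
    "DistributionList": "Exchange Distribution List",
    "MailEnabledSecurity": "Exchange Security Group",
    "Security": "Office 365 Security Group",
}

# Constructed sample XDS input with two group adds. The class name "Group",
# the CN attribute and the src-dn values are assumptions for illustration.
SAMPLE_XDS = """<nds dtdversion="4.0">
  <input>
    <add class-name="Group" src-dn="data/groups/sales-dl">
      <add-attr attr-name="CN"><value type="string">sales-dl</value></add-attr>
      <add-attr attr-name="GroupType"><value type="string">DistributionList</value></add-attr>
    </add>
    <add class-name="Group" src-dn="data/groups/secops">
      <add-attr attr-name="CN"><value type="string">secops</value></add-attr>
      <add-attr attr-name="GroupType"><value type="string">MailEnabledSecurity</value></add-attr>
    </add>
  </input>
</nds>"""


def group_type_values(add_elem):
    """Return all GroupType values carried by one <add> event (it may have several)."""
    values = add_elem.findall("add-attr[@attr-name='GroupType']/value")
    return [v.text.strip() for v in values if v.text]


def classify_group_adds(xds_text):
    """Map each Group <add> (keyed by src-dn) to the Office 365 object it yields.

    Values are compared whole: a substring test would read 'MailEnabledSecurity'
    as 'Security'. An add with no, or several, recognized values is reported.
    """
    results = {}
    for add in ET.fromstring(xds_text).iter("add"):
        if add.get("class-name") != "Group":
            continue
        values = group_type_values(add)
        kinds = [GROUP_TYPE_RESULT[v] for v in values if v in GROUP_TYPE_RESULT]
        if len(kinds) == 1:
            results[add.get("src-dn")] = kinds[0]
        else:
            results[add.get("src-dn")] = "invalid GroupType %r" % (values,)
    return results


if __name__ == "__main__":
    for dn, result in classify_group_adds(SAMPLE_XDS).items():
        print(dn, "->", result)
```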

Memberships to the groups are granted via entitlements.

1.3.5 Entitlements

The Office 365 driver implements entitlements. You should enable entitlements for the driver only if you plan to use the User Application or Role-Based Entitlements with the driver. For more information about entitlements, see the Identity Manager 4.0.2 Entitlements Guide.

Entitlements make it easier to integrate Identity Manager with the Identity Manager User Application and Role-Based Services in the Identity Vault. In the User Application, an action such as provisioning an account in Office 365 is delayed until the proper approvals are made. In Role-Based Services, rights are assigned based on attributes of a user object and not by regular group membership. Both of these services offer a challenge to Identity Manager, because it is not obvious from the attributes of an object whether an approval is granted or the user matches a role. Entitlements standardize a method of recording this information on objects in the Identity Vault.

From the driver perspective, an entitlement grants or revokes the right to resources in Office 365. You can use entitlements to grant the right to an account in Office 365 or to control group membership. The driver is unaware of the User Application or Role-Based Entitlements. It depends on the User Application server or the Entitlements driver to grant or revoke the entitlement for a user based on its own rules.

NOTE: License entitlement is configured as a single-valued resource in the User Application. Therefore, to assign multiple Office 365 driver licenses, you must create a resource in the User Application for each value that needs to be assigned. The driver supports only one license assignment per operation.

You can also configure the driver without using entitlements. In such scenarios, Active Directory could be the authoritative source for both users and group membership. After the Active Directory driver synchronizes identities and group memberships from Active Directory into the Identity Vault, the Office 365 driver synchronizes those objects from the Identity Vault into Office 365. However, you can also configure the driver without Active Directory and entitlements.