Connect to Office 365

The following outlines the tasks required to configure the Microsoft Office 365 connector, the role responsible for each task, and the system on which that role performs it:

Role: Office 365 Server Administrator
System: Microsoft Office 365
Tasks:
  • Register a domain with Office 365.
  • Only when using Modern Authentication (Certificate-Based) in Exchange Online, perform the following tasks in Office 365:
    1. Register an application in Azure Active Directory at https://portal.azure.com. Registering a new application generates an Application ID, which is required when creating an Office 365 endpoint in the Identity Manager User Console.
    2. Assign API permissions to the application to access Exchange Online.
    3. Generate a self-signed certificate and attach it to the Azure Active Directory application.
    4. Assign a role to the application.

Role: Connector Server Administrator
System: On-premise computer hosting Windows PowerShell, the Office 365 connector, and CA IAM Connector Server
Tasks:
  • Ensure that CA IAM CS (Java Connector Server) is installed.
  • Install PowerShell on the machine where CA IAM CS is installed.
  • Install the Microsoft Azure Active Directory Module for Windows PowerShell.
  • The Office 365 connector supports Certificate-Based Modern Authentication in Exchange Online. If you use it to connect to the Exchange Online organization, also install the Microsoft Exchange Online V2 Module (EXO V2 Module) for Windows PowerShell.
  • Verify the PowerShell connection to the Office 365 endpoint.

Role: Product Administrator
System: Identity Manager
Tasks:
  • Connect to the Office 365 endpoint from the Identity Manager User Console.
Register a Domain with Office 365
Add your domain to Office 365; the steps for adding a domain are in the Microsoft Office 365 documentation.
Register an Application with Office 365
The following tasks are required in Office 365 only when using Modern Authentication (Certificate-Based) in Exchange Online; an administrator performs them.
  1. Register an application in Azure Active Directory at https://portal.azure.com. Upon registering a new application, an Application ID is generated which will be required while creating an Office 365 endpoint in the Identity Manager User Console.
  2. Assign API permissions to the application to access Exchange Online.
  3. Generate a self-signed certificate and attach to the Azure Active Directory application.
  4. Assign a role to the application.
For details on how to perform these tasks, see Microsoft Documentation for Exchange Online.
Ensure that CA IAM CS Is Installed
Ensure that CA IAM CS is installed and running. If it is not installed, install CA IAM Connector Server first.
Install PowerShell on CA IAM CS
The Office 365 connector uses Windows PowerShell to communicate with Office 365. Ensure that it is installed and configured on the on-premise computer running CA IAM CS.
Follow these steps:
  1. Install the latest version of Windows PowerShell.
    After installation, ensure that PowerShell.exe is on the Windows PATH. To check, open a Command Prompt and type PowerShell; a PowerShell prompt must open.
  2. To discover the execution policy that is being used, open Windows PowerShell and run the following command:
    Get-ExecutionPolicy
  3. To set the ExecutionPolicy to RemoteSigned, run the following command:
    Set-ExecutionPolicy RemoteSigned
    The execution policy is now RemoteSigned, which means that scripts downloaded from the Internet must be signed by a trusted publisher before they can run.
  4. Close Windows PowerShell.
  5. Open a command prompt and run the following command to start Windows Remote Management:
    net start winrm
  6. In the command prompt, run the following command to check whether the WinRM client allows HTTP Basic authentication:
    winrm get winrm/config/client/auth
    If the output does not contain Basic = true, run the following command to allow PowerShell to use HTTP Basic authentication:
    winrm set winrm/config/client/auth @{Basic="true"}
Install Microsoft Azure Active Directory (MSOnline) Module for Windows PowerShell
Install the Microsoft Azure Active Directory (MSOnline) Module for Windows PowerShell so that your local PowerShell session can create a Microsoft Online (Office 365) administration session.
Complete the following steps in the Windows PowerShell window:
  1. Check if the module is already installed. To do this, open Windows PowerShell and run the following command:
    Import-Module MSOnline
    A list of cmdlets appears.
  2. If MSOnline is not found, run the following command to install the module:
    Install-Module MSOnline
  3. Repeat Step 1 to check that the module has installed correctly.
Install Microsoft Exchange Online V2 (EXO V2) Module for Windows PowerShell
Install Microsoft Exchange Online V2 (EXO V2) module for Windows PowerShell. Once installed, administrators can connect and manage their Exchange Online environment in Office 365.
Complete the following steps in the Windows PowerShell window:
  1. Install or update the PowerShellGet module as described in Installing PowerShellGet.
  2. Close and re-open the window.
  3. Run the following command to install the module:
    Install-Module -Name ExchangeOnlineManagement
Verify the PowerShell Connection to the Office 365 Endpoint
Before you acquire the Office 365 endpoint from Identity Manager, verify that you can use PowerShell to manage the endpoint remotely. You need Global Administrator privileges and credentials.
Open PowerShell and run the commands for the module you installed. The MSOnline commands open a Basic-authentication session over HTTPS; Microsoft has since retired Basic authentication for Exchange Online remote PowerShell, so use the certificate-based EXO V2 connection where the tenant no longer accepts it.
  • Microsoft Azure Active Directory (MSOnline) Module
    Import-Module MsOnline
    $UserCredential = Get-Credential
    Connect-MsolService -Credential $UserCredential
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection -SessionOption (New-PSSessionOption -IdleTimeOut 60000)
    Import-PSSession $session
    get-rolegroup | format-list
  • Microsoft Exchange Online V2 (EXO V2) Module
    Connect-ExchangeOnline -CertificateFilePath "C:\Users\johndoe\Desktop\automation-cert.pfx" -CertificatePassword (ConvertTo-SecureString -String "<My Password>" -AsPlainText -Force) -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "contosoelectronics.onmicrosoft.com"
If your commands run successfully, acquire the endpoint in Identity Manager.
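A preflight check that walks the prerequisites above on the connector server and then attempts the certificate-based connection, as an added example rather than the product's or Microsoft's own code; the certificate path, application ID and organization name are placeholders, and the certificate password is prompted rather than embedded in the script.

```powershell
# Preflight check for the connector server (added example). Placeholders to replace:
# the .pfx path, the Azure AD application (client) ID and the tenant organization name.
param(
    [string]$CertificateFilePath = 'C:\path\to\automation-cert.pfx',
    [string]$AppId               = '<application-id-from-azure-ad>',
    [string]$Organization        = '<tenant>.onmicrosoft.com'
)
$results = [ordered]@{}

# 1. PowerShell.exe must be resolvable from the PATH, as the guide requires.
$results['PowerShell.exe on PATH'] = [bool](Get-Command powershell.exe -ErrorAction SilentlyContinue)

# 2. RemoteSigned is what the guide sets; AllSigned is stricter and also acceptable.
$policy = (Get-ExecutionPolicy).ToString()
$results["ExecutionPolicy is $policy"] = $policy -in 'RemoteSigned', 'AllSigned'

# 3. WinRM must be running; client Basic auth is only needed for the legacy MSOnline session.
$results['WinRM service running'] = (Get-Service WinRM -ErrorAction SilentlyContinue).Status -eq 'Running'
$basic = (Get-Item WSMan:\localhost\Client\Auth\Basic -ErrorAction SilentlyContinue).Value
$results["WinRM client Basic auth is '$basic' (informational)"] = $true

# 4. Both modules the guide installs must be present.
foreach ($m in 'MSOnline', 'ExchangeOnlineManagement') {
    $results["Module $m installed"] = [bool](Get-Module -ListAvailable -Name $m)
}

# 5. The .pfx must exist, carry a private key and be unexpired. Password is prompted, never stored.
if (Test-Path -Path $CertificateFilePath -PathType Leaf) {
    $certPassword = Read-Host -Prompt 'Certificate password' -AsSecureString
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $CertificateFilePath, $certPassword
    $results['Certificate has private key'] = $cert.HasPrivateKey
    $results["Certificate valid until $($cert.NotAfter)"] = $cert.NotAfter -gt (Get-Date)

    # 6. Certificate-based (modern auth) connection to Exchange Online, followed by a read-only call.
    try {
        Connect-ExchangeOnline -CertificateFilePath $CertificateFilePath -CertificatePassword $certPassword `
            -AppId $AppId -Organization $Organization -ShowBanner:$false
        $results['Exchange Online connection'] = [bool](Get-OrganizationConfig)
        Disconnect-ExchangeOnline -Confirm:$false
    } catch {
        $results["Exchange Online connection failed: $($_.Exception.Message)"] = $false
    }
} else {
    $results["Certificate file found at $CertificateFilePath"] = $false
}
# Print one PASS/FAIL line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

Run it in the same PowerShell that CA IAM CS will launch, so the PATH, execution policy and module checks reflect that account's environment.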
Acquire Office 365 Endpoint in Identity Manager
This procedure is for the Identity Manager administrator and does not apply to Identity Governance.
Acquire the Microsoft Office 365 endpoint from the Identity Manager User Console to administer it.
Follow these steps:
  1. Open the attribute list for the Office 365 endpoint type. This HTML page lists every endpoint attribute that the connector works with. You will use this information in the later steps of this procedure.
  2. Set up the connector in Identity Manager:
    1. Create correlation rules, using the information in the attribute list.
  3. Create the Office 365 endpoint:
    1. In the Identity Manager User Console, navigate to Endpoints, Manage Endpoints, Create Endpoint.
    2. Select an endpoint of type Office 365.
    3. Configure the following parameters:
      • Domain: Specifies the Microsoft Office 365 domain name.
      • Administrator Email: Specifies the email ID of the Microsoft Office 365 administrator.
      • Administrator Password: Specifies the password of the Microsoft Office 365 administrator.
      • Hybrid Mode: When enabled, Microsoft Office 365 Hybrid Mode synchronizes the on-premise Microsoft Active Directory with the cloud Microsoft Office 365 identity store through the Microsoft Azure Active Directory Connect utility.
      • Business Class Email Enabled: Controls whether the Office 365 endpoint is acquired in Exchange-less mode. By default the Business Class Email Enabled check box is selected. If the Office 365 plan does not include the Business class email, calendar, and contacts service, clear the Business Class Email Enabled check box. When it is cleared, the Mailbox Admin Roles, Mailbox User Role, and Mailbox Distribution Groups tabs of the Account and Account Template screens, which require an Exchange session, are disabled.
        From Identity Manager 14.1 onwards, the Business Class Email Enabled option is selected by default for a fresh installation. If you are upgrading from a version prior to 14.1, ensure that you import the latest role definitions and manually select the Business Class Email Enabled check box in the Endpoint tab.
      • The following parameters apply only when using Certificate-Based modern authentication to connect to Exchange Online:
        • Use MFA: Select this option to authenticate user access to Exchange Online with a client certificate.
        • AppID: Enter the unique application (client) ID assigned by Azure Active Directory on application registration.
        • Certificate Password: Enter the password that protects the certificate file on the Connector Server.
        • Certificate File Path on the Connector Server: Enter the certificate path. The certificate must be in .pfx format. User access to Exchange Online is authenticated with this client certificate.
      • Specify the Default Account Template.
    4. Click Submit. The Office 365 endpoint has been acquired successfully.
  4. Create and execute an Explore and Correlate definition. To retrieve all containers (Accounts, Groups, License Options, Admin Roles, User Roles), select the Full Sub-Tree option from the Explore Method drop-down list for the root.
Manage Microsoft Office 365 Accounts
Instructions for managing Microsoft Office 365 accounts are provided in the connector documentation for managing Microsoft Office 365 accounts.