
Identity Manager 9.1 - Administration Guide for Connecting to Microsoft Teams


Synchronizing a Microsoft Teams environment

The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and Microsoft Teams.

This section explains how to:

  • Set up synchronization to import initial data from Microsoft Teams domains into the One Identity Manager database.

  • Adjust a synchronization configuration.

  • Start and deactivate the synchronization.

  • Evaluate the synchronization results.

TIP: Before you set up synchronization with Microsoft Teams, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.


Setting up the initial synchronization with Microsoft Teams

The Synchronization Editor provides a project template that can be used to set up the synchronization of Microsoft Teams teams and channels. You use this project template to create synchronization projects with which you import the data from Microsoft Teams into your One Identity Manager database. In addition, the required processes are created that are used for provisioning changes to target system objects from the One Identity Manager database into the target system.

Prerequisites for synchronizing Microsoft Teams are:

  • The Azure Active Directory tenant is declared in One Identity Manager.

  • Synchronization of the Azure Active Directory system is carried out regularly.

  • Synchronization of the Exchange Online system is carried out regularly.

For more information about synchronizing an Azure Active Directory tenant, see the One Identity Manager Administration Guide for Connecting to Azure Active Directory. For more information about synchronizing an Exchange Online organization, see the One Identity Manager Administration Guide for Connecting to Exchange Online.

To load Microsoft Teams objects into the One Identity Manager database for the first time

  1. Extend the registered One Identity Manager application in the Azure Active Directory tenant with additional permissions.

  2. One Identity Manager components for managing Microsoft Teams are available if the TargetSystem | AzureAD | ExchangeOnline configuration parameter is set.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

  3. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  4. Create a synchronization project with the Synchronization Editor.

Extending permissions for the One Identity Manager application in the Azure Active Directory tenant

You can extend the permissions for the One Identity Manager application in the Microsoft Azure Portal (https://portal.azure.com/) or in the Azure Active Directory Admin Center (https://admin.microsoft.com/).

You have already registered a One Identity Manager application in the Azure Active Directory tenant in order to synchronize between One Identity Manager and Azure Active Directory. To be able to synchronize with Microsoft Teams, you must extend the permissions of this application.

  • If you use authentication in a directory user context (delegated permissions), assign the ChannelMember.Read.All delegated permissions (Read the members of channels) as well.

  • If you use authentication in an application context (application permissions), assign the ChannelMember.Read.All (Read the members of channels) application permissions as well.

For more information on how to register an enterprise application for One Identity Manager in the Azure Active Directory tenant and assign permissions, see the One Identity Manager Administration Guide for Connecting to Azure Active Directory.
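The following PowerShell script is an added example and is not part of the One Identity documentation or the product. It uses the Microsoft Graph PowerShell SDK to check whether the registered One Identity Manager application actually holds ChannelMember.Read.All, in the delegated form (directory user context) and/or the application form (application context), and lists every other Microsoft Graph permission granted to it so the grant can be reviewed against least privilege. The application (client) ID in $OimAppId is a placeholder; the Graph scopes requested at sign-in and the well-known appId of Microsoft Graph are real values, but the interactive sign-in and read-only directory scopes are assumptions about how an administrator would run the check.

```powershell
# Added example (not One Identity documentation): verify that the One Identity Manager
# application holds ChannelMember.Read.All on Microsoft Graph, delegated and/or application,
# and show all other Graph permissions granted to it for a least-privilege review.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

$OimAppId           = '<application-client-id>'            # placeholder: client ID of the OIM app registration
$RequiredPermission = 'ChannelMember.Read.All'
$GraphAppId         = '00000003-0000-0000-c000-000000000000'  # well-known appId of Microsoft Graph

# Read-only scopes are enough to inspect service principals, grants and role assignments
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null

# Service principal of the One Identity Manager application and of Microsoft Graph itself
$oimSp   = Get-MgServicePrincipal -Filter "appId eq '$OimAppId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $oimSp)   { throw "No service principal found for appId $OimAppId" }
if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant" }

# Delegated permissions live in OAuth2 permission grants as a space-separated scope string
$delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $oimSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $_.Scope -split ' ' } |
    Where-Object { $_ } |
    Sort-Object -Unique

# Application permissions are app role assignments that reference Graph's app roles by ID;
# resolve each ID to its name (for example ChannelMember.Read.All) via Graph's AppRoles list
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }
$application = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $oimSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] } |
    Where-Object { $_ } |
    Sort-Object -Unique

"Delegated Graph permissions granted:   $($delegated -join ', ')"
"Application Graph permissions granted: $($application -join ', ')"

if ($delegated -contains $RequiredPermission) {
    "OK: $RequiredPermission is granted as a delegated permission (directory user context)."
}
if ($application -contains $RequiredPermission) {
    "OK: $RequiredPermission is granted as an application permission (application context)."
}
if ((@($delegated) + @($application)) -notcontains $RequiredPermission) {
    Write-Warning "$RequiredPermission is not granted; Microsoft Teams synchronization cannot read channel members."
}
```

The two lists printed before the OK lines are the useful part for a review: anything beyond what the Azure Active Directory, Exchange Online and Microsoft Teams guides require is a candidate for removal, and a grant that appears in the application list when the synchronization project uses the directory user context (or the reverse) indicates the wrong consent type was given.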


Users and permissions for synchronizing with Microsoft Teams

The following users are involved in synchronizing One Identity Manager with an Azure Active Directory tenant.

Table 2: Users for synchronization

Users: User for accessing Azure Active Directory, or the secret's value

Permissions:

Depending on how the One Identity Manager application is registered in the Azure Active Directory tenant, either a user account with sufficient permissions or the secret is required.

  • If you use authentication in the context of a directory user (delegated permissions), you require a user account that is a member of the Global administrator Azure Active Directory administrator role when you set up the synchronization project. Use the Azure Active Directory Admin Center to assign the Azure Active Directory administrator role to the user account. For more information on managing permissions in Azure Active Directory, see the Microsoft documentation.

    NOTE: The user account used to access Azure Active Directory must not use multifactor authentication to allow automated logins in a user context.

    In addition, the user account must have a license for Teams.

  • If you use authentication in the context of an application (application permissions), you need the value of the secret when you set up the synchronization project. The secret is generated when the One Identity Manager application is registered with the Azure Active Directory tenant.

    NOTE: The secret is only valid for a limited period and must be renewed when it expires.

Users: One Identity Manager Service user account

Permissions:

The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Log on as a service extended user right.

The user account requires permissions for the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"
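The following PowerShell script is an added example and is not part of the One Identity documentation. It wraps the netsh command above so the URL ACL reservation for the internal web service can be applied repeatably and verified: it checks for an existing reservation for the exact URL, adds one only if none exists, and confirms afterwards that the reservation names the intended service account. The account, IP address and port are placeholders; the URL follows the http://<IP address>:<port number>/ form the guide gives. Running it requires an elevated session, because URL ACL changes need administrator rights.

```powershell
# Added example (not One Identity documentation): reserve the HTTP URL ACL that the
# One Identity Manager Service needs for its internal web service and verify the result.
# Run from an elevated PowerShell session.

$ServiceAccount = 'NT AUTHORITY\NETWORKSERVICE'   # placeholder: use a domain account instead if the service runs under one
$ListenAddress  = '192.0.2.10'                    # placeholder IP address (RFC 5737 documentation range)
$ListenPort     = 8080                            # placeholder port number
$Url            = "http://${ListenAddress}:${ListenPort}/"

# Look for an existing reservation for exactly this URL (no wildcard host, so the
# reservation stays scoped to the address and port the service actually listens on)
$existing = netsh http show urlacl url=$Url
if (($existing -join "`n") -match [regex]::Escape($Url)) {
    "A URL ACL reservation for $Url already exists:"
    $existing
} else {
    # Reserve the URL for the service account only; no additional users are granted
    netsh http add urlacl url=$Url user="$ServiceAccount"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add the URL ACL for $Url" }
}

# Verify that the reservation names the intended account. netsh prints the account
# with a space (NETWORK SERVICE) even when it was entered without one, so compare
# both strings with whitespace removed.
$check    = (netsh http show urlacl url=$Url) -join "`n"
$expected = [regex]::Escape(($ServiceAccount -replace '\s', ''))
if (($check -replace '\s', '') -match $expected) {
    "OK: $Url is reserved for $ServiceAccount"
} else {
    Write-Warning "The reservation for $Url does not list $ServiceAccount; review the output of 'netsh http show urlacl'."
    $check
}
```

Reserving the concrete address rather than a wildcard such as http://+:<port>/ is the safer default: a wildcard reservation lets the account bind that port on every address of the host, which is more than the internal web service needs.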

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)

Users: User for accessing the One Identity Manager database

Permissions:

The Synchronization default system user is provided to run synchronization using an application server.
