Identity Manager 8.1 - Administration Guide for Connecting to SharePoint Online

Mapping a SharePoint Online environment in One Identity Manager Synchronizing a SharePoint Online environment Managing SharePoint Online user accounts and employees Managing the assignments of SharePoint Online groups and roles Mapping of SharePoint Online objects in One Identity Manager
SharePoint Online tenants SharePoint Online user accounts SharePoint Online groups SharePoint Online permission levels SharePoint Online site collections SharePoint Online sites SharePoint Online roles
Handling of SharePoint Online objects in Web Portal Basic data for managing a SharePoint Online environment Appendix: Configuration parameters for managing SharePoint Online Appendix: Default project template for SharePoint Online Appendix: Editing system objects About us

Synchronizing a SharePoint Online environment

One Identity Manager supports synchronization with SharePoint Online. One Identity Manager is responsible for synchronizing data between the SharePoint Online database and the One Identity Manager Service.

This sections explains:

  • how to set up synchronization to import initial data from a SharePoint Online to the One Identity Manager database,
  • how to adjust a synchronization configuration,
  • how to start and deactivate the synchronization,
  • how to evaluate the synchronization results.

TIP: Before you set up synchronization with a SharePoint Online, familiarize yourself with the Synchronization Editor. For detailed information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Setting up the initial synchronization

The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for the SharePoint Online environment. You use these project templates to create synchronization projects with which you import the data from a SharePoint Online into your One Identity Manager database. In addition, the required processes are created that are used for the provisioning of changes to target system objects from the One Identity Manager database into the target system.

To load objects from a SharePoint Online environment into the One Identity Manager database for the first time

  1. Prepare a user account in the Azure Active Directory tenant with sufficient permissions for synchronization. The Azure Active Directory tenant must be known in the One Identity Manager system.

  2. The One Identity Manager components for managing SharePoint Online systems are available if the configuration parameter TargetSystem | SharePointOnline is set.

    • Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  3. Install and configure a synchronization server and declare the server as Job server in One Identity Manager.
  4. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and Permissions for Synchronizing with SharePoint Online

The following users are involved in synchronizing One Identity Manager with SharePoint Online.

Table 2: Users for synchronization
Users Permissions
User for accessing SharePoint Online

For full synchronization of SharePoint Online objects with the supplied One Identity Manager default configuration, you must provide a user account with the minimum required permissions. The following is required:

  • An administrative user account of the associated Azure Active Directory organization

    NOTE: This user account must be entered as the site collection administrator in all the site collections to be managed. You do this in SharePoint Online.

    For more detailed information about site collection administrators, see the Microsoft documentation.

  • Administrators for all site collections to be administrated

For more information, see How to prepare the synchronization user.

One Identity Manager Service user account

The user account for One Identity Manager Service requires rights to carry out operations at file level, for example, assigning user rights and creating and editing directories and files.

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user right

The user account requires access rights to the internal web service.

NOTE: If One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access rights for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager installation directory in order to automatically update One Identity Manager Service.

In the default installation the One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  • %ProgramFiles%\One Identity (on 64-bit operating systems)
User for accessing the One Identity Manager database

The Synchronization default system user is provided for executing synchronization with an application server.

How to prepare the synchronization user

To provide a user with all required permissions for access to SharePoint Online, you must enter the user account for synchronization as administrator in all site collections to be synchronized. To enable this, an administrative user account of the corresponding Azure Active Directory organization must be determined.

During initial setup of the system connection for SharePoint Online synchronization with the Synchronization Editor, the synchronization user must be at least one of the following administrators:

  • One of the administrators of the site collections to be administrated in SharePoint Online
  • An Azure Active Directory organization administrator

When you initially set up the system connection for SharePoint Online synchronization using the Synchronization Editor, the synchronization user must be one of the administrators of the site collection to be managed in SharePoint Online or an Azure Active Directory organization administrator.

For information about how to determine the name of the Azure Active Directory organization and how to create a synchronization user using the Microsoft online portal, see the Azure Active Directory documentation from Microsoft.

Related Documents