Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Connecting to Exchange Online

About this guide Managing Exchange Online environments Synchronizing an Exchange Online environment
Setting up Exchange Online synchronization Customizing the synchronization configuration Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Basic data for managing an Exchange Online environment Exchange Online organization configuration Exchange Online mailboxes Exchange Online mail users Exchange Online mail contacts Exchange Online mail-enabled distribution groups
Creating Exchange Online mail-enabled distribution groups Editing main data for Exchange Online mail-enabled distribution groups Main data for Exchange Online mail-enabled distribution groups Receive restrictions for Exchange Online mail-enabled distribution groups Customizing send permissions for Exchange Online mail-enabled distribution groups Specifying moderators for Exchange Online mail-enabled distribution groups Specifying Exchange Online mail-enabled distribution groups Assigning Exchange Online mail-enabled distribution groups to Exchange Online recipients Exchange Online mail-enabled distribution group inheritance based on categories Adding Exchange Online dynamic distribution groups to Exchange Online mail-enabled distribution groups Adding an Exchange Online dynamic distribution group to Exchange Online mail-enabled distribution groups Adding Exchange Online mail-enabled public folder to Exchange Online mail-enabled distribution groups Assigning extended properties to Exchange Online mail-enabled distribution groups Deleting Exchange Online mail-enabled distribution groups
Exchange Online Office 365 groups Exchange Online dynamic distribution groups Exchange Online mail-enabled public folders Reports about Exchange Online objects Configuration parameters for managing an Exchange Online environment Default project template for Exchange Online Editing Exchange Online system objects Exchange Online connector settings

Configuration parameters for managing Exchange Online environments

Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for various configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.

Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. In the Designer, you can find an overview of all configuration parameters in the Base data > General > Configuration parameters category.

For more information, see Configuration parameters for managing an Exchange Online environment.

Synchronizing an Exchange Online environment

NOTE: Synchronization of the following cloud deployments with the Exchange Online connector is supported.

  • Microsoft 365 Global Service

  • Microsoft 365 GCC High

The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and Exchange Online.

This sections explains how to:

  • Set up synchronization to import initial data from Exchange Online Organization to the One Identity Manager database.

  • Adjust a synchronization configuration

  • Start and deactivate the synchronization.

  • Analyze synchronization results.

TIP: Before you set up synchronization with an Exchange Online organization, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Setting up Exchange Online synchronization

The Synchronization Editor provides a project template that can be used to set up Exchange Online synchronization. You use these project templates to create synchronization projects with which you import the data from an Exchange Online organization into your One Identity Manager database. In addition, processes are created that are required to provision changes to target system objects from the One Identity Manager database into the target system.

Prerequisites for synchronizing Exchange Online are:

  • The Azure Active Directory tenant is declared in One Identity Manager.

  • Synchronization of the Azure Active Directory system is carried out regularly.

For more information about synchronizing an Azure Active Directory tenant, see the One Identity Manager Administration Guide for Connecting to Azure Active Directory.

To load Exchange Online objects into the One Identity Manager database for the first time

  1. Prepare a user account in the Azure Active Directory tenant with sufficient permissions for synchronization.

  2. One Identity Manager parts for managing Exchange Online systems are available if the TargetSystem | AzureAD | ExchangeOnline configuration parameter is set.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  3. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  4. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and permissions for synchronizing with Exchange Online

The following users play a role in synchronizing One Identity Manager with Exchange Online.

Table 2: Users for synchronization
User Permissions

Exchange Online access with user account

or

App-only authentication

Synchronization with Exchange Online supports authentication through a user account with sufficient permissions or app-only authentication using a self-signed certificate.

  • To authenticate with a specific user account, provision a user account with at least the following permissions.

    • Member of the Recipient Management Exchange Online role group

    • Member of the Records Management Exchange Online role group

    • Member of the View-Only Organization Management Exchange Online role group

    • Member of the Security Group Creation and Membership Exchange Online role group

      NOTE: Create a new role group in Exchange Online. Assign the role and the user account to this role group.

    • Member of the Group administrator Azure Active Directory administrator role

    NOTE: The user account used to access Exchange Online must not use multifactor authentication to allow automated logins in a user context.

    Use the Exchange Admin Center to assign Exchange Online role groups to user accounts. Use the Azure Active Directory Admin Center to assign the Azure Active Directory administrator role to the user account. For example, you can reach the Admin Center over https://admin.microsoft.com/. For more information on managing permissions in Exchange Online and in Azure Active Directory, see the Microsoft documentation.

  • To use app-only authentication with a self-signed certificate, register and configure an application for Exchange Online PowerShell in the Azure Active Directory tenant.

    NOTE: Adding and editing O3EUnifiedGroups is not possible by app-only authentication. To use these permissions, authentication with a user account is required.

    For more information on how to set up app-only authentication, see Set up app-only authentication.

  • For the Exchange Online connector, assign at least the Global administrator and the Exchange administrator Azure Active Directory administrator roles.

One Identity Manager Service user account

The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user permissions.

The user account requires permissions for the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)

User for accessing the One Identity Manager database

The Synchronization default system user is provided to run synchronization using an application server.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating