
Identity Manager 9.2 - Administration Guide for Connecting to Exchange Online


Advanced settings for the Exchange Online connector

You can specify whether you want to set advanced options in the Synchronization Editor project wizard on the Connect Exchange Online page. These settings allow you to change the following options for communicating with Exchange Online:

  • The number of concurrent connections per connection parameter set

  • The definition of Windows PowerShell commands

Number of concurrent connections per connection parameter set

IMPORTANT: You should only make changes to this option with the help of support desk staff. Changes to this setting will have wide ranging effects on synchronization and must be made carefully.

Use this option to set the number of concurrent connections for each connection parameter set or for each user account for synchronization. The setting specifies how many concurrent connections will be created for each user account. The default value is 2. Exchange Online currently allows 3 connections per user account on the server side.

When the Exchange Online connector creates the connection, it creates one Windows PowerShell session per connection parameter set regardless of the number of queries that follow. Further connections are created on demand, for example, when loading multiple objects during the synchronization.

The maximum number of sessions established to Exchange Online can be calculated with the following formula:

Maximum number of Windows PowerShell sessions = Number of parameter sets * Value of concurrent connections per connection parameter set

The minimum number of sessions established to Exchange Online is the same as the number of connection parameter sets.

Figure 2: Determining sessions

To change the number of concurrent connections

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

  3. Click Edit connection.

    This starts the system connection wizard.

  4. On the system connection wizard's start page, enable Show advanced options.

  5. On the Advanced settings page, in the concurrent connections per connection parameter set input field, enter a value between 1 and 3.

  6. Follow the system connection wizard's further instructions.

  7. Save the changes.

Customizing the connection definition

CAUTION: You should only make changes to the connector definition with the help of support desk staff. Changes to this setting will have wide ranging effects on synchronization and must be made carefully.

IMPORTANT: The connector definition should only be customized to temporarily work around problems if needed.

IMPORTANT: A customized connection definition is not overwritten when a new version of the connector or an update to the connector definition is released. No patches are applied.

If you customize the connector definition, you must manually apply your changes to any new versions of the connector or updated connector definitions, as required.

You can use this setting to adjust the definition used by the connector in order to convert inputs and outputs between the Exchange Online Cmdlets and the schema of the Synchronization Engine.

To customize the connector definition

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

  3. Click Edit connection.

    This starts the system connection wizard.

  4. Enable Show advanced options on the system connection wizard's start page.

  5. Customize the connector definition as required on the Advanced options page.

    1. Select Customize connector definition.

    2. Edit the definition according to the instructions given by the support desk staff. You can take the following actions:

      • Choose to load the definition from a file.

      • Use to test the definition for errors.

      • Choose to display the differences to the standard version.

  6. Follow the system connection wizard's further instructions.

  7. Save the changes.

Updating schemas

All the schema data (schema types and schema properties) of the target system schema and the One Identity Manager schema are available when you are editing a synchronization project. Only a part of this data is really needed for configuring synchronization. If a synchronization project is finished, the schema is compressed to remove unnecessary data from the synchronization project. This can speed up the loading of the synchronization project. Deleted schema data can be added to the synchronization configuration again at a later point.

If the target system schema or the One Identity Manager schema has changed, these changes must also be added to the synchronization configuration. Then the changes can be added to the schema property mapping.

To include schema data that have been deleted through compression and schema modifications in the synchronization project, update each schema in the synchronization project. This may be necessary if:

  • A schema was changed by:

    • Changes to a target system schema

    • Customizations to the One Identity Manager schema

    • A One Identity Manager update migration

  • A schema in the synchronization project was shrunk by:

    • Enabling the synchronization project

    • Saving the synchronization project for the first time

    • Compressing a schema

To update a system connection schema

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

    - OR -

    Select the Configuration > One Identity Manager connection category.

  3. Select the General view and click Update schema.

  4. Confirm the security prompt with Yes.

    This reloads the schema data.

To edit a mapping

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Mappings category.

  3. Select a mapping in the navigation view.

    This opens the Mapping Editor. For more information about mappings, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.

Speeding up Exchange Online synchronization with revision filtering

When you start synchronization, all synchronization objects are loaded. Some of these objects have not been modified since the last synchronization and, therefore, do not need to be processed. Synchronization is accelerated by only loading those object pairs that have changed since the last synchronization. One Identity Manager uses revision filtering to accelerate synchronization.

Exchange Online supports revision filtering for the schema types Mailbox, MailUser, MailContact, MailPublicFolder, DistributionGroup, DynamicDistributionGroup, and UnifiedGroup.

You can configure the change time stamp for revision filtering using the following connection parameters in the synchronization project.

  • Use local server time for the revision: If the value is true (default), the local server time of the server is used for revision filtering. This makes it unnecessary to load target system objects for determining the revision. If the value is false, the change time stamp of the underlying Azure Active Directory objects is used for revision filtering.

    Variable: CP_UseLocalServerTimeAsRevision

  • Max. time difference (local/remote) in minutes: Defines the maximum time difference in minutes between the synchronization server and the Exchange Online server. The default value is 60 minutes. If the time difference is more than 60 minutes, alter the value.

    Variable: CP_LocalServerRevisionMaxDifferenceInMinutes

The time resulting from the local server time and the maximum time difference is saved as the revision number in the One Identity Manager database (DPRRevisionStore table, Value column). If the local server time is used, the revision number is calculated from the time at which the object was changed.

This value is used as a comparison for revision filtering when the same workflow is synchronized the next time. The next time synchronization is run, only those objects that have been changed since this date are loaded. This avoids unnecessary updating of objects that have not changed since the last synchronization.

The revision is determined at the start of synchronization. Objects modified by synchronization are loaded and checked by the next synchronization. This means that the second synchronization after initial synchronization is not significantly faster.

Revision filtering can be applied to workflows and start up configuration.

To permit revision filtering on a workflow

  • In the Synchronization Editor, open the synchronization project.

  • Edit the workflow properties. Select the Use revision filter item from the Revision filtering menu.

To permit revision filtering for a start up configuration

  • In the Synchronization Editor, open the synchronization project.

  • Edit the start up configuration properties. Select the Use revision filter item from the Revision filtering menu.

For more information about revision filtering, adjusting connection parameters and editing variables, see the One Identity Manager Target System Synchronization Reference Guide.


Configuring the provisioning of memberships

Memberships, such as user accounts in groups, are saved in assignment tables in the One Identity Manager database. During provisioning of modified memberships, changes made in the target system may be overwritten. This behavior can occur under the following conditions:

  • Memberships are saved as an object property in list form in the target system.

    Example: List of mailboxes in the AcceptMessagesOnlyFrom property of an Exchange Online mailbox (Mailbox)

  • Memberships can be modified in either of the connected systems.

  • A provisioning workflow and provisioning processes are set up.

If one membership in One Identity Manager changes, by default, the complete list of members is transferred to the target system. Therefore, memberships that were previously added to the target system are removed in the process and previously deleted memberships are added again.

To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. The corresponding behavior is configured separately for each assignment table.

To allow separate provisioning of memberships

  1. In the Manager, select the Azure Active Directory > Basic configuration data > Target system types category.

  2. In the result list, select the Exchange Online target system type.

  3. Select the Configure tables for publishing task.

  4. Select the assignment tables that you want to set up for single provisioning. Multi-select is possible.

  5. Click Merge mode.

    NOTE:

    • This option can only be enabled for assignment tables that have a base table with an XDateSubItem column.

    • Assignment tables that are grouped together in a virtual schema property in the mapping must be marked identically.

  6. Save the changes.

For each assignment table labeled like this, the changes made in One Identity Manager are saved in a separate table. Therefore, only newly added and deleted assignments are processed. During modification provisioning, the members list in the target system is compared to the entries in this table. This means that only modified memberships are provisioned and not the entire members list.

NOTE: The complete members list is updated by synchronization. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.
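
The difference between default provisioning and merge mode described above, as an added example (a constructed model, not One Identity Manager or connector code). The function names, member aliases and the pending-change list are assumptions made for illustration; the list stands for a property such as AcceptMessagesOnlyFrom.

```python
# Added illustration: a constructed model, not One Identity Manager code.
# It models a list-valued membership property such as AcceptMessagesOnlyFrom.

def provision_full_list(idm_members):
    """Default behaviour: the complete One Identity Manager list replaces the target list."""
    return set(idm_members)


def provision_merge(target_members, pending_changes):
    """Merge mode: apply only the recorded additions and deletions to the target list."""
    result = set(target_members)
    for action, member in pending_changes:
        if action == "add":
            result.add(member)
        elif action == "delete":
            result.discard(member)  # already absent in the target: nothing to do
        else:
            raise ValueError(f"unknown action: {action!r}")
    return result


def overwritten_target_changes(target_before, target_after, pending_changes):
    """Return (removed, re_added): target-side differences not explained by a pending change."""
    adds = {m for a, m in pending_changes if a == "add"}
    deletes = {m for a, m in pending_changes if a == "delete"}
    removed = set(target_before) - set(target_after) - deletes
    re_added = set(target_after) - set(target_before) - adds
    return removed, re_added


# Constructed sample data (hypothetical mailbox aliases).
TARGET = {"alice", "bob", "dave"}        # carol removed, dave added directly in the target system
IDM = {"alice", "bob", "carol", "erin"}  # One Identity Manager still has carol; erin was just assigned
PENDING = [("add", "erin")]              # the only change made in One Identity Manager

if __name__ == "__main__":
    full = provision_full_list(IDM)
    merged = provision_merge(TARGET, PENDING)
    print("full list :", sorted(full), overwritten_target_changes(TARGET, full, PENDING))
    print("merge mode:", sorted(merged), overwritten_target_changes(TARGET, merged, PENDING))
```

With the full list, the member added in the target system is dropped and the removed one returns; with merge mode only the new assignment is applied.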

You can restrict single provisioning of memberships with a condition. Once merge mode has been disabled for a table, the condition is deleted. Tables that have had the condition deleted or edited are marked with the following icon: . You can restore the original condition at any time.

To restore the original condition

  1. Select the auxiliary table for which you want to restore the condition.

  2. Right-click on the selected row and select the Restore original values context menu item.

  3. Save the changes.

NOTE: To create the reference to the added or deleted assignments in the condition, use the i table alias.

Example of a condition on the O3EUnifiedGroupAcceptRcpt assignment table:

exists (select top 1 1 from O3EUnifiedGroup g
where g.UID_O3EUnifiedGroup = i.UID_O3EUnifiedGroup
and <limiting condition>)

For more information about provisioning memberships, see the One Identity Manager Target System Synchronization Reference Guide.
