Identity Manager 9.2 - Administration Guide for Connecting to SharePoint Online

Setting up SharePoint Online site collections and sites

Site collections and sites are loaded into the One Identity Manager database through synchronization in the default installation of One Identity Manager. You can also add new site collections and sites in One Identity Manager and publish them in the SharePoint Online target system. Predefined scripts and processes are provided for this purpose. You can use these as templates to make site collections and sites requestable through the IT Shop.

NOTE: Customize these scripts and processes as required.

Table 29: Example scripts and processes
Script/Process Description
Script O3S_CreateO3SSite

Creates a new site collection and the associated root site in the One Identity Manager database. Creates a user account that is entered as site collection administrator or root site author.

NOTE: Enter a valid SharePoint Online time zone value for the UID_DialogTimeZone parameter. If the time zone is invalid, UTC is used. You will find a list of permitted time zones in the script commentary.

Script O3S_CreateO3SWeb

Creates a new site within a site collection in the One Identity Manager database.

Process O3S_O3SWeb_(De-)Provision

Creates a new site within a site collection. The process is triggered by the PROVISION event if the site in the One Identity Manager database is not labeled as the root site.

Deletes a site. The process is triggered by the DEPROVISION event if the site in the One Identity Manager database is not labeled as the root site.

Process O3S_O3SSite_(De-)Provision

Creates a new site collection in a web application and the associated root site. The process is triggered by the PROVISION event.

Deletes a site collection in a web application and the associated root site. The process is triggered by the DEPROVISION event.

The following additional steps are required:

  • Define a requestable product through which the site collection/site is requested from the IT Shop.

  • Define product properties that are mapped to the script parameter (for example, URL or site template). You must include these product properties when the site collection/site is requested.

  • Create a process for the PersonWantsOrg table that is started when the request is approved (event OrderGranted). This process calls the matching script and sets the parameter values from the product properties you have defined. The site collection/site is then added to the One Identity Manager database.

  • To add a new site collection to an existing synchronization project, extend the scope of the target system connection in the synchronization project if necessary.

    If the Legacy authentication type was selected for the SharePoint Online connection, the scope can only include site collections in which the applicable synchronization user is entered as the site collection administrator in the SharePoint Online administration interface.

    If the scope is not correctly set up, site collections cannot be loaded and synchronization is stopped.
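The scope caveat above is easy to check before the first synchronization run. The following PowerShell snippet is an added example and is not part of the One Identity Manager guide or product; it uses the SharePoint Online Management Shell (Connect-SPOService, Get-SPOUser) to verify that the synchronization user is a site collection administrator on each site collection the scope is meant to cover. The admin center URL, user login, and site URLs are placeholders that you must adjust.

```powershell
# Added example, not from the One Identity Manager guide: pre-flight check that the
# synchronization user is a site collection administrator on every site collection
# in the synchronization project's scope (required with the Legacy authentication type).
# Requires the SharePoint Online Management Shell module and a tenant administrator login.

$AdminUrl       = "https://contoso-admin.sharepoint.com"      # placeholder admin center URL
$SyncUserLogin  = "sync-user@contoso.onmicrosoft.com"         # placeholder synchronization user
$ScopedSiteUrls = @(                                          # placeholder site collections in scope
    "https://contoso.sharepoint.com/sites/hr",
    "https://contoso.sharepoint.com/sites/finance"
)

Connect-SPOService -Url $AdminUrl

$results = foreach ($url in $ScopedSiteUrls) {
    try {
        # Get-SPOUser lists the site users; IsSiteAdmin marks site collection administrators.
        # LoginName format can differ per tenant; adjust the comparison if needed.
        $admins  = Get-SPOUser -Site $url -Limit All | Where-Object { $_.IsSiteAdmin }
        $isAdmin = [bool]($admins | Where-Object { $_.LoginName -eq $SyncUserLogin })
        [pscustomobject]@{ Site = $url; SyncUserIsAdmin = $isAdmin; Error = $null }
    }
    catch {
        # Access denied or a missing site would also stop synchronization, so record it.
        [pscustomobject]@{ Site = $url; SyncUserIsAdmin = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Any site collection listed here must either get the synchronization user added as
# administrator in the SharePoint Online admin center or be removed from the scope.
$missing = $results | Where-Object { -not $_.SyncUserIsAdmin }
if ($missing) {
    Write-Warning ("Synchronization user is not site collection administrator on: " +
                   ($missing.Site -join ", "))
}
```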

For more information about the IT Shop, see the One Identity Manager IT Shop Administration Guide. For more information about defining processes, see the One Identity Manager Configuration Guide.

Reports about SharePoint Online objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for SharePoint Online.

NOTE: Other sections may be available depending on which modules are installed.

Table 30: Data quality target system report

Report | Published for | Description
Show overview | User account | This report shows an overview of the user account and the assigned permissions.
Show overview including origin | User account | This report shows an overview of the user account and the origin of the assigned permissions.
Show overview including history | User account | This report shows an overview of the user account including its history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.
Overview of all assignments | Group, Role | This report finds all roles containing identities who have the selected system entitlement.
Show overview | Group, Role | This report shows an overview of the system entitlement and its assignments.
Show overview including origin | Group, Role | This report shows an overview of the system entitlement and the origin of the assigned user accounts.
Show overview including history | Group, Role | This report shows an overview of the system entitlement including its history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.
Show user accounts overview (incl. history) | Site collection, Site | This report returns all the user accounts with their permissions including a history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.
Show system entitlements overview (incl. history) | Site collection, Site | This report shows the system entitlements with the assigned user accounts including a history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.
Overview of all assignments | Site collection, Tenant | This report finds all roles containing identities with at least one user account in the selected target system.

Handling of SharePoint Online objects in the Web Portal

One Identity Manager enables its users to perform various tasks simply using a Web Portal.

  • Managing user accounts and identities

    An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval process. The user account is not created until it has been agreed by an authorized identity, such as a manager.

  • Managing entitlement assignments

    When an entitlement is assigned to an IT Shop shelf, the entitlement can be requested by the customer in the Web Portal. The request undergoes a defined approval process. The entitlement is not assigned until it has been approved by an authorized identity.

    In the Web Portal, managers and administrators of organizations can assign entitlements to the departments, cost centers, or locations for which they are responsible. The entitlements are inherited by all persons who are members of these departments, cost centers, or locations.

    If the Business Roles Module is available, managers and administrators of business roles in the Web Portal can assign entitlements to the business roles for which they are responsible. The entitlements are inherited by all persons who are members of these business roles.

    If the System Roles Module is available, supervisors of system roles in the Web Portal can assign entitlements to the system roles. The entitlements are inherited by all persons to whom these system roles are assigned.

  • Attestation

    To enable this, attestation policies are configured in the Manager. The attestors use the Web Portal to approve attestation cases.

  • Governance administration

    Compliance rules are defined in the Manager. The rules are checked regularly and whenever changes are made to objects in One Identity Manager. Supervisors use the Web Portal to check rule violations and to grant exception approvals.

    If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.

  • Risk assessment

    You can use the risk index of entitlements to evaluate the risk of entitlement assignments for the company. One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.

  • Reports and statistics

    The Web Portal provides a range of reports and statistics about the identities, user accounts, and their entitlements and risks.

For more information about the named topics, refer to the following guides:

  • One Identity Manager Web Designer Web Portal User Guide

  • One Identity Manager Attestation Administration Guide

  • One Identity Manager Compliance Rules Administration Guide

  • One Identity Manager Company Policies Administration Guide

  • One Identity Manager Risk Assessment Administration Guide

Basic data for managing a SharePoint Online environment

To manage SharePoint Online in One Identity Manager, the following basic data is relevant.

  • Authentication modes

    The authentication mode used for logging in to the SharePoint Online server with this user account. For SharePoint Online, AzureAD is the only authentication mode.

    For more information, see SharePoint Online authentication modes.

  • Target system types

    Target system types are required for configuring target system comparisons. Tables with outstanding objects are maintained with the target system types and settings are configured for provisioning memberships and single objects synchronization. Target system types also map objects in the Unified Namespace.

    For more information, see Post-processing outstanding objects.

  • Account definitions

    One Identity Manager has account definitions for automatically allocating user accounts to identities. You can create account definitions for every target system. If an identity does not yet have a user account in a target system, a new user account is created. This is done by assigning account definitions to an identity.

    For more information, see Account definitions for SharePoint Online user accounts.

  • Server

    In order to handle target system specific processes in One Identity Manager, the synchronization server and its server functionality must be declared.

    For more information, see Job server for SharePoint Online-specific process handling.

  • Target system managers

    A default application role exists for the target system manager in One Identity Manager. Assign identities to this application role who have permission to edit all tenants in One Identity Manager.

    Define additional application roles if you want to limit the permissions for target system managers to individual tenants. The application roles must be added under the default application role.

    For more information, see Target system managers.
