Chat now with support
Chat with Support

Identity Manager 9.3 - Administration Guide for Connecting to SharePoint Online

Mapping a SharePoint Online environment in One Identity Manager Synchronizing a SharePoint Online environment
Setting up initial synchronization with a SharePoint Online tenant SharePoint Online synchronization features Customizing the synchronization configuration Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing SharePoint Online user accounts and identities Managing assignments of SharePoint Online groups and roles Mapping SharePoint Online objects in One Identity Manager
SharePoint Online tenants SharePoint Online user accounts SharePoint Online groups SharePoint Online permission levels SharePoint Online site collections SharePoint Online sites SharePoint Online roles Setting up SharePoint Online site collections and sites Reports about SharePoint Online objects
Handling of SharePoint Online objects in the Web Portal Basic data for managing a SharePoint Online environment Troubleshooting a SharePoint Online connection Configuration parameters for managing SharePoint Online Default project template for SharePoint Online Editing system objects

Synchronizing a SharePoint Online environment

One Identity Manager supports synchronization with SharePoint Online. The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and SharePoint Online.

This sections explains how to:

  • Set up synchronization to import initial data from SharePoint Online tenant to the One Identity Manager database.

  • Adjust a synchronization configuration.

  • Start and deactivate the synchronization.

  • Analyze synchronization results.

TIP: Before you set up synchronization with a SharePoint Online tenant, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Setting up initial synchronization with a SharePoint Online tenant

The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for the SharePoint Online environment. You use these project templates to create synchronization projects with which you import the data from a SharePoint Online tenant into your One Identity Manager database. In addition, processes are created that are required to provision changes to target system objects from the One Identity Manager database into the target system.

To load SharePoint Online objects into the One Identity Manager database for the first time

  1. Prepare a user account in the Microsoft Entra ID tenant with sufficient permissions for synchronization. The Microsoft Entra ID tenant must be known in the One Identity Manager system.

  2. If you want to use authentication through a Microsoft Entra ID application to log in to SharePoint Online, integrate the One Identity Manager as application in the Microsoft Entra ID tenant that is linked to the Microsoft 365 tenant.

    • Load the certificate file with the private key (*.PFX) in the certificate store of the synchronization server and on the administrative workstation that is going to run the Synchronization Editor.

    NOTE: It is recommended to authenticate using a Microsoft Entra ID application for synchronization.

  3. The One Identity Manager components for managing SharePoint Online systems are available if the TargetSystem | SharePointOnline configuration parameter is set.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  4. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  5. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Users and permissions for synchronizing with SharePoint Online

The following users play a role in synchronizing One Identity Manager with SharePoint Online.

Table 2: Users for synchronization
User Permissions

One Identity Manager Service user account

The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user permissions.

The user account requires permissions for the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)

For authentication through a Microsoft Entra ID application, the user account requires the certificate with the private key in the computer's certificate store (*.PFX file). The certificate must be the same certificate used by the synchronization user.

A direct assignment of read permissions on the private key (*.PFX file) is also required for the user account.

User for accessing the One Identity Manager database

The Synchronization default system user is provided to run synchronization using an application server.

Integrating One Identity Manager as application in Microsoft Entra ID

To synchronize data between One Identity Manager and SharePoint Online, you must integrate One Identity Manager as an application in the Microsoft Entra ID tenant that is linked to the Microsoft 365 tenant. The SharePoint Online connector authenticates itself in Microsoft Entra ID tenants using the One Identity Manager application. For more information about integrating an enterprise application in Microsoft Entra ID, see the One Identity Manager Administration Guide for Connecting to Microsoft Entra ID.

NOTE: An application ID is created when you add One Identity Manager as an application to Microsoft Entra ID. You need the application ID for setting up the synchronization project.

For more information about registering an application, see https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate.

To configure One Identity Manager for SharePoint Online as an application in Microsoft Entra ID

  1. Create a self-signed X.509 certificate with the type Server authentication to use for authenticating the application against Microsoft Entra ID.

    For more information, see the SharePoint Online documentation from Microsoft.

  2. Register a new application as described in One Identity Manager Administration Guide for Connecting to Microsoft Entra ID.

    • Select the Accounts in this organizational directory only option.

  3. Copy the application ID.

  4. Load the certificate file (*.CER) and copy the certificate's thumbprint.

    You will need the thumbprint for creating the synchronization project.

  5. Add the following permissions to the application:

    • API permissions:

      • Microsoft APIs > SharePoint

    • Application entitlements:

      • Sites.FullControl.All

      • TermStore.ReadWrite.All

      • User.ReadWrite.All

  6. Under Manage > API permissions, in the Configured permissions section, grant administrator consent for these permissions. click Grant Admin consent and confirm the prompt with Yes.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating