Automated connection to Microsoft Azure
Of course, UCS can only provision Microsoft user accounts in the background without administrator intervention once a secure connection to the Microsoft cloud, more precisely to Azure Active Directory (AAD), has been configured in UCS. To make this easier, we have built a wizard that guides you step by step through the entire process at the start of the connector installation.
Once the configuration is complete, the administrator can select users in the Univention Management Console (UMC) and create Office 365 accounts for them, which they can then access via single sign-on.
Only selected attributes of the UCS user accounts, e.g. first name, last name and telephone number, are synchronized from the UCS accounts to the Microsoft cloud. You decide which ones via the Univention Configuration Registry (UCR). There you also determine whether the values are anonymized, set statically to a fixed value or copied unchanged.
Requirements for the installation
To use the Office 365 Connector, you need a Microsoft Office 365 Administrator account, a corresponding account in the AAD, and a domain verified by Microsoft. Microsoft provides the first two free of charge for testing purposes. To configure the SSO, however, you need your own Internet domain in which you can create TXT records.
If you do not yet have an Office 365 subscription, go to https://www.office.com/ and select “Try for free” at the bottom. It is not possible to connect to UCS with a private Microsoft account. As soon as you have the subscription or the trial period, log into the Office 365 Admin Center with your Office 365 Administrator account and select “Azure AD” at the bottom of the left navigation bar. A new window will open and take you to the Azure Management Portal. You may need to complete additional registration forms here.
At the end you should have your own Active Directory in Azure. Select it and navigate to “Domains”. Here you can add your own domain and have it verified. To do this, you need to create a TXT record in the DNS of your domain; the verification takes a few minutes.
If everything works, the status of your domain will be displayed as “checked”. Now you can install the Microsoft Office 365 Connector in the App Center and start the wizard. You can choose between installing on a DC Master or on a DC Backup.
Use of the connector
Once the configuration is complete, you can use the connector immediately. As soon as you activate Office 365 for a UCS user account, a separate Microsoft account is automatically created for this user and provided with a license.
You can view all information on the consumption and assignment of all licenses in the Office 365 Admin Center.
Your users receive the fastest access directly via their own UCS portal page. There they simply click on the Office 365 icon and land directly on the UCS single sign-on page. This saves them from having to enter their user name twice. As already mentioned, the user password is not transferred to Microsoft.
One way sync
The connector only works from UCS to Office. This means that users are only synchronized from UCS to the Microsoft directory and not vice versa.
Note: Changes you made to users in the Azure AD or Office Portal may be overwritten by the connector due to changes made to the same attributes in UCS.
Unfortunately, due to new Microsoft security policies, the connector cannot delete users or groups in the Azure AD. Therefore, if you disable the Office option in UCS, those users will only be disabled and renamed in Azure. All their licenses will be revoked so that they become available to other users at no cost. Users and groups whose names begin with ZZZ_deleted_ can be easily deleted in the Office 365 Admin Center.
Important configuration information
Microsoft needs to know in which country the users of the Office 365 service work. The connector uses the “country” specified in the user’s contact information or, if that is not set, the server’s settings. Alternatively, a two-letter country code such as DE can be set with the UCR variable office365/attributes/usageLocation. For legal reasons we recommend setting this variable.
For those UCS user accounts that have Office 365 enabled, corresponding accounts are created in the Microsoft directory and selected account attributes are synchronized to it. Using various UCR variables, you can configure what is to be synchronized.
The UCR variable office365/attributes/sync is used to configure which LDAP attributes (e.g. first name, last name, etc.) of a user account are synchronized. This is a comma-separated list of LDAP attributes. Remove the attributes from the list that you do not want to synchronize or empty the list completely to not synchronize any data other than the user name.
Changes to UCR variables are only implemented after the listener has been restarted:
service univention-directory-listener restart
With the UCR variable office365/attributes/anonymize, you can specify comma-separated LDAP attributes that are created at Microsoft but filled with random values. The UCR variables office365/attributes/static/.* allow you to fill attributes on the Microsoft side with a fixed, predefined value.
With the UCR variable office365/attributes/never you can specify comma-separated LDAP attributes that should not be synchronized, even if they appear in office365/attributes/sync or office365/attributes/anonymize.
The UCR variables office365/attributes/mapping/.* define a mapping of the UCS LDAP attributes to Azure attributes. Normally, you do not need to change these variables.
You can enable the UCR variable office365/groups/sync to synchronize the groups of users enabled for Office 365.
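To make the interplay of the sync, anonymize, never, static and mapping variables concrete, here is an added Python model of how they combine into the attribute set sent to Azure AD; it is not the connector's own code. The sample UCR values, the user record and the Azure-side names surname and companyName are constructed, and the precedence of never over static values, of anonymize over sync, and the forming of the user principal name from uid and the verified domain are assumptions of this example.

```python
import secrets

# Constructed sample of the UCR variables the article lists (a real UCS system
# would read them with `ucr get`; a plain dict keeps the example offline).
SAMPLE_UCR = {
    "office365/attributes/sync": "givenName,sn,telephoneNumber,mobile,street",
    "office365/attributes/anonymize": "street",
    "office365/attributes/never": "mobile",
    "office365/attributes/static/o": "Example GmbH",
    "office365/attributes/mapping/sn": "surname",
    "office365/attributes/mapping/o": "companyName",
}
# Constructed UCS user as the listener would see it in LDAP.
SAMPLE_USER = {"uid": "jdoe", "givenName": "Jane", "sn": "Doe",
               "telephoneNumber": "+49 421 0", "mobile": "+49 170 0",
               "street": "Musterstr. 1"}

def _ucr_list(ucr, key):
    """Parse a comma-separated UCR list variable into a set of LDAP attributes."""
    return {a.strip() for a in ucr.get(key, "").split(",") if a.strip()}

def _ucr_prefix(ucr, kind):
    """Collect office365/attributes/<kind>/<ldap_attr> = value into a dict."""
    base = "office365/attributes/%s/" % kind
    return {k[len(base):]: v for k, v in ucr.items() if k.startswith(base)}

def build_azure_attributes(user, ucr, verified_domain):
    """Return the attributes that would be sent to Azure AD for one UCS user."""
    sync = _ucr_list(ucr, "office365/attributes/sync")
    anonymize = _ucr_list(ucr, "office365/attributes/anonymize")
    never = _ucr_list(ucr, "office365/attributes/never")
    static = _ucr_prefix(ucr, "static")
    mapping = _ucr_prefix(ucr, "mapping")
    # The user name is always sent, even with an empty sync list; forming the
    # UPN from uid and the verified domain is an assumption of this example.
    azure = {"userPrincipalName": "%s@%s" % (user["uid"], verified_domain)}
    for attr in sync | anonymize | set(static):
        if attr in never:      # never wins over sync and anonymize; applying
            continue           # it to static values too is an assumption
        name = mapping.get(attr, attr)   # unmapped: same name on Azure side
        if attr in static:               # fixed value, LDAP value ignored
            azure[name] = static[attr]
        elif attr in anonymize:          # attribute exists, value is random
            azure[name] = secrets.token_hex(8)
        elif attr in user:               # plain copy of the LDAP value
            azure[name] = user[attr]
    return azure
```

With the sample values, mobile never reaches Azure, street arrives as a random 16-character value, and an empty sync list with no static variables leaves only the user name.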
If you experience any difficulties, the log file can often help you. Enabling the UCR variable office365/debug/werror raises debug messages to the error level and records them in /var/log/univention/listener.log.