Versions Compared
Provisioning Policies allow you to automate the provisioning, moving, disabling, and de-provisioning of resources for users based on their roles, memberships and locations within your organization, or on certain qualifying criteria, such as belonging to a specific group, Management Role, Business Role and Location, or Query-Based Collection. Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource specified by the policy.
This topic demonstrates the following:
How to create a provisioning policy that provisions Office 365 user accounts
How to assign the provisioning policy to an EmpowerID actor type
Info |
---|
Prerequisites
|
This topic demonstrates how to create a RET policy that automates the provisioning and de-provisioning of Office 365 accounts and is divided into the following activities:
In this topic we assign the provisioning policy to the Self-Service User Limited Access Management Role. In this way, anyone who is a member of the Management Role will receive an Office 365 account.
Tip: Provisioning policies can be targeted against any number or combination of Management Roles, groups, Business Roles and Locations, Query-Based collections, as well as individual people.
How to create a provisioning policy for Office 365 User Accounts
- In the navigation sidebar, expand Admin, then Policies, and click Provisioning Policies (RETs); or, in the other compared version of this page, on the navbar, expand Identity Lifecycle and click Provisioning Policies (RETs).
- From the Provisioning Policies management page, click the Actions tab and then click the Create Provisioning Policy tile; or, in the other compared version, on the Provisioning Policies page, click the Add button at the top of the grid.
- Under Choose Type in the Policy Details form that appears, select Office 365 Account from the Object Type To Provision drop-down.
In the General section of the form, fill in the following fields:
- Type a name, display name and description in the Name, Display Name and Description fields, respectively.
- Select Exchange Mailbox from the Resource Type drop-down.
- Leave the first Depends on Resource Type drop-down empty.
- Select your Office 365 account store from the Resource System drop-down.
- Select your Office 365 account store from the Depends on Resource System drop-down.
- Specify the email suffix to be given to anyone receiving the resource entitlement by typing that value in the Email Suffix field. This suffix must be the suffix for the Office 365 domain you federated with EmpowerID.
In the other compared version, the fields are:
- Name — Enter a name for the policy.
- Description — Enter a description for the policy.
- Tenant — Enter the mailbox load balancing group.
- Office 365 Subscription — Select the subscription and then select the licenses from that subscription to be granted.
- Email suffix — Select the appropriate email suffix.
In the Throttling Settings section of the form, specify the provisioning and deprovisioning thresholds for the policy. These settings are as follows:
- All Provisions Require Approval (Approve All Provisions) — If this option is selected, the provisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
- All Deprovisions Require Approval (Approve All Deprovisions) — If this option is selected, the deprovisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
- Require Approval if Provision Batch Larger Than Threshold — This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the provisions. If the threshold is reached, EmpowerID will not provision any of the Office 365 user accounts until approval is granted.
- Require Approval if Deprovision Batch Larger Than Threshold — This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the deprovisions. If the threshold is reached, EmpowerID will not deprovision any of the Office 365 user accounts until approval is granted.
In our example, we have selected Approve All Provisions and Approve All Deprovisions, meaning that the provisioning and deprovisioning of all Office 365 accounts must be approved before those folders will be processed by RET Inbox.
In the Advanced section of the form, do the following:
- Select a desired option from the On Claim Action drop-down; the other compared version of this step selects Do Nothing. You have the following options:
  - Do Nothing — No action occurs. This tells EmpowerID to simply mark any previous resources assigned to the user that match this policy as RET-managed resources. For example, if the user already has an Office 365 user account and is placed in a Management Role targeted by the RET policy, EmpowerID marks that user's Office 365 account as RET managed.
  - Publish Workflow Event — Executes custom workflow code.
- Select Do Nothing from the On Transform Action drop-down. This tells EmpowerID to simply mark this resource with the new RET policy number.
- Select a desired option from the On Revoke Action drop-down; the other compared version of this step selects Deprovision, which tells EmpowerID to delete the Office 365 account. You have the following options:
  - Do Nothing — No action occurs.
  - Deprovision — The Office 365 user account is deleted if the person no longer meets the criteria to receive the resource from the RET.
  - Disable — The Office 365 user account is disabled if the person no longer meets the criteria to receive the resource from the RET.
  - Publish Workflow Event — Executes custom workflow code.
- Leave the Custom Workflow to Run On Claim, Custom Workflow to Run On Transform, and Custom Workflow to Run On Revoke fields empty. Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty.
- Back in the main form, click Save.
Click Save to create the policy.
After EmpowerID creates the policy, you should be directed to the completed Policy Details page for the policy.
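The throttling settings described above act as a gate over a single run of the Resource Entitlement Inbox. The following model is an added example, not EmpowerID code: the class, field and function names are hypothetical, the pending items are constructed, and it assumes a threshold counts as reached when the batch size is greater than or equal to the configured value.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ThrottleSettings:
    # Hypothetical names mirroring the four throttling fields on the form.
    all_provisions_require_approval: bool = False
    all_deprovisions_require_approval: bool = False
    provision_batch_threshold: Optional[int] = None
    deprovision_batch_threshold: Optional[int] = None

def evaluate_run(settings, pending):
    """Split one inbox run into processed and held items per action.

    pending is a list of (person, action) pairs, action being
    'provision' or 'deprovision'. A reached threshold holds the whole
    batch for that action: nothing in it is processed until approved.
    """
    rules = (
        ("provision", settings.all_provisions_require_approval,
         settings.provision_batch_threshold),
        ("deprovision", settings.all_deprovisions_require_approval,
         settings.deprovision_batch_threshold),
    )
    result = {}
    for action, always, threshold in rules:
        batch = [person for person, act in pending if act == action]
        # Assumption: "reached" means batch size >= threshold.
        reached = threshold is not None and len(batch) >= threshold
        hold = bool(batch) and (always or reached)
        result[action] = {"held": batch if hold else [],
                          "processed": [] if hold else batch}
    return result

def demo():
    # Constructed run: 3 new joiners, and 40 people who lost the
    # qualifying role at once (for example after a bad membership sync).
    settings = ThrottleSettings(provision_batch_threshold=10,
                                deprovision_batch_threshold=25)
    pending = [(f"new{i}", "provision") for i in range(3)]
    pending += [(f"user{i}", "deprovision") for i in range(40)]
    return evaluate_run(settings, pending)

if __name__ == "__main__":
    for action, outcome in demo().items():
        print(action, "held:", len(outcome["held"]),
              "processed:", len(outcome["processed"]))
```

In the constructed run, the three provisions proceed while all 40 deprovisions wait for an approver, which is the behaviour to rely on when On Revoke Action is set to Deprovision.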
Next, assign the policy you just created to one or more targets as demonstrated below.
How to assign the Office 365 RET provisioning policy to a target
Scroll to the Policy Assigned To section of the Policy Details form and click the Add (+) button underneath the specific target type to which you want to assign the RET.
In our example, we are assigning the policy to the Contractor in All Business Locations Business Role and Location, so we are clicking the Add (+) button in the Business Role and Locations pane of the section. In this way, each Person who has the Contractor Business Role in any location will receive an Office 365 account.
This opens the Add Entry pane, which is where you select the specific actor you want to assign the policy to. Because we are assigning the policy to a Business Role and Location, the Add Entry pane is contextualized for that actor type.
Click the Location tab and then search for and select the Location. In our example, we want the policy to be applied to all contractors regardless of their location, so we have selected All Business Locations.
In the other compared version, the steps are:
On the Policy Details page, click the Find Policies breadcrumb.
Search for the policy you just created and then click the Display Name link for it.
This directs you to the View page for the policy. This page allows you to manage the policy as needed.
On the View page, click the Assignees accordion to expand it. This accordion allows you to assign the policy to any of the following EmpowerID actor types:
Business Roles and Locations — All people in the selected Business Role and Location combinations receive the resource granted by the policy.
Management Roles — All people in the selected Management Roles receive the resource granted by the policy.
Management Role Definitions — All Management Roles that are children of the selected Management Role Definition receive the resource granted by the policy.
Query-Based Collections (SetGroup) — All people in the selected collection receive the resource granted by the policy.
Groups — All people in the selected groups receive the resource granted by the policy.
People — All people selected receive the resource granted by the policy.
From the Assignees accordion, click the Add button above the assignee type to which you are making the assignment.
In the Add Entry pane that appears, search for and select the appropriate assignee.
Enter a number to specify the priority for the RET policy in the Priority field.
This value is used to determine the priority of the RET if the user qualifies for the same RET via another assignment, such as being a member of a group that has the same policy. The lower the number, the higher the priority.
Click Save.
Back in the main form, click Save.
If you selected Approve All Provisions, you must manually approve each item in the Resource Entitlement Inbox for this policy before EmpowerID will provision the user accounts. This is demonstrated in the next section.
To approve the pending accounts
To approve a RET, click the Approval drop-down and select Approve from the menu.
This adds the approval to your shopping cart.
To verify the RET policy provisioned new licensed users in Office 365