Connecting to Office 365

EmpowerID Office 365 connector uses PowerShell to allow organizations to perform administrative tasks in the connected domain, bringing the user, group and mailbox data in their Office 365 system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data form EmpowerID in the following ways:

  • Account Management

    • Inventory user accounts

    • Create, Update and Delete user accounts (both licensed and unlicensed)

    • Enable and Disable user accounts

  • Group Management

    • Inventory groups

    • Inventory group memberships

    • Create and Delete groups

    • Add and Remove members to and from groups

  • Mailbox Management

    • Inventory mailboxes

    • Create and Delete mailboxes

    • Disable and Enable mailboxes

  • Attribute Flow
    Users in Office 365 are inventoried as accounts in EmpowerID. The below table shows the attribute mappings of Office 365 user attributes to EmpowerID Person attributes.

Office 365 Attribute

Corresponding EmpowerID Attribute


Office 365 Attribute

Corresponding EmpowerID Attribute




First Name of a user



Last Name of a user



Middle Initial of a user


Friendly Name

Display Name of a user



Email of a user



Email Alias of a user



Name of the department of a user



Name of the company of a user



Main home telephone number of a user



Primary mobile phone number of a user



Telephone number for facsimile terminal



Street Address of the user’s company



City of a user



Country where the user’s company is located



Code for postal service for a user



Preferred written or spoken language for a user



Telephone numbers that comply with the ITU Recommendation



Title of a user within their organization



Physical address for postal delivery



UPN that is an internet-style logon name for a user,


The account that EmpowerID uses to connect to Office 365 must have the ability to create a service principal that allows the application to access your Office 365 tenant’s information. By default, EmpowerID uses an Office 365 account with the Global Admin role to create the service principal. If you do not want to use a Global Admin account, you will need to provide a service principal account with either one of the below permissions (depending on whether the service principal account is to be used for tenant administration):

  • Directory Readers permissions — Read permission only; this type of account does not provide tenant administrative capabilities

  • User Account Administrator — This type of account provides user administrative capabilities within the tenant.

The service principal can be created in PowerShell. For more information, see Microsoft’s article at Please note that if you chose to provide your own service principal, the account must be maintained by your organization.


In order to connect EmpowerID to Office 365, the following prerequisites must be met:

  • Your organization must have an Office 365 Business or Enterprise account with Microsoft, and install the specified versions of the following modules on each EmpowerID server you want to use to manage the domain.

  • If your EmpowerID servers have Windows Azure AD Module for Windows PowerShell and MSOnline Sign-In Assistant installed, you must remove them before installing the required version.

  • You must install the following modules in the order indicated:

  1. Windows Management Framework 5.1 
    This version provides functionality that EmpowerID uses to communicate with Office 365, including the newest version of Windows PowerShell.
    Select the file with your server's version in the name, e.g. Win8.1AndW2K12R2-KB3191564-x64.msu for Windows Server 2012-R2.
    This includes Windows Azure Active Directory Module for Windows PowerShell, which provides you with the Office 365 cmdlets to administer Office 365.

  2. To verify the version, in Powershell, run $PSVersionTable.PSVersion 
    The version must be Major 5 Minor 1 or higher.

  3. In PowerShell, run this command:
    Install-Module -name MSOnline -MinimumVersion -MaximumVersion

  4. If you see these messages, enter Y for both.

    • PowerShellGet requires NuGet provider version '' or newer

    • You are installing the modules from an untrusted repository

  5. To confirm the version, in PowerShell, run these two commands: 
    Import-Module MSOnline
    Get-Module MSOnline  

    The version must be
    Version is not compatible

To create an Office 365 account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, click Create Account Store.

  3. Under System Types, search for Office 365.

  4. Click Office 365 (MSOL) to select the type and then click Submit.


    This opens the Office 365 Settings form, which is where you enter settings needed by EmpowerID to connect to the system.


  5. Enter the following information in the form:

    • Name — Enter a name for your account store.

    • Display Name — Enter a display name for your account store.

    • Fully Qualified Name — Enter the fully qualified name of your Office 365 account as it was originally issued from Microsoft, e.g.

    • User Name — Enter the email address for the Office 365 account EmpowerID is to use to connect to your Office 365. Please note that if EmpowerID needs to create the service principal for making Graph API calls, this account must be a global administrator.

    • Password — Enter the password for the Office 365 account EmpowerID is to use to connect to your Office 365. Please note that if EmpowerID needs to create the service principal for making Graph API calls, this account must be a global administrator.

  6. When finished, click Submit to create the account store.

  7. EmpowerID creates the account store and the associated resource system. The next step is to configure the attribute flow between the account store and EmpowerID.


Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

Configure account store settings

  1. On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.

    This opens the edit page for the account store. This page allows you to specify the account proxy used to connect EmpowerID to your Office 365 system as well as how you want EmpowerID to handle the user information it discovers in Office 365 during inventory. Settings that can be edited are described in the table below the image.

  2. Edit the account store as needed and then click Save to save your changes.

Next, enable the Account Inbox permanent workflow to allow the Account Inbox to provision or join the user accounts in Office 365 to EmpowerID Persons as demonstrated below.

EmpowerID recommends using the Account Inbox for provisioning and joining.