Configuring provisioning for Microsoft 365

Use this task to provision users from Verify to a Microsoft 365 application.

Before you begin

  • You must have a Microsoft 365 account with administrator access.
  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console as an Administrator. For more information, see Accessing IBM Security Verify.
  • The following parameters are required to configure user provisioning in Verify:
    • Domain name
    • Client ID
    • Client Secret

About this task

Provisioning provides the following features.
Create new users
Users who are entitled to the Microsoft 365 application through Verify are also created in the Microsoft 365 application if the user account does not exist.
Delete users
When users lose access to the application in Verify, the corresponding user accounts in the Microsoft 365 application are deprovisioned as specified by the deprovisioning policy.
Modify user profile
Updates made to the user's profile through Verify are pushed to the Microsoft 365 application as specified by the Keep value updated setting for each attribute.
User suspend and restore
Suspending a user through Verify deactivates the user and restoring the user through Verify activates the user in the Microsoft 365 application.
User account synchronization and remediation
The Microsoft 365 application supports user account synchronization, remediation, and group synchronization features.
  • User account synchronization fetches all the target application user accounts in Verify and matches the fetched accounts with users in Verify. The adoption policy that is defined on the application specifies the matching attributes for adoption of the synchronized user accounts.
  • Remediation policy can be configured to remediate user accounts with attribute values that differ between Verify and the target application.
  • Verify supports the following three remediation policies:
    1. Do not remediate noncompliant accounts automatically.
    2. Update Verify account attribute values with the target application values.
    3. Update target application account attribute values with Verify values.
  • Group synchronization fetches all the target application groups in Verify.
Fine grained entitlement
Group and supporting data synchronization fetches all the Microsoft 365 endpoint groups, administrative roles, and Microsoft 365 licenses in Verify. This supporting data is represented as permissions in Verify and can be assigned to users and groups.

Microsoft 365 licenses contain service plans that can be added to the user. Each such license service plan is fetched and represented as an individual permission in Verify.

For example, the O365_BUSINESS_PREMIUM license contains service plans such as PROJECT_O365_P2, DYN365_CDS_O365_P2, and MYANALYTICS_P2. Each of these service plans is available for assignment as an individual permission and appears with the names O365_BUSINESS_PREMIUM.PROJECT_O365_P2, O365_BUSINESS_PREMIUM.DYN365_CDS_O365_P2, and O365_BUSINESS_PREMIUM.MYANALYTICS_P2.

Procedure

  1. Log in as an administrator to the Azure Portal by using the following URL:
    https://portal.azure.com
  2. Click Microsoft Entra ID and then click App registrations from the left panel.
  3. Click New registration to add your application.
  4. Specify the following settings in the Register an application page:
    • Name - Provide an appropriate name for your application.
    • Supported account types - Select Accounts in any organizational directory (Any Azure AD directory - Multitenant).
    • Redirect URI - Specify the URI value to redirect the user to after successful authentication.
  5. Click Register to save your application. The application properties page is displayed.
  6. Copy and store the value of Application (client) ID. This is the unique identifier for your application.
  7. From the left menu, navigate to API permissions and click Add a permission.
  8. In the Microsoft APIs tab, click Microsoft Graph.
  9. In the Request API permissions page, choose Application permissions.
  10. Expand the Directory, User and RoleManagement sections to select the Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, and User.ReadWrite.All check boxes.
  11. Click Add a permission to add the selected permissions to the application.
  12. Click Grant admin consent for <Microsoft 365 Organization Name>.
  13. From the left menu, navigate to Certificates & secrets.
  14. In the Client secrets section, click New client secret. Specify a description and choose the Expires duration for the client secret. Click Add to add a client secret.
  15. Copy the client secret value and use it for application configuration in Verify.
  16. Required: Specify the following parameters to configure user provisioning in Verify.
    • DomainName - The tenant identifier, which is either the tenant ID or the tenant domain name.
    • Client ID - The Application (client) ID that is assigned to your application.
    • Client Secret - The application secret that you generated for your application.
  17. Follow the steps to manage schema extensions on Microsoft 365 by using Verify:
    • Select the created application profile with the custom attributes. For more information, see Configuring custom schema support for Microsoft 365.
    • Under Attribute mapping for target attributes, map the Microsoft 365 Schema Extensions with the appropriate Verify attributes.
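The following Python script is an added example, not part of the IBM documentation: it checks that the Client ID, Client Secret and DomainName collected in steps 6, 15 and 16 produce an app-only Microsoft Graph token whose roles claim contains the three application permissions granted in steps 10 to 12. It assumes the standard Microsoft Entra ID v2.0 client-credentials endpoint and the Graph .default scope; the token used in the offline demonstration is constructed and unsigned.

```python
"""Check that the provisioning credentials carry the app roles Verify needs."""
import base64
import json
import urllib.parse
import urllib.request

# The application permissions selected in step 10 of the procedure.
REQUIRED_ROLES = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "User.ReadWrite.All",
}


def request_token(domain_name, client_id, client_secret):
    """Client-credentials grant against the tenant (needs network access).
    Returns the raw access token; not called by the offline checks below."""
    url = f"https://login.microsoftonline.com/{domain_name}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Decode the JWT payload. No signature check: this inspects a token we
    obtained ourselves, it does not validate a token presented by a caller."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def missing_roles(token):
    """Required app roles absent from the token's 'roles' claim. An empty set
    means admin consent (step 12) covered everything Verify needs."""
    return REQUIRED_ROLES - set(token_claims(token).get("roles", []))


def _fake_token(claims):
    """Constructed, unsigned token for offline demonstration only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    consented = _fake_token({"tid": "TENANT-ID-PLACEHOLDER", "roles": sorted(REQUIRED_ROLES)})
    partial = _fake_token({"tid": "TENANT-ID-PLACEHOLDER", "roles": ["User.ReadWrite.All"]})
    print("fully consented, missing:", missing_roles(consented))
    print("partially consented, missing:", missing_roles(partial))
```

With a real token from request_token, a non-empty result from missing_roles usually means the permission was added in step 11 but admin consent in step 12 was not granted, or the secret belongs to a different app registration.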