Configure Office 365 Provisioning

REQUIRED ACCOUNT/PERMISSION LEVEL

Bitium: All account levels; must be an Admin to set up

Office 365: Business account; must be a global admin to set up

In Azure Active Directory:

  1. Go to your Azure Management portal (Office 365 admin center -> ADMIN -> Azure AD).

  2. Click “Active Directory” and select your Office 365 Active Directory.

    Select Active Directory

  3. Click “Applications” and then click “ADD” at the bottom of the window to add new application.

  4. Select “Add an application my organization is developing.”

    Add an application

  5. Enter the following values:

  6. Click the application and select “configure.”

  7. Enter the Reply URL: https://www.bitium.com/users/auth/azure/callback

    Enter Reply URL

  8. Copy the “Client ID.”

    Copy Client ID

  9. Generate a key by selecting a duration and copy the “key.” (Copy the key value after you save changes.)

    Save the Client ID and key to a notepad as you will need these again shortly.

  10. Scroll down to the “permissions to other applications” section. In the “Application Permissions” dropdown, check the following values:

    • Read and write directory data

      Select Application Permissions

  11. In the “Delegated Permissions” dropdown, check the following values:

    • Read and write directory data
    • Sign in and read user profile

    Select Delegated Permissions

  12. Click ‘save’ at the bottom of the window to save the changes.

In Bitium:

  1. Click “Manage Organization.”

  2. Click “Manage Apps.”

  3. Click “Add Apps.”

  4. Search “Office 365.”

  5. Add the app as an individual account and click “Install App.”

  6. Click “Go to Office 365.”

  7. Click the “Connector” tab.

  8. Click “approve access” to allow Bitium to connect with Office 365.

    Approve Access

  9. Enter the following values:

    • Client Key: Paste the client ID you copied in Step 8 in Azure into the Client Key field.
    • Client Secret: Paste the key you copied in Step 9 in Azure into the Client Secret field.
    • Office 365 Default Domain: the default <company>.onmicrosoft.com domain your company is using.
    • Office 365 Federated Domain: the domain you have just verified and are ready to configure for single sign-on.
  10. Click “Confirm.” You will be asked to sign in to Office 365. Sign in with a global admin account.

    Configure Office 365 Details

  11. You should receive an “authorization succeeded” message and the connector will show a green “connected” status button.

    Verify Connector Status

Configuring Immutable ID:

Before enabling Single Sign-on through SAML or WS Trust, Immutable ID must be set for all users. There are two possible cases where immutable ID needs to be assigned. It is recommended to follow these steps even if you are not planning to enable SSO for now.

Case 1: Mapping Existing Accounts

  1. To assign users to Office 365, click “Assign Users.” You will be shown a list of users who have Office 365 accounts. Bitium will map any existing Office 365 accounts to existing Bitium accounts (Bitium maps by email).

  2. Click the checkbox to map the users, and then click “Done” to finish assigning the app to the user.

  3. In order to associate existing Office 365 Users with accounts in Bitium, we will need to reset their existing “Immutable IDs”.

    Note: Make sure the email domain matches the domain set for your Bitium org. Bitium will only import users from the federated domain and NOT the default domain (i.e. users who have a UPN like user@company.onmicrosoft.com will not be imported).

  4. Save the following PowerShell script in a file named update_user_immutableid.ps1

    # Usage: .\update_user_immutableid.ps1 <user UPN> <temporary UPN in the default *.onmicrosoft.com domain>
    # Requires an open MSOnline session (Connect-MsolService) as a global admin.
    $user=$args[0]
    $temp=$args[1]
    if (!$temp -or !$user)
    {
      Write-Host "Please enter proper values for temporary UPN and user UPN"
      return
    }
    # The immutable ID Bitium expects is the base64 encoding of the user's UPN.
    $b  = [System.Text.Encoding]::UTF8.GetBytes($user)
    $encoded = [System.Convert]::ToBase64String($b)
    # Azure AD rejects ImmutableId changes for users whose UPN is in a federated domain,
    # so the user is temporarily renamed into the default (managed) domain, updated, then renamed back.
    Set-MsolUserPrincipalName -UserPrincipalName $user -NewUserPrincipalName $temp | Out-Null
    Set-MsolUser -UserPrincipalName $temp -ImmutableId $encoded
    Set-MsolUserPrincipalName -UserPrincipalName $temp -NewUserPrincipalName $user

  5. We will then run this script for each user in the domain that needs to be migrated. For example, to update “jon@company.com” we would run the following command:

    .\update_user_immutableid.ps1 "jon@company.com" "temp@company.onmicrosoft.com"

    Note: Please make sure the first argument is the UPN of the user that already has a federated UPN, and the second argument is a temporary UPN whose domain is your default (onmicrosoft.com) domain. No output indicates success.
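    As an added check that is not part of the original page: after running the script for each user, this PowerShell snippet (assumes an MSOnline session already opened with Connect-MsolService; the function name and the federated domain value are placeholders) lists users in the federated domain whose ImmutableId is unset or differs from the base64-encoded UPN that update_user_immutableid.ps1 writes, so SSO is not enabled with users still unmapped.

```powershell
# Added example, not part of the original Bitium documentation.
# Assumes an existing MSOnline session (Connect-MsolService) as a global admin.
function Get-ImmutableIdAuditReport {
    param([Parameter(Mandatory)][string]$FederatedDomain)

    $suffix = "@" + $FederatedDomain.ToLower()
    Get-MsolUser -All |
        Where-Object { $_.UserPrincipalName.ToLower().EndsWith($suffix) } |
        ForEach-Object {
            # Same convention as update_user_immutableid.ps1: ImmutableId = base64(UTF-8 UPN)
            $bytes    = [System.Text.Encoding]::UTF8.GetBytes($_.UserPrincipalName)
            $expected = [System.Convert]::ToBase64String($bytes)
            $status = if (-not $_.ImmutableId) { "Missing" }
                      elseif ($_.ImmutableId -ne $expected) { "Mismatch" }
                      else { "OK" }
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                ImmutableId       = $_.ImmutableId
                Status            = $status
            }
        }
}

# Show only users that still need attention before enabling SSO.
# "Mismatch" is relative to the base64(UPN) convention used on this page; accounts synced
# from on-premises AD carry a base64(objectGUID) ImmutableId instead and should not be reset.
Get-ImmutableIdAuditReport -FederatedDomain "company.com" |
    Where-Object { $_.Status -ne "OK" } |
    Format-Table -AutoSize
```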

Case 2: Creating New Accounts

  1. To assign users in Bitium who do not have Office 365 accounts, click “Assign Users.”
  2. Click the checkbox for the users whom you would like to create accounts for in Office 365. Bitium will create Office 365 accounts for these users and automatically assign them an immutable ID.
  3. Select ‘create a new user account’
  4. Enter a mailnickname value (don’t add spaces, special characters or numbers in this field)
    • Edit the email to avoid special characters and numbers, as Azure AD will not accept them in a valid UPN. This email field is mapped to the UPN.
    • Edit the email if the domain of the UPN displayed by default is different from your federated domain.
  5. Assign licenses to each user from your Office 365 admin control panel.

Case 2: Creating New Accounts w/ group provisioning

  1. Assign “Office 365” app to a group with users.
  2. All users nested in the group will be provisioned in Office 365. For any users in the group who do not have Office 365 accounts, Bitium will auto-provision new accounts. All newly created accounts will be assigned an ImmutableID.