Identity Management: Connection to cloud services
Introduction

UCS offers an integrated Identity Management System. Through the Univention Management Console, users and groups, among other objects, can easily be administered. Depending on the installed services, these identities are made available through different interfaces, e.g. via LDAP. The management system can be extended with the help of provided extensions, also called Apps. Thus users or groups can also be replicated in cloud services. In the App Center there are, among others, extensions for Microsoft Office 365 or G Suite. Thanks to Single Sign-On (SSO), users can log in with their usual password and immediately get to work online in the cloud. The password remains in the company's network and is not transferred to the cloud service. The following chapter describes how to set up the Microsoft Office 365 Connector.
Microsoft Office 365 Connector

The Microsoft Office 365 Connector synchronizes users and groups to an Azure Active Directory domain, which is then used by Office 365. This makes it possible to control which of the users created in UCS can use Office 365. The selected users are provisioned accordingly by UCS into the Azure Active Directory domain. Which attributes are synchronized and which are anonymized is configured in UCS. The Single Sign-On login to Office 365 is handled by the SAML implementation integrated in UCS. Authentication takes place against the UCS server, and no password hashes are transmitted to the Microsoft Azure cloud. The user's authentication is done exclusively via the client's web browser. The browser must therefore be able to resolve the DNS names of the UCS domain; this is a particularly important point to note for mobile devices.
Setup

To use the Microsoft Office 365 Connector, a Microsoft Office 365 administrator account, a corresponding account in the Azure Active Directory, and a domain verified by Microsoft are needed. The first two are provided by Microsoft free of charge for test purposes. To configure SSO, however, a separate Internet domain in which TXT records can be created is required. If no Microsoft Office 365 subscription is available, a free trial for business can be obtained from Microsoft. A connection is not possible with a private Microsoft account.

Log in with an Office 365 administrator account. In the Office 365 Admin Center, select Azure AD at the bottom left of the navigation bar. This opens the Azure Management Portal in a new window. Under the menu item Domains, your own domain can now be added and verified. For this it is necessary to create a TXT record in the DNS of your own domain. This process can take several minutes, after which the status of the configured domain is displayed as verified.

Now the Microsoft Office 365 app can be installed from the App Center on the UCS system. The installation takes a few minutes. A setup wizard is available for the setup. Once the wizard is completed, the installation is finished and the connector is ready for use.
Figure: Office 365 Setup assistant
Configuration

After the installation has been completed with the setup wizard, users can be configured to use Office 365. This is done in the user module, on the Office 365 tab of each user object. The usage and allocation of licenses can be reviewed in the Office 365 Admin Center. If a user is changed, the changes are likewise replicated to the Azure Active Directory domain. There is no synchronization from the Azure Active Directory back to the UCS system. This means that changes made in the Azure Active Directory or the Office Portal may be overwritten by changes to the same attributes in UCS.

Due to Azure Active Directory security policies, users or groups in the Azure AD are not deleted during synchronization. They are merely disabled and renamed. Their licenses are revoked in the Azure Active Directory so that they become available to other users. Users and groups whose names start with ZZZ_deleted can be deleted in the Office 365 Admin Center.

It is necessary to configure a country for each user in Office 365. The connector uses the country from the user's contact data; if this is not set, it uses the server's setting. The Univention Configuration Registry variable office365/attributes/usageLocation can be used to specify the two-character country code, e.g. DE.

The Univention Configuration Registry variable office365/attributes/sync configures which LDAP attributes of a user account (e.g. first name, last name, etc.) are synchronized. It holds a comma-separated list of LDAP attributes, which makes adaptation to individual needs easy. With the Univention Configuration Registry variable office365/attributes/anonymize, you can specify comma-separated LDAP attributes that are created in the Azure Active Directory but filled with random values. The Univention Configuration Registry variables office365/attributes/static/.* allow attributes on the Microsoft side to be filled with a predefined value.
The Univention Configuration Registry variable office365/attributes/never can be used to specify comma-separated LDAP attributes that are never synchronized, even if they appear in office365/attributes/sync or office365/attributes/anonymize. The Univention Configuration Registry variables office365/attributes/mapping/.* define the mapping of UCS LDAP attributes to Azure attributes. Normally these variables do not need to be changed. The synchronization of the groups of Office 365 users can be enabled with the Univention Configuration Registry variable office365/groups/sync. Changes to UCR variables take effect only after the Univention Directory Listener has been restarted.
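As an added example (not code from the connector or from the UCS manual), the following Python models the precedence between office365/attributes/sync, anonymize, never and static/.* described above, and renders the ucr set call plus listener restart an administrator would run afterwards. The sample registry values, the listener service name and the rule that an attribute listed in both sync and anonymize is anonymized are assumptions.

```python
import shlex

# Constructed sample of the UCR variables this chapter describes (not from a real system)
SAMPLE_UCR = {
    "office365/attributes/usageLocation": "DE",
    "office365/attributes/sync": "givenName,sn,displayName,mail,telephoneNumber",
    "office365/attributes/anonymize": "telephoneNumber,street",
    "office365/attributes/never": "street",
    "office365/attributes/static/jobTitle": "Staff",
    "office365/groups/sync": "yes",
}

def _csv(value):
    """Split a comma-separated UCR value into a set of LDAP attribute names."""
    return {a.strip() for a in (value or "").split(",") if a.strip()}

def attribute_policy(ucr):
    """Map each attribute named in sync/anonymize to "never" (not sent; overrides
    the other lists), "anonymize" (created in Azure AD with a random value) or
    "sync". Assumption: an attribute in both sync and anonymize is anonymized."""
    never = _csv(ucr.get("office365/attributes/never"))
    anonymize = _csv(ucr.get("office365/attributes/anonymize"))
    sync = _csv(ucr.get("office365/attributes/sync"))
    policy = {}
    for attr in sorted(sync | anonymize):
        if attr in never:
            policy[attr] = "never"
        elif attr in anonymize:
            policy[attr] = "anonymize"
        else:
            policy[attr] = "sync"
    return policy

def static_values(ucr):
    """Attributes filled with a predefined value (office365/attributes/static/<attr>)."""
    prefix = "office365/attributes/static/"
    return {k[len(prefix):]: v for k, v in ucr.items() if k.startswith(prefix)}

def usage_location(user_country, ucr):
    """Office 365 requires a country: the user's contact-data country wins,
    otherwise the server-wide office365/attributes/usageLocation value is used."""
    return user_country or ucr.get("office365/attributes/usageLocation")

def ucr_set_command(settings):
    """Render the `ucr set` call for these settings, followed by the listener
    restart the chapter requires (service name is an assumption)."""
    pairs = " ".join(shlex.quote(f"{k}={v}") for k, v in sorted(settings.items()))
    return f"ucr set {pairs} && service univention-directory-listener restart"
```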
Troubleshooting/Debugging

Messages during the setup are logged in the file /var/log/univention/management-console-module-office365.log. In case of synchronization problems, the log file of the Univention Directory Listener, /var/log/univention/listener.log, should be examined. Additional debug output can be activated with the Univention Configuration Registry variable office365/debug/werror.