External365 Administration guide

Overview

This document serves as an overview and general instruction manual for the external365 application.

External365 simplifies the management of external user accounts in Microsoft 365, making it easy to share content with users who have been granted access to a company’s SharePoint Online site but are not licensed within that organization. See Managing external users in Microsoft Office 365 for background on what External365 is.

External365 is designed to operate from within the Microsoft Azure cloud and leverages Microsoft Azure specific technologies (e.g. queues, storage, app services, etc.). It cannot operate from another cloud vendor, nor can it operate from a stand-alone service platform. The external365 application is a multitenant host that can provision any number of discrete Office 365 tenants while maintaining secure separation of services between them.

The external365 application has been installed in an Azure tenant created specifically to host it. Access to that tenant is managed by administrative staff from Immersion Technology Services Inc.

Tenant Administrator Control Panel

Access the control panel

To access the tenant administrator control panel, open the external365 application, click the gear icon at the top right and select “Control Panel”.

Working with control panel

The control panel is separated into two main sections:

Configuration and tools

In this section you will find all the tools to setup and configure the application as well as review system logs and metrics.

In this section you will find:

  • Tenant configuration: allows you to define and manage your tenant settings
  • System logs: allows you to review and download system logs
  • Diagnostic Logs: allows you to review and track diagnostic logs
  • System User Activity: allows you to review and track user activity and access system logs
  • Bulk Export: allows you to download a list of users
  • Tenant Metrics: allows you to review provisioning metrics for tenants

Tenant administrator operations

Tenant administrative operations start in the site Control Panel. From the control panel you can review logs, make configuration changes, update notification settings, and so on.

Configuration management

Tenant Configuration

General Screen – Fill in standard contact information.

Field name | Instructions
Tenant Name | Tenant name provided when the tenant was created.
Contact Name | Enter the contact person for the tenant.
Phone Number | Enter the phone number of the contact person.
Email | Enter the email address of the contact person.
Preferred Language | Specify the tenant’s primary language. The primary language configures email notifications for the preferred language.
Licenses | Displays the number of licenses purchased.
Diagnostic Logging | This option is used to write values to custom attributes present on the user account.

Settings Screen – Fill in options for the user manager user interface. Support can be enabled for user photos. You can also set a theme and a specific logo.

Field name | Instructions
Photo Retrieval | Select where photos will be retrieved from (client, server, none).
Result Sort Order | Enter the sort order type.
Theme | Enter an optional theme.
Logo | Enter the logo URL.
Extensions | Enable field extensions.
New User | Enable the new user wizard UI.

Provisioning Defaults – Allows you to set provisioning defaults for users created by the system.

Field name | Instructions
User Domains | Enter the principal domain suffixes for users created by the system. These domains are displayed in the user creation and editing screens as the suffix for users. NOTE: domain names are retrieved from Azure and must be enabled in the O365 tenant as standard (not Federated) domains.
Provisioned Groups | Enter the names of the groups that new users will be added to when they are created.
Default Password | Enter RANDOM so that the password is randomly generated when creating an external user. NOTE: The Must Change Password option forces the user to change their password the first time they log on.

Mail Settings – Allows you to set up mail sender tenant settings for notification messages.

Field name | Instructions
Email from name | This field can be modified and is shown as the “from” display name when users receive notifications from External365. NOTE: This will be filled in by the Wizard when the federation metadata is imported.
Email from address | This default address can be modified to show a different from address. NOTE: This will be filled in by the Wizard when the federation metadata is imported.
Password or SendGrid key | Do NOT change this if you would like to keep the default email settings from SendGrid. If you change email provider (e.g. Exchange Online), enter the password associated with the account specified in the email from address. NOTE: This will be filled in by the Wizard when the federation metadata is imported.
Smtp relay server | Do not change this if you want to keep the default email provider (SendGrid). You can change provider by entering the relay server of the email provider of your choice; for Exchange Online it is smtp.office365.com. NOTE: This will be filled in by the Wizard when the federation metadata is imported.

Please Note: If the account used to send email notifications has MFA enabled, create a Microsoft App Password and use that as the Password in the Mail Settings.

Groups – Search for and select the domain groups you would like to be available for group assignment when a profile is created or edited.

Tenant – The Tenant settings page controls the WS-Federation settings for the tenant.

NOTE: This will be filled in by the Wizard when the federation metadata is imported. If you are authenticating against Azure, you should not change any of these settings. If you are authenticating against ADFS or another WS-Federation IDP, you may have to change the Identity Claim or Role claim to match what that technology produces. In general, it is better for the IDP (ADFS or other) to match the External365 defaults.

Issuers – Controls additional WS-Federation authentication settings.

NOTE: These settings are extracted from the federation metadata and should not be changed unless directed to do so by Immersion Technology Services support.

Certificates – Controls additional WS-Federation authentication settings.

NOTE: These settings are extracted from the federation metadata and should not be changed unless directed to do so by Immersion Technology Services. There is an automated process that updates these certificates when they change.

Azure Auth – Controls settings for Azure authentication tenants.

Field name | Instructions
Azure Tenant ID | The “GUID” tenant ID of the users’ Azure directory.
Application ID | The “appId” value retrieved when the Azure Directory App registration was created.
AppKey/Certificate | The security key used for accessing the Azure Directory. In the example above, we used the External365 Default Certificate, so you enter the text DefaultCertificate and set the “Key is configured certificate name” option. You can also use custom certificates or OAuth key pairs; if you want to use this option, contact Immersion Technology Services support for guidance.
Azure (user/group) | Default values. Do not change.
Security Groups Only | The Security Groups Only option matches the SecurityGroup setting made in the Manifest for the Azure Directory App registration. That manifest value can also be set to Groups, with this option cleared. NOTE: You would only do this if you wanted to include Azure distribution lists in role evaluations.
Test AU settings | The Test AU settings button verifies that all settings work correctly with Azure Directory.

Azure Ops – Controls settings for Azure operations when External365 is managing users.

Field name | Instructions
Azure Tenant ID | The “GUID” tenant ID of the users’ Azure directory.
Application ID | The “appId” value retrieved when the Azure Directory App registration was created.
Certificate Key | Name of the certificate used for operation authentication. If you need to use a custom certificate, contact Immersion Technology Services support for guidance.
SharePoint Site Url | Root path to the SharePoint Online site that will be included in user provisioning.
SharePoint Id Template | Text template used to decode user membership in the SharePoint user list.
Test OP settings | The Test OP settings button verifies that all settings work correctly with Azure Directory.
Initialize Azure Tenant | The Initialize Azure Tenant button creates the schema extensions in the Azure directory that External365 uses to manage users. Click this button after you have set up scoped permissions.

Permissions – Defines which users can act as operators. Essentially, you create a WS-Federation claim matching rule that is checked when the user logs in. If their logon claim has an attribute with that Claim Name and a value that matches the Match Pattern, they are included as a user operator. If the Enable scoped permissions option is selected, the tenant is also enabled for that feature.

NOTE: The purpose of scoped permissions is to provide separation between the tenant operators of different groups of users. For example, given a large community of external users in a company’s Azure tenant, each user is specifically associated with a company division. Each of those divisions has one or more operators who are tasked with managing the users associated with their division. Additionally, there are several operators who are allowed to manage users associated with multiple divisions. This scenario is accommodated by enabling scoped permissions and assigning scopes to operators. This is done by creating groups with the names of the scopes in Azure (or in AD if using ADFS). The operators for a scope are made members of its group. In the Tenant permissions configuration for external365, the tenant is “Enabled for Scoped Permissions” and the names of each scope are added to the scoped permissions list. In the example above, assuming three divisions, we would create three security groups in Azure (or in AD when using ADFS) named “Technicians”, “Engineers” and “Managers”. Operator one would be a member of “Technicians”, operator two would be a member of “Engineers”, and operator three would be a member of all three groups. The effect is that operator one can only see, manage and add users in the scope “Technicians”, operator two is similarly restricted to “Engineers”, and operator three can manage all three user scopes. For support with advanced configurations, please contact Immersion Technology Services support services.
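The operator rule and scoped permissions described above, modelled as an added example (not External365’s own code): a logon is a list of claims, the Claim Name / Match Pattern rule decides whether the user is an operator at all, and group membership intersected with the configured scope list decides which scopes they may manage. The claim type that carries group names, and treating Match Pattern as a regular expression, are assumptions; the three-division configuration is constructed to mirror the example.

```python
import re
from dataclasses import dataclass

# Constructed claim types. The role URI is the standard WS-Federation role claim;
# which claim carries Azure/AD group names is an assumption (the guide does not say).
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


@dataclass(frozen=True)
class PermissionConfig:
    claim_name: str           # "Claim Name" of the operator matching rule
    match_pattern: str        # "Match Pattern"; treated as a regex here (assumption)
    scoped_permissions: bool  # "Enable scoped permissions" option
    scopes: frozenset         # scoped permissions list; names equal the group names


def evaluate_operator(claims, cfg):
    """Return (is_operator, scopes) for one logon.

    claims is a list of (claim_type, value) pairs; a type may repeat, one entry
    per group. scopes is None for an unscoped operator (scoping disabled),
    otherwise the frozenset of scope names the operator may see and manage.
    """
    matched = any(
        re.fullmatch(cfg.match_pattern, value) is not None
        for claim_type, value in claims
        if claim_type == cfg.claim_name
    )
    if not matched:
        return False, frozenset()      # rule did not match: not an operator
    if not cfg.scoped_permissions:
        return True, None              # unscoped operator: manages every user
    groups = {value for claim_type, value in claims if claim_type == GROUP_CLAIM}
    # A group only grants a scope if its name is in the configured scope list;
    # an operator in none of the scope groups is an operator who can see nobody.
    return True, frozenset(groups & cfg.scopes)


# Constructed tenant configuration mirroring the guide's three-division example.
SCOPED_CONFIG = PermissionConfig(
    claim_name=ROLE_CLAIM,
    match_pattern="External365Operator",
    scoped_permissions=True,
    scopes=frozenset({"Technicians", "Engineers", "Managers"}),
)
```

A practical check this makes visible: a group that an operator belongs to but that is not listed as a scope grants nothing, so adding a new division means both creating its group and adding its name to the scoped permissions list.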

System logs

Allows you to review and download system logs.

Diagnostic logs

Allows you to review and track diagnostic logs.

System user activity

Allows you to review and track user activity and access system logs.

Bulk Export

Allows you to download a list of users.

Tenant Metrics

Allows you to review provisioning metrics for tenants.

Notification management

This section allows you to manage notification contacts and messages, and to manage custom pages and fields.

In this section you will find:

  • Notification contacts: allows you to manage notification contacts
  • Notification messages: allows you to manage notification messages

Contact management

Adding New contacts

To create a new contact, click the New button. The following dialog will appear:

Enter the recipient name, email address and other contact information. Click the Ok button to save.

NOTE: To edit an existing contact you can double-click on contact name.

Message management

Notification message

Notification messages are configured with default text and variables.

To change the default text or variables of a notification, double-click the notification you would like to edit.

You can change the Subject field and the notification message.

Password Reset

Anyone may request a password reset for an account by visiting the /passwordreset endpoint for a tenant.

For example, the password reset endpoint for a fictitious Contoso tenant would be https://contoso.external365.com/passwordreset.

The password reset endpoint is enabled by default and can be disabled for a tenant.