External365 Administration guide

Picture 3

 

 

 

Overview

This document serves as an overview and general instruction manual for the external365 application.

External365 is designed to operate from within the Microsoft Azure cloud and leverages Microsoft Azure specific technologies (e.g. queues, storage, app services, etc.). It cannot operate from another cloud vendor, nor can it operate from a stand-alone service platform. The external365 application is a multitenant host that can provision any number of discrete Office 365 tenants while maintaining secure separation of services between them.

The external365 application has been installed in the Azure tenant created specifically to host it. Access to that tenant is managed by administrative persons from Immersion Technology Services Inc.

 

Tenant Administrator Control Panel

Access the control panel

To access the tenant administrator control panel, go to the external365 application and click on the gearbox at the top right and select “Control Panel

Picture 1192868528

Working with control panel

The control panel is separated in two main sections:

Picture 7

Configuration and tools

In this section you will find all the tools to setup and configure the application as well as review system logs and metrics.

In this section you will find:

  • -Tenant configuration:
    Allows you to define and manage your tenant settings
    Learn more >

  • -System logs:

Allows you to review and download system logs
Learn more >

  • -Diagnostic Logs:

Allows you to review and track diagnostic logs
Learn more >

  • -System User Activity:

Allows you to review and track user activity and access system logs
Learn more >

  • -Bulk Export:

Allows you to download list of users
Learn more >

  • -Tenant Metrics:

Allows you to review provisioning metrics for tenants
Learn more >

 

 

Tenant administrator operations

Tenant administrative operations start in the site Control Panel. From the control panel you can review logs, make configuration changes, update notification systems etc.

Picture 7

Configuration management

Tenant Configuration

General Screen – Fill in standard contact information.

Picture 1

 

Field name

Instructions

Tenant Name

Tenant name provided when creating new tenant.

Contact Name

Enter contact person for tenant.

Phone Number

Enter phone number of contact person.

Email

Enter email of contact person.

Preferred Language

Specify the tenant primary language. Primary language will configure email notifications for preferred language.

Licenses

Displays number of licenses purchased.

Diagnostic Logging

This option is used “write” values to custom attributes present on the user account.

 

 

Settings Screen – Fill in options for user manager user interface. Support can be enabled for user photos. You can also set a theme and a specific logo.

Picture 5

Field name

Instructions

Photo Retrieval

Select where photo will be retrieved (client, server, none).

Result Sort Order

Enter sort order type.

Theme

Enter optional theme.

Logo

Enter logo url.

Extensions

Enable field extensions.

New User

Enable new user wizard UI.

 

Provisioning Defaults – Allows you to set provisioning defaults for users created by the system.

Picture 904913841

Field name

Instructions

User Domains

Enter principal domain suffixes for users created by the system. These domains will be displayed in the user creation and editing screens as the suffix for users. NOTE: domain names are retrieved from Azure and must be enabled in the O365 tenant as standard (not Federated) domains.

Provisioned Groups

Enter name of groups where new users will be added when being created.

Default Password

Enter RANDOM so that password is randomly generated when creating external user.

NOTE: The Must Change Password option forces the user to change their password the first they logon.

 

Mail Settings – Allows you to set up mail sender tenant settings for notification messages.

Picture 959514132

Field name

Instructions

Email from name

This field can be modified and will show “from” display name when users receive notifications from external 365

 

NOTE: This will be filled in by the Wizard when the federation metadata is imported.

 

Email from address

This default address can be modified to show a different from address

 

NOTE: This will be filled in by the Wizard when the federation metadata is imported.

Password or SendGrid key

Please DO NOT change this if you would like to keep the default email settings from SendGrid. If you change email provider (eg Exchange Online) enter the password associated to the account specified in the email from address

NOTE: This will be filled in by the Wizard when the federation metadata is imported.

Smtp relay server

Please do not change this is if you want to maintain the default email provider (SendGrid). You can change provider by changing the value of the relay of the email provider of your choice. Example for Exchange Online its smtp.office365.com.

 

NOTE: This will be filled in by the Wizard when the federation metadata is imported.

 

Groups – Search and select domain groups you would like available for group assignment when profile is created or edited.

Picture 140636655

 

Tenant – Tenant settings page controls the WSFederation settings for the tenant.

NOTE: This will be filled in by the Wizard when the federation metadata is imported. If you are authenticating against Azure, you should not change any of these settings. If you are authenticating against ADFS or another WS-Federation IDP, you may have to change the Identity Claim or Role claim to match what that technology produces. In general, it is better for the IDP (ADFS or other) to match the External365 defaults as seen above.

Picture 1839434306

Issuers – Controls additional WS-Federation authentication settings.

Picture 859107727

NOTE: These settings are extracted from the federation metadata and should not be changed unless directed to do so by Immersion Technology Services support.

Certificates – Controls additional WS-Federation authentication settings.

Picture 549962783

NOTE: These settings are extracted from the federation metadata and should not be changed unless directed to do so by Immersion Technology Services. There is an automated process that updates these certificates when they change.

Azure Auth – Controls settings for Azure authentication tenants.

Picture 1936044078

 

Field name

Instructions

Azure Tenant ID

Azure Tenant Id field is the “GUID” tenant ID of the users Azure directory

Application ID

This will be the “appId” value retrieved when the Azure Directory App registration was created.

AppKey/Certificate

The security key used for accessing the Azure Directory. In the example above, we used the External365 Default Certificate, so you use the text DefaultCertificate and set the Key is configured certificate name option. You can also use custom certificates or OAuth key pairs. If you want to use this option you should contact Immersion Technology Services support for guidance.

Azure(user/group)

Default Values. Do not change.

Security Groups Only

The Security Groups Only option matches the SecurityGroup setting made in the Manifest for the Azure Directory App registration. This value can also be set to Groups and clear the option here. NOTE: You would only do this if you wanted to include Azure distribution lists in role evaluations.

Test AU settings

The Test AU settings button will verify that all settings work correctly with Azure Directory.

 

Azure Ops Controls settings for Azure Operation when External365 is managing users.

Picture 1379740948

 

Field name

Instructions

Azure Tenant ID

Azure Tenant Id field is the “GUID” tenant ID of the users Azure directory

Application ID

This will be the “appId” value retrieved when the Azure Directory App registration was created.

Certificate Key

Name of certificate used for operation authentication. If you need to use a custom certificate, contact Immersion Technology Services support for guidance.

SharePoint Site Url:

Root path to the SharePoint Online site that will be included in user provisioning.

SharePoint Id Template

Text template used to decode user membership in the SharePoint user list.

Test OP settings

The Test OP settings button will verify that all settings work correctly with Azure Directory.

Initialize Azure Tenant

The Initialize Azure Tenant button will create schema extensions in the Azure directory that are used by External365 to manage users. You can click this button after you have setup scoped permissions.

 

Permissions – Defines what user can act as operators. Essentially, you need to create a WSFederation claim matching rule that will be checked when the user logs in. If their logon claim has an attribute with that Claim Name and a value that matches the Match Pattern, they will be included as a user operator. If the Enable scoped permissions option is selected, then the tenant will also be enabled for that feature.

Picture 1495158462

NOTE: The purpose of scoped permissions is to provide separation between the tenant operators of different groups of users. For example, given a large community of external users in a company’s Azure tenant, each user is specifically associated with a company division. Each of those divisions has one or more operators who is tasked with managing the users associated with their division. Additionally, there are several operators who are allowed to manage users associated with multiple divisions. This scenario is accommodated by enabling scoped permissions and assigning scopes to operators. This is done by creating groups with the names of the scope in Azure (or in AD if using ADFS). The operators for that scope are made members of the group. In the Tenant permissions configuration for external365, the tenant is “Enabled for Scoped Permissions” and the names for each scope are added to the scoped permissions list. In the example above, assuming three divisions. We would create three security groups in Azure (or in AD using ADFS) named “Technicians”, “Engineers” and “Managers”. Operator one would be a member of “Technicians”. Operator two would be a member of “Engineers” and operator three would be a member of all three groups. The effect would be that operator one would only be able to see, manage and add users to the scope “Technicians”, operator two would be similarly restricted to “Sales” and operator three could manage all three user scopes. For support with advanced configurations, please contact Immersion Technology Services support services.

System logs

Allows you to review and download system logs

Picture 1

Diagnostic logs

Allows you to review and track diagnostic logs

Picture 13

System user activity

Allows you to review and track user activity and access system logs

Picture 5

Bulk Export

Allows you to download list of users

Picture 9

Tenant Metrics

Allows you to review provisioning metrics for tenants

Picture 8

Notification management

In this section will allow you to manage notification contact and messages, manage custom pages and fields.

In this section you will find:

  • -Notification contacts:
    Allows you to manage notification contacts
    Learn more >

  • -Notification messages:

Allows you to manage notification messages
Learn more >

 

Contact management

Picture 17

Adding New contacts

If you need to create a new contact, click on the New button. The following dialog will appear:

Picture 18

Enter Recipient name, email address and other contact information. Click Ok button to save.

NOTE: To edit an existing contact you can double-click on contact name.

Message management

Picture 19

Notification message

Notification messages are configured with default text and variables.

To change the default text or variables of notification, double-click the notification you would like to edit.

Picture 20

You can change Subject field and notification message.

 

Password Reset

Anyone may request a password reset for an account by visiting the / password reset endpoint for a tenant.

For example, the password reset endpoint for a fictitious Contoso tenant would be https://contoso.external365.com/passwordreset.

Picture 768

The password reset endpoint can be disabled for a tenant, it is enabled by default.

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Article is closed for comments.