I would like some clarification concerning the Azure AD connector; we are on 1IM v7.1.

I haven't tested the Azure AD connector yet, but I understand that 1IM is able to retrieve Azure AD user accounts and the assigned O365 service plan / subscription OOTB. My question is: is version 7.1 also able to assign/provision O365 service plans and subscriptions to users? If not, which 1IM version is able to do this?

FYI: The AAD Administration Guide v7.1 states the following:

Information about subscriptions and service plans within a tenant is loaded into One Identity Manager during synchronization. Assigned subscriptions and active service plans are determined for the user accounts. You can assign subscriptions to the user accounts. In this way, user accounts obtain the service plans, which are connected to a subscription. You can disable individual service plans. You cannot edit any other subscription and service plan master data.

The green part makes me think that yes, 1IM is able to provision O365 SKU/COMPONENT. Could you confirm this information?



Alain K.

  • alain.kong-pouzol said:

    1IM is able to assign a SKU to an Azure user (e.g.: Office 365 Enterprise E3), so all the service plans associated with the SKU are also assigned (Skype / Yammer / Office ...) automatically, without assigning each service plan to the user in 1IM.

    Correct. The services contained i.e. in Office 365 Enterprise E3 change over time as Microsoft adds new services. I think this is the reason why they implemented the "disabled services" as a blacklist, so that new services are active automatically. Otherwise the admin would have to enable a newly added service for each user once those new services go live. 1IM implements this behavior as follows:

    When you assign a License/SKU to a User, a new record in AADUserHasSubSku is created. This table holds the license assignments for Azure. It also has a DenyList field that is empty by default during creation and also cannot be directly modified by the user. If you want to disable certain services, you create a new record in the AADUserHasDeniedService table. The DB will automatically search for a license assignment AADUserHasSubSku and add the service id to the DenyList attribute. All modifications to AADUserHasSubSku will trigger a provisioning process that adds/deletes/updates the license assignment in Azure/Office365.

    Hope that helps,
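The deny-list flow described in the answer above, as an added sketch that is not One Identity Manager code and not from the original posts. The row shapes, the `CATALOG` mapping and the function names are assumptions for illustration, the GUIDs are constructed placeholders, and the output is assumed to target the body of Microsoft Graph's `assignLicense` action (`addLicenses` with `skuId`/`disabledPlans`, plus `removeLicenses`).

```python
import json

# Constructed placeholder GUIDs, not real Microsoft SKU or service plan ids.
SKU_E3 = "00000000-0000-0000-0000-0000000000e3"
PLAN_YAMMER = "00000000-0000-0000-0000-00000000a001"
PLAN_SKYPE = "00000000-0000-0000-0000-00000000a002"
CATALOG = {SKU_E3: {PLAN_YAMMER, PLAN_SKYPE}}  # assumed: plans contained in each SKU


def fold_deny_lists(sku_rows, denied_rows, catalog):
    """Fold denied-service rows into the deny list of matching assignments.

    sku_rows:    [(user, sku_id)]   modelled on AADUserHasSubSku
    denied_rows: [(user, plan_id)]  modelled on AADUserHasDeniedService
    A denied row with no matching license assignment changes nothing.
    """
    desired = {key: set() for key in sku_rows}
    for user, plan in denied_rows:
        for (owner, sku), deny in desired.items():
            if owner == user and plan in catalog[sku]:
                deny.add(plan)
    return {key: sorted(plans) for key, plans in desired.items()}


def plan_changes(desired, current):
    """Diff (user, sku) -> deny list maps into one request body per user."""
    bodies = {}
    for (user, sku), deny in desired.items():
        if current.get((user, sku)) != deny:  # new assignment or changed deny list
            body = bodies.setdefault(user, {"addLicenses": [], "removeLicenses": []})
            body["addLicenses"].append({"skuId": sku, "disabledPlans": deny})
    for (user, sku) in current:
        if (user, sku) not in desired:  # assignment was deleted
            body = bodies.setdefault(user, {"addLicenses": [], "removeLicenses": []})
            body["removeLicenses"].append(sku)
    return bodies


def active_plans(sku_plans, deny):
    """Deny-list semantics: every plan in the SKU is on unless it is denied."""
    return sorted(set(sku_plans) - set(deny))


if __name__ == "__main__":
    desired = fold_deny_lists([("alice", SKU_E3)], [("alice", PLAN_YAMMER)], CATALOG)
    print(json.dumps(plan_changes(desired, {}), indent=2))
```

Because the list is a deny list, a plan that later appears in the SKU shows up in `active_plans` without any change to the assignment, which is worth reviewing when new services must not be enabled for users by default.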

