Office365 provisioning question - aligning UPN prefix and suffix
05-10-2017 08:30 PM
I am using Centrify Cloud Identity Service for a number of apps and now trying to get authentication and provisioning working via Centrify. I have been reading KB-6028 and the post below:
I understand that Centrify does O365 account provisioning using the AD UPN attribute. However, because of legacy reasons our UPN value is different from our primary smtp email address or mail attribute value. To make things worse, before we started implementing Centrify, our users had been using O365 Sharepoint Online. We use the DirSync method to sync AD users to O365 and they have been using their email address to login. I've read about adding the alternative UPN suffix in AD which can be done, but the prefix part of the UPN is different from the email prefix also, i.e. userPrincipalNameemail@example.com vs firstname.lastname@example.org
Would it be possible for our users to keep using their email address to login instead of the UPN attribute once we have cutover O365 auth and provisioning to Centrify?
It's a bit difficult to test the federated auth during business hours as our O365 is now considered in production, so any feedback would be much appreciated!
05-11-2017 12:10 PM
Hello @bazza and welcome to the Centrify Community!
This is pretty common. You can use the Provisioning script to re-write this. In the provisioning script (at the bottom of the Provisioning section of the Office 365 app), you can expand and see an example of how to do this.
If you need to test, be sure to first try using Preview mode for provisioning once Federated so that changes are not started until you are ready. This will impact user login as soon as enabled, whether in preview mode or live mode for a Federated domain.
What you will need is something like this, in the provisioning script section;
destination.UserPrincipalName = source.Email;
This is likely all you will need, as far as mapping goes. Once you add this, and have made sure all Users are in the correct role for license assignment, etc (refer back to the KB you referenced), then use the "Test" button just above the Provisioning script, to see the attribute values which will be sync'd for the User.
Because the Users were previously sync'd over using DirSync/Azure Sync, you will want to use the option to "Sync (overwrite) users to target application when existing users are found with the same principal name" so that the user can continue logging in to their existing mailboxes, etc after the sync occurs in Live mode.
Again, use the Test button to confirm the expected attributes will be used before going to Live mode on a production tenant. Even in preview mode, once the domain suffix is Federated, Users will begin to be re-routed to Centrify to authenticate before their mailbox will load in OWA, and must have matching User names, or a script to re-write them, so I would test to confirm the attributes look correct before Federating the domain.
I hope this helps!
05-11-2017 05:07 PM
Thanks again for the response, I have modified the provisioning test and done the test, the upn is exactly the same as the email address in the test output attribute list. I've noticed that the proxyaddress attribute is null in the output even though I checked the Hybrid Exchange option, is this supposed to come up in the test output?
I will proceed testing this weekend with federating, but even with changing this script, the upn in our AD remains not aligned with the upn provisioned by Centrify in Office365, how does Centrify know that the O365 account with upn j.doe[at]somewhere.new.com is the same as the AD account with upn johnd[at]somewhere.old.com to do the authentication? Sorry if I have missed something in your explanation.
05-15-2017 08:24 AM
Thank you for the update. I think I see what is needed here. Use the following to convert the user's Active Directory 'mail' attribute into the target UserPrincipalName.
var userMail = getSourcePropertyByName("mail");        // read the AD 'mail' attribute from the source user record
var userMailConvert = String(userMail).toLowerCase();  // normalise to lower case so it matches the cloud account's UPN
destination.UserPrincipalName = userMailConvert;       // write the result as the Office 365 UserPrincipalName
I hope this helps achieve your end goal! Let me know if you run into any other issues.
Have a great day!!
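The two answers above amount to one procedure: map the AD mail attribute onto the target UserPrincipalName, then use the Test button to confirm the resulting principal names before federating, so that "Sync (overwrite)" lands on the accounts DirSync already created. The block below is an added example, not code from the Centrify Office 365 app or from either poster. It models that mapping as plain functions so the behaviour can be checked offline: in the real script the value comes from getSourcePropertyByName("mail") and is assigned to destination.UserPrincipalName; here both are replaced by constructed sample objects. VERIFIED_SUFFIXES, EXISTING_CLOUD_UPNS and SAMPLE_USERS are assumptions made up for the example, and the checks for an empty or malformed mail value and for an unverified suffix go beyond the two-line script in the thread.

```javascript
// Added example, not code from the Centrify Office 365 app or the thread.
// Models the provisioning-script mapping discussed above as plain functions.

// Assumption for the example: the UPN suffixes verified (and federated) in the
// Office 365 tenant. A UPN with any other suffix cannot match a cloud account.
const VERIFIED_SUFFIXES = ["somewhere.new.com"];

// Assumption: UPNs of accounts DirSync already created in the tenant.
// Provisioning matches on principal name, so the mapped UPN must equal one of
// these for "Sync (overwrite)" to hit the existing mailbox instead of creating
// a second account.
const EXISTING_CLOUD_UPNS = ["j.doe@somewhere.new.com"];

// Map the AD mail attribute to the target UserPrincipalName, lower-cased as in
// the thread's script, plus the checks the script itself does not do.
function mapUserPrincipalName(source, verifiedSuffixes) {
  const raw = source.mail;
  if (raw === null || raw === undefined || String(raw).trim() === "") {
    throw new Error("mail attribute is empty; refusing to write an empty UPN");
  }
  const upn = String(raw).trim().toLowerCase();
  const at = upn.lastIndexOf("@");
  if (at < 1 || at === upn.length - 1) {
    throw new Error("mail is not a valid address: " + raw);
  }
  const suffix = upn.slice(at + 1);
  if (!verifiedSuffixes.includes(suffix)) {
    throw new Error("suffix " + suffix + " is not a verified domain in the tenant");
  }
  return upn;
}

// Emulate the "Test" button: compute the destination UPN for each user and
// say whether it overwrites an existing cloud account (the wanted outcome for
// users already synced by DirSync), would create a new account, or fails.
function previewProvisioning(users, verifiedSuffixes, existingCloudUpns) {
  return users.map(function (u) {
    try {
      const upn = mapUserPrincipalName(u, verifiedSuffixes);
      return {
        source: u.userPrincipalName,
        destination: upn,
        action: existingCloudUpns.includes(upn) ? "overwrite-existing" : "create-new",
        error: null,
      };
    } catch (e) {
      return { source: u.userPrincipalName, destination: null, action: "skip", error: e.message };
    }
  });
}

// Constructed sample AD users (not real data). The first is the case from the
// thread: AD UPN johnd@somewhere.old.com, mail j.doe@somewhere.new.com.
const SAMPLE_USERS = [
  { userPrincipalName: "johnd@somewhere.old.com", mail: "J.Doe@Somewhere.New.com" },
  { userPrincipalName: "asmith@somewhere.old.com", mail: "a.smith@somewhere.new.com" },
  { userPrincipalName: "bjones@somewhere.old.com", mail: null },
  { userPrincipalName: "ckim@somewhere.old.com", mail: "c.kim@partner.example" },
];

previewProvisioning(SAMPLE_USERS, VERIFIED_SUFFIXES, EXISTING_CLOUD_UPNS)
  .forEach(function (r) { console.log(JSON.stringify(r)); });
```

Run with node; each output row is one user as the Test button would show it. A row marked "create-new" for a user who already has a mailbox means the mapped name does not match the cloud account and that user would lose access to the existing mailbox after cutover; a "skip" row is a user whose mail attribute needs fixing in AD before the domain is federated.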