Office 365 User & Group Provisioning
Office 365 customers can be managed by their hosting partners using the CSP model.
This allows for hosting partner personnel to administrate the subscription without needing any direct connection with the customer itself.
SMBBlueprint simplifies the initial provisioning of O365 users and (private) Office groups for a CSP tenant by providing a PowerShell-based deployment workflow.
Starting the deployment
The cmdlet New-SMBOfficeDeployment can be used to initiate the deployment.
The deployment must be started with a set of parameters that specify both the connection info for the target tenant (PowerShell parameters) and a CSV file that contains the user and group payload to be provisioned.
Note: For the full explanation of the parameters, refer to the PowerShell documentation of the Office deployment cmdlet.
The deployment needs a valid CSV file with the following information:
- First (the first name of the user)
- Last (the last name of the user)
- Title (the user's title or function)
- DisplayName (currently not in use)
- Department (the user's department)
- Office (the user's office location)
- Mobile (the user's mobile phone number)
- Country (the user's country, expressed as an ISO code)
- Groups (the group to which the user should belong)
  - If the group is mentioned for the first time, the associated user is set as owner. Subsequent users that specify the same group become regular members.
  - The created groups will be private Office Groups
- Licenses (the licenses to assign to the user, expressed as the SKU code and separated with the '|' character; the codes can be found using 'Get-MsolAccountSku -TenantId <ID of your CSP tenant>')
  - You can get the tenant IDs under your CSP account by connecting to your root Azure AD with 'Connect-MsolService' and then querying the tenants with 'Get-MsolPartnerContract -All | select DefaultDomainName,TenantId'
Before this solution is used, a validated custom domain needs to be present in the tenant's configuration.
By default, the tenant domain that is marked as default will be used as primary mail suffix. A specific domain can be chosen by providing the '-MailDomain
Note: While using the standard <TenantName>@onmicrosoft.com suffix is not blocked, the user won't be able to send or receive mail.
A parameter 'DefaultPassword' can be passed. This sets the initial logon password for ALL users in the CSV to a specific value. If the parameter is omitted, a random password is generated.
Before starting the provisioning, a few conditions are checked:
- The CSP credential must be valid
- The entered Tenant ID or Domain must be present in the CSP partner's directory
  - Note: Do not confuse the tenant domain with the tenant's own domains. The tenant domain is the value shown in the CSP portal, not the one in the tenant's admin portal!
- The licenses specified in the CSV file must not exceed the ones available in the subscription
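The CSV layout and the pre-flight checks above can be rehearsed before New-SMBOfficeDeployment is started. The following is an added example, not SMBBlueprint's own code: it parses a constructed sample payload in the expected column layout, checks the columns and country codes, shows which user would become owner of each group, confirms the tenant is one of the partner's contracts, and compares the licenses the CSV needs with the free units in the tenant. It assumes the MSOnline module is loaded and Connect-MsolService has been run with the CSP credential; $TenantDomain and the sample rows are placeholders, and the Licenses column is assumed to carry either the bare SKU code or the full AccountSkuId as returned by Get-MsolAccountSku.

```powershell
# Added example: pre-flight validation of the user/group CSV against a CSP tenant.
# Not part of SMBBlueprint. Requires: Import-Module MSOnline; Connect-MsolService (CSP credential).
$TenantDomain = 'contoso.onmicrosoft.com'   # placeholder: the tenant domain as shown in the CSP portal

# Constructed sample payload in the column layout the deployment expects.
$csvText = @'
First,Last,Title,DisplayName,Department,Office,Mobile,Country,Groups,Licenses
Alice,Adams,CEO,,Management,Brussels,+32470000001,BE,Management,O365_BUSINESS_PREMIUM
Bob,Brown,Engineer,,R&D,Brussels,+32470000002,BE,Engineering,O365_BUSINESS_PREMIUM|EMS
Carol,Clark,Engineer,,R&D,Antwerp,+32470000003,BE,Engineering,O365_BUSINESS_PREMIUM
'@
$rows = $csvText | ConvertFrom-Csv

# 1. Every required column must be present (DisplayName is unused but still expected).
$required = 'First','Last','Title','DisplayName','Department','Office','Mobile','Country','Groups','Licenses'
$columns  = $rows[0].PSObject.Properties.Name
$missing  = $required | Where-Object { $_ -notin $columns }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

# 2. Country must be a two-letter ISO code (it also serves as usage location for licensing).
$badCountry = @($rows | Where-Object { $_.Country -notmatch '^[A-Z]{2}$' })
if ($badCountry) { throw "Invalid ISO country code for: $(($badCountry | ForEach-Object First) -join ', ')" }

# 3. Ownership outcome: the first row naming a group owns it, later rows become members.
$ownerOf = [ordered]@{}
foreach ($r in $rows) {
    if ($r.Groups -and -not $ownerOf.Contains($r.Groups)) { $ownerOf[$r.Groups] = "$($r.First) $($r.Last)" }
}
foreach ($g in $ownerOf.Keys) { "Group '$g' will be owned by $($ownerOf[$g])" }

# 4. The tenant must be a partner contract (CSP-portal domain, not a customer vanity domain).
$contract = Get-MsolPartnerContract -All | Where-Object { $_.DefaultDomainName -eq $TenantDomain }
if (-not $contract) { throw "Tenant '$TenantDomain' was not found under this CSP account" }
$tenantId = $contract.TenantId

# 5. Count how many units of each SKU the CSV needs and compare with what is free in the tenant.
$needed = @{}
foreach ($r in $rows) {
    foreach ($sku in @($r.Licenses -split '\|' | Where-Object { $_ })) { $needed[$sku] = 1 + [int]$needed[$sku] }
}
$skus = Get-MsolAccountSku -TenantId $tenantId
foreach ($sku in $needed.Keys) {
    # Assumption: the CSV holds either "SKU" or "tenant:SKU"; accept both spellings.
    $match = $skus | Where-Object { $_.AccountSkuId -eq $sku -or $_.AccountSkuId -like "*:$sku" }
    if (-not $match) { throw "SKU '$sku' is not present in tenant $TenantDomain" }
    $free = $match.ActiveUnits - $match.ConsumedUnits
    if ($needed[$sku] -gt $free) { throw "SKU '$sku': CSV needs $($needed[$sku]) unit(s) but only $free are free" }
}
'Pre-flight checks passed'
```

Each check throws on the first problem so the script can be used as a gate in a larger run; the license check deliberately counts units per SKU rather than per user, because one user row can consume several SKUs.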
CSP Admin account
Not all resources can currently be reliably deployed through the CSP model. This applies to:
- OneDrive for Business
- Office 365 groups
To work around this limitation, the deployment uses the CSP credential to create an admin user within the tenant itself, and then uses that user to configure the restricted resources. The password for this user is randomly generated and renewed every time the SMBBlueprint solution is run. This means the CSP admin user cannot be used for login without manually resetting the password. The password is not stored in any outputs.
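The disposable tenant admin described above can be expressed as a small routine. This is an added example and not SMBBlueprint's implementation: the account is created once, given the tenant admin role if it lacks it, and its password is regenerated on every run so the previous value is never reusable; the plaintext only ever lives inside a PSCredential for the duration of the run. It assumes Connect-MsolService has been run with the CSP credential; $tenantId, $tenantDomain, the account name and the SharePoint admin URL convention are placeholders or assumptions. Blocking the account after use is an extra hardening step this example adds, not behaviour the page describes.

```powershell
# Added example: a tenant admin account whose password is rotated on every run.
# Not part of SMBBlueprint. Requires: Import-Module MSOnline; Connect-MsolService (CSP credential).
$tenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder: target tenant id
$tenantDomain = 'contoso.onmicrosoft.com'                # placeholder: tenant domain from the CSP portal
$adminUpn     = "svc-deploy@$tenantDomain"               # placeholder name for the service admin

function Get-DeploymentAdminCredential {
    param([string]$TenantId, [string]$Upn)

    # Create the account once; later runs reuse it.
    $user = Get-MsolUser -UserPrincipalName $Upn -TenantId $TenantId -ErrorAction SilentlyContinue
    if (-not $user) {
        $user = New-MsolUser -TenantId $TenantId -UserPrincipalName $Upn `
            -DisplayName 'Deployment service admin' -ForceChangePassword $false
    }

    # Ensure tenant admin membership, needed for the Exchange Online and SharePoint Online admin cmdlets.
    $role     = Get-MsolRole -RoleName 'Company Administrator' -TenantId $TenantId
    $isMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId $TenantId |
        Where-Object { $_.EmailAddress -eq $Upn }
    if (-not $isMember) {
        Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $Upn -TenantId $TenantId
    }

    # Unblock in case the previous run blocked it, then rotate to a fresh random password.
    # Set-MsolUserPassword generates and returns a password when -NewPassword is omitted.
    Set-MsolUser -UserPrincipalName $Upn -BlockCredential $false -TenantId $TenantId
    $newPassword = Set-MsolUserPassword -UserPrincipalName $Upn -ForceChangePassword $false -TenantId $TenantId

    # The plaintext is wrapped immediately and never written to any output.
    New-Object System.Management.Automation.PSCredential($Upn, (ConvertTo-SecureString -String $newPassword -AsPlainText -Force))
}

$cred = Get-DeploymentAdminCredential -TenantId $tenantId -Upn $adminUpn
try {
    # Assumption: the SharePoint admin URL follows the usual <tenant>-admin.sharepoint.com pattern.
    # A password change can take a short while to propagate; retry the connection if it is rejected.
    $spoAdminUrl = 'https://{0}-admin.sharepoint.com' -f $tenantDomain.Split('.')[0]
    Connect-SPOService -Url $spoAdminUrl -Credential $cred
    # ... restricted provisioning steps (groups, OneDrive) run here with $cred ...
}
finally {
    # Extra hardening: leave the account unusable until the next run rotates it again.
    Set-MsolUser -UserPrincipalName $adminUpn -BlockCredential $true -TenantId $tenantId
}
```

Because the password is returned by Set-MsolUserPassword and consumed straight into a SecureString, nothing in the deployment's logs or return object ever carries it; an operator who needs interactive access to the account must reset the password explicitly, exactly as the page states.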
When all checks pass, the CSV information is used to commence the actual provisioning.
This happens in the following order:
1) Create the users in the tenant's Azure AD and set the password and license information. If a user already exists, no action is performed.
2) Connect to the Exchange interface of O365 and create the groups, assigning ownership based on the CSV information. If a group already exists, no action is performed.
3) Populate the standard memberships for the created groups.
4) Bulk-provision OneDrive for all created users using the SharePoint Online Management Shell.
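The four steps above, written out as an added example rather than SMBBlueprint's own implementation. Each step is guarded so that existing users and groups are left untouched, matching the "no action is performed" rules. It assumes Connect-MsolService has been run with the CSP credential, an Exchange Online remote session has been imported, and Connect-SPOService has been run for the tenant; the tenant id, mail domain, CSV path, the first.last@domain UPN convention and the alias derivation are placeholders or assumptions, and the Licenses column is assumed to hold AccountSkuId values as returned by Get-MsolAccountSku.

```powershell
# Added example of the four provisioning steps, idempotent on re-run. Not part of SMBBlueprint.
$tenantId        = '00000000-0000-0000-0000-000000000000'   # placeholder: target tenant id
$mailDomain      = 'contoso.example'                         # placeholder: validated custom domain
$defaultPassword = $null                                     # $null => New-MsolUser generates one per user
$rows            = Import-Csv -Path '.\users.csv'            # placeholder path; same columns as described above

# One plan entry per CSV row. The UPN convention first.last@domain is an assumption.
$plan = foreach ($r in $rows) {
    [pscustomobject]@{
        Row      = $r
        Upn      = ('{0}.{1}@{2}' -f $r.First, $r.Last, $mailDomain).ToLower()
        Created  = $false
        Password = $null
    }
}

# Step 1: users in Azure AD with password and licenses; existing users are skipped.
foreach ($p in $plan) {
    if (Get-MsolUser -UserPrincipalName $p.Upn -TenantId $tenantId -ErrorAction SilentlyContinue) {
        Write-Verbose "User $($p.Upn) already exists, skipping"
        continue
    }
    $r = $p.Row
    $userParams = @{
        TenantId            = $tenantId
        UserPrincipalName   = $p.Upn
        DisplayName         = "$($r.First) $($r.Last)"
        FirstName           = $r.First
        LastName            = $r.Last
        Country             = $r.Country
        UsageLocation       = $r.Country          # must be set before a license can be assigned
        LicenseAssignment   = @($r.Licenses -split '\|' | Where-Object { $_ })
        ForceChangePassword = $true
    }
    foreach ($name in 'Title','Department','Office') { if ($r.$name) { $userParams[$name] = $r.$name } }
    if ($r.Mobile)        { $userParams.MobilePhone = $r.Mobile }
    if ($defaultPassword) { $userParams.Password = $defaultPassword }
    $user = New-MsolUser @userParams
    $p.Created  = $true
    $p.Password = if ($defaultPassword) { $defaultPassword } else { $user.Password }   # generated value is returned
}

# Step 2: private Office 365 groups in Exchange Online; the first CSV row naming a group supplies its owner.
$ownerOf = [ordered]@{}
foreach ($p in $plan) {
    $g = $p.Row.Groups
    if (-not $g -or $ownerOf.Contains($g)) { continue }
    $ownerOf[$g] = $p.Upn
    if (Get-UnifiedGroup -Identity $g -ErrorAction SilentlyContinue) {
        Write-Verbose "Group $g already exists, skipping"
        continue
    }
    # Alias derivation (strip non-alphanumerics) is an assumption of this example.
    New-UnifiedGroup -DisplayName $g -Alias ($g -replace '[^A-Za-z0-9]', '') `
        -AccessType Private -Owner $p.Upn | Out-Null
}

# Step 3: everyone else listed for a group becomes an ordinary member.
foreach ($p in $plan | Where-Object { $_.Row.Groups -and $ownerOf[$_.Row.Groups] -ne $_.Upn }) {
    Add-UnifiedGroupLinks -Identity $p.Row.Groups -LinkType Members -Links $p.Upn
}

# Step 4: bulk pre-provision OneDrive for the users created in this run (the cmdlet accepts up to 200 per call).
$newUpns = @($plan | Where-Object Created | ForEach-Object Upn)
if ($newUpns) { Request-SPOPersonalSite -UserEmails $newUpns -NoWait }

# Login information for a ProvisionedUsers-style output.
$plan | Where-Object Created | Select-Object Upn, Password
```

Ownership is decided from the full CSV, not only from users created in this run, so re-running the file after a partial failure still assigns the owner the CSV intends; only newly created users get a OneDrive request, since existing users either have one already or were never part of this deployment.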
When the provisioning completes, an object is returned containing the following information:
- Type (the deployment type; this will be 'Office' for deployments started with this function)
- Duration (the duration of the deployment)
- Status (provides status information for the deployment)
- Configuration (contains several outputs of the deployment)
  - ProvisionedUsers (a list of all provisioned users including login information)
  - ProvisionedGroups (a list of all provisioned Office groups)
- Completed (equals 'TRUE' if the deployment is done)
- Error (if an exception occurred during the deployment, it is stored here)
- Log (the full path of the log file for the deployment)