[Index]
MICROSOFT
Overview
To allow VOSS Automate to manage and provision Microsoft applications, VOSS Automate must be able to authenticate with Microsoft Entra, PowerShell proxy servers (one or more) Microsoft Teams, and Microsoft Exchange Online.
This task sets up the authentication between MS 365, MS Teams, and VOSS Automate, and sets up the PowerShell proxy server.
Note
Microsoft changed the name of Azure Active Directory to Microsoft Entra ID in August 2023.
To access the flowcharts, view the topic via the release documentation at: https://documentation.voss-solutions.com/automate.html
Note
For details around the URLs, ports, and protocols that VOSS Automate uses to connect to the PowerShell proxy and the Microsoft 365 tenant, and which the PowerShell proxy uses to connect to the tenant, see:
"Network Communications External to the Cluster" in the VOSS Automate Installation Guide or Platform Guide.
Devices for Microsoft UC Application Setup
The table describes the devices configured for Microsoft UC application setup (authentication, authorization, and PowerShell proxy):
Device | Description |
Microsoft Graph API | Used for managing cloud-based apps. VOSS Automate uses Microsoft Graph API to interact with Microsoft Entra. Registering VOSS Automate as an application object in Microsoft Entra provides authentication and authorization for VOSS Automate. |
PowerShell Proxy Servers | VOSS Automate accesses and provisions Microsoft Teams using PowerShell. Authentication and authorization are enforced on the PowerShell proxy and in the Microsoft 365 tenant. |
Microsoft Teams | VOSS Automate uses the PowerShell proxy server and the Microsoft Teams PowerShell module to manage MS Teams settings. PowerShell scrips authenticate to Microsoft Teams using Basic Authentication, and credentials associated with a service account in the tenant. |
Exchange Online | VOSS Automates uses the PowerShell proxy server and Microsoft Exchange Online PowerShell module to manage MS Exchange Online components. VOSS Automate authenticates using app-only authentication, which requires a certificate and private key installed on the PowerShell proxy. |
VOSS Automate uses the Microsoft Graph API (if available) to manage cloud-based applications, such as Microsoft Entra.
Note
When available, the Microsoft Graph API is the preferred choice, for the following reasons:
As the Microsoft Graph API matures, VOSS Automate can easily be updated to leverage new Graph functionality; new templates can be added, and existing ones can be updated. Template updates can be deployed with no downtime or service impact.
If the Microsoft Graph API is not available, and for on-premise applications, VOSS Automate uses Windows PowerShell, along with PowerShell management modules provided by Microsoft. In this case, VOSS Automate requires access to at least one Windows computer to use as the PowerShell proxy server.
VOSS Automate manages Microsoft Teams and Microsoft Exchange Online using the PowerShell proxy servers running Windows PowerShell. The PowerShell proxy servers execute remote PowerShell cmdlets.
The table describes how PowerShell Proxies may be used to manage on-premise or cloud-based applications:
On-premise apps | Join the PowerShell proxy server to the domain under management. If using VOSS Automate to manage multiple on-premises customer domains, add at least one domain-joined PowerShell proxy for each domain. |
Cloud-based apps | Use a PowerShell proxy server to manage multiple Microsoft 365 tenants. A PowerShell proxy that manages only cloud-based applications can optionally be configured as a workgroup server. |
Authentication and authorization may be enforced in two places:
When using Windows PowerShell for Microsoft apps management, VOSS Automate creates separate PowerShell sessions via the PowerShell proxy servers for each Microsoft application being managed for a specific customer tenant or domain.
All PowerShell sessions for a particular customer may be hosted by the same PowerShell proxy server, or you can configure a separate PowerShell proxy server for each PowerShell session. Optionally, the PowerShell proxy servers hosting the PowerShell sessions may be dedicated for this purpose exclusively.
Related Topics
Windows Server includes the "Windows Remote Management" (WinRM) service, which implements the "Web Services-Management" protocol (WSMan):
Once connected, VOSS Automate pushes PowerShell scripts (which it generates "on the fly") to the PowerShell proxy, and instructs WinRM to execute the scripts and return the results. The Microsoft Teams and Exchange Online Management PowerShell modules (provided by Microsoft) then connect to the Microsoft 365 tenant.
Related Topics
PowerShell Proxy Server Domain Membership
PowerShell proxy servers may be joined to a Microsoft Entra domain.
Domain membership is required if you're using VOSS Automate to manage or extract data from any on-premises component, such as Skype for Business Server, on-premises Microsoft Entra, or on-premises Exchange Server.
Domain membership is optional in all other scenarios.
Deploying two or more PowerShell proxy servers provides redundancy. PowerShell proxy servers can be scaled and made highly available by interposing a load balancer between VOSS Automate and the PowerShell proxy servers.
Load balancer requirements:
When deploying VOSS Automate as a multi-node cluster and the load balancer is configured in "IP Affinity" mode, each Unified Node will have all its requests routed to the same PowerShell proxy.
A properly configured load balancer will distribute the overall load from all the Unified Nodes across the deployed PowerShell proxy servers. When a PowerShell proxy goes out of service the load balancer will route incoming traffic to the surviving servers, bypassing the failed one.
Related Topics
Some organizations require all traffic outbound to the public Internet (including traffic to Microsoft 365 tenants) to traverse an outbound Internet proxy server for audit logging and, optionally, authentication.
Related Topics
VOSS Automate uses the Microsoft Graph API at https://graph.microsoft.com over TCP port 443 to interact with Microsoft Entra.
Microsoft's application registration process provides authentication and authorization services for VOSS Automate. For details, see Create Application Registration in Tenant Portal
You can configure the permissions granted to the VOSS Automate application based on the management use cases for which VOSS Automate has been designated. For example, you can grant permission to VOSS Automate to manage end user license assignments, or you can withhold that permission (in which case VOSS Automate will only be able to view existing license assignments, limiting the VOSS Automate workflows available to you).
For details around the permissions that VOSS Automate requires, see Step 3: Add Microsoft Graph API Permissions
VOSS Automate uses the PowerShell proxy and the Microsoft Teams PowerShell module to manage Microsoft Teams end user, service, device policies, and telephony settings.
The PowerShell scripts authenticate to the Microsoft Teams tenant using Basic Authentication.
Note
The Microsoft Teams PowerShell module currently only supports Basic Authentication.
The PowerShell scripts authenticate using the credentials associated with a service account in the tenant. The tenant service account must be granted sufficient privileges to perform Microsoft Teams end user, service, and device management, and it must not have multi-factor authentication enabled.
Note
To enhance the security of the connection between the PowerShell proxy server(s) and your Microsoft Teams tenant, you may wish to consider using Conditional Access to restrict management access by the service account to specific static IP addresses associated uniquely with your PowerShell proxy server(s).
For more information around Conditional Access, see What is Conditional Access? | Microsoft Docs.
You must assign at minimum the following role to the service account used for managing Microsoft Teams:
Role | Description |
---|---|
Teams Administrator | Provides full access to all MS Teams, manages service requests, and monitors service health. Use cases:
|
VOSS Automate uses the PowerShell proxy server, along with Microsoft's Exchange Online PowerShell module, to manage MS Exchange Online user mailboxes, shared mailboxes, room mailboxes, and distribution groups.
VOSS Automate uses app-only authentication for Microsoft Exchange Online.
Note
For more information about app-only authentication, see App-only authentication | Microsoft Docs.
For app-only authentication, you will need to create an X.509 certificate with a private key. The certificate and private key must be installed on the PowerShell proxy server.
When registering the VOSS Automate Application Object with Microsoft Entra, you will upload the certificate (with only the public key) and assign Exchange Online API permissions and an appropriate RBAC role to the application.
You will then provision the certificate's thumbprint in VOSS Automate so that VOSS Automate can pass the thumbprint to the PowerShell proxy. The PowerShell proxy uses the certificate identified by the thumbprint to authenticate with Exchange Online.
Microsoft Entra permission for managing Exchange Online
VOSS Automate requires the following Microsoft Entra permission to manage Exchange Online:
Microsoft Entra | Description |
---|---|
Exchange.ManageAsApp | Allows a registered application to access Exchange Online resources |
RBAC role for managing Exchange Online
VOSS Automate requires the following RBAC role for managing Exchange Online:
RBAC Role | Description |
---|---|
Exchange Administrator | Users with this role have global permissions within Microsoft Exchange Online. Also can create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. |
Note
For custom administrator user roles, ensure the associated Access Profile allows for all operations on all MS Exchange models; that is: Access Profile type: device/msexchangeonline/*
For details, see Access Profile Permissions and Operations.
To access the latest documentation, go to Documentation and Resources at: https://voss.portalshape.com
Introduction
VOSS Automate can be used to manage multiple applications within Microsoft's Unified Communications stack including Azure Active Directory, Microsoft Teams, and Exchange Online, and on-premises Active Directory, Skype for Business Server, and Exchange Server.
Where it is available, VOSS Automate utilizes the Microsoft Graph API to manage cloud-based applications such as Azure Active Directory. Where the Graph API is not available, and for on-premises applications, VOSS Automate uses Windows PowerShell along with Microsoft-provided PowerShell management modules. Because PowerShell is native to Microsoft Windows, VOSS Automate requires access to at least one Windows computer that will, in turn, execute remote PowerShell cmdlets on VOSS Automate's behalf. In this document we will refer to these computers as "VOSS Automate PowerShell Proxies", or simply "PS Proxies". For management of on-premises applications the PS Proxy must be joined to the domain under management. This means that if you are using VOSS Automate to manage multiple on-premises customer domains you need at least one domain-joined PS Proxy for each of those domains. For cloud-based applications a PS Proxy can be used to manage multiple Microsoft 365 tenants. A PS Proxy that manages only cloud-based applications can optionally be configured as a workgroup server.
The Microsoft Graph API is the preferred choice when it is available due to its greater simplicity, lack of the need for an intervening proxy, lower latency, more secure authentication options, and more granular permissions management. As the Graph API matures, VOSS Automate can easily be updated to leverage new Graph functionality by adding new templates or updating existing ones. These template updates can be deployed with no downtime or service impact.
Where Graph is not available, VOSS Automate brings PowerShell into play. VOSS Automate creates, via a PS Proxy, a separate PowerShell session for each of the Microsoft applications being managed for a specific customer tenant or domain. All the PowerShell sessions for a particular customer may be hosted by the same PS Proxy, or you can configure a separate PS Proxy for each session. The PS Proxies hosting these PowerShell sessions may be dedicated for this purpose exclusively, but this is not required. PS Proxies can be scaled and made highly available by interposing a load balancer between VOSS Automate and the proxies.
Microsoft Authentication, Authorization, and Security Considerations
Note
For specific details regarding the URLs, ports, and protocols that VOSS Automate uses to connect to the PowerShell Proxy (described below) and to the Microsoft 365 tenant, and that the PowerShell Proxy uses to connect to the tenant, refer to:
the "Network Communications External to the Cluster" section of the VOSS Automate Installation Guide or Platform Guide.
VOSS Automate uses the Microsoft Graph API at https://graph.microsoft.com over TCP port 443 to interact with Azure Active Directory. Microsoft's application registration process provides authentication and authorization services for VOSS Automate. Permissions granted to the VOSS Automate application can be fine-tuned based on the management use cases for which VOSS Automate has been designated. For example, you can grant permission to VOSS Automate to manage end user license assignments, or you can withhold that permission (in which case VOSS Automate will only be able to view existing license assignments, limiting the VOSS Automate workflows available to you). The table below identifies the permissions that VOSS Automate requires, and the use cases that each of those permissions enables.
Permission | Description | Management Use Case |
User.Read.All | Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization. |
|
User.ReadWrite.All | Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords. |
|
Organization.Read.All | Allows the app to read the organization and related resources. Related resources include things like subscribed SKUs and tenant branding information. |
|
PowerShell Proxy Server
VOSS Automate manages Microsoft Teams and Microsoft Exchange Online using one or more PowerShell Proxy servers running Windows PowerShell. Authentication and authorization are enforced in two places within this topology: on the PowerShell Proxy itself, and in the Microsoft 365 tenant.
Windows Server includes a service called "Windows Remote Management" (WinRM), which implements the "Web Services-Management" protocol (WSMan). VOSS Automate connects to the Windows Remote Management (WinRM) service on the PS Proxy and then uses that service to execute commands from the set provided by the Microsoft Teams and Microsoft Exchange PowerShell modules.
To connect to the WinRM service on the PS Proxy, VOSS Automate provides credentials for an elevated, local service account on that server. Once connected, VOSS Automate pushes PowerShell scripts that it generates "on the fly" to the PS Proxy, then instructs WinRM to execute those scripts and return the results. The Microsoft-provided "Microsoft Teams" and Exchange Online Management PowerShell modules, in turn, connect to the Microsoft 365 tenant.
Microsoft Teams
VOSS Automate manages Microsoft Teams end user, service, and device policies and telephony settings using the PowerShell Proxy server described above, along with Microsoft's Teams PowerShell module.
When the PowerShell scripts need to authenticate to the Microsoft Teams tenant, they do so using Basic Authentication, which is the only authentication mechanism currently supported by the Microsoft Teams PowerShell module. The scripts authenticate using the credentials associated with a service account in the tenant. That service account must be granted sufficient privileges to perform Microsoft Teams end user, service, and device management, and it must not have multi-factor authentication enabled.
To enhance the security of the connection between the PowerShell Proxy server(s) and your Microsoft Teams tenant, you may wish to consider using Conditional Access to restrict management access by that service account to specific static IP addresses associated uniquely with your PowerShell Proxy server(s).
For more information regarding Conditional Access refer to
What is Conditional Access in Azure Active Directory? | Microsoft Docs.
The service account used to manage Microsoft Teams must be assigned, at a minimum, the following role:
Role | Description | Management Use Case |
---|---|---|
Skype for Business Administrator | Full access to all Teams and Skype features, Skype user attributes, manages service requests, and monitors service health. |
|
Exchange Online
VOSS Automate manages Exchange Online user mailboxes, shared mailboxes, room mailboxes, and distribution groups, using the PowerShell Proxy server described above, along with Microsoft's Exchange Online PowerShell module. For authentication, VOSS Automate utilizes app-only authentication, as described in App-only authentication | Microsoft Docs.
This authentication method requires the creation of an X.509 certificate with a private key, both of which are installed on the PowerShell Proxy. When registering the VOSS Automate Application Object with Azure AD as described below, you will upload that certificate (with only the public key) and assign Exchange Online API permissions and an appropriate RBAC role to the application. You will then provision the certificate's thumbprint in VOSS Automate. VOSS Automate passes that thumbprint to the PowerShell proxy, which in turn uses the certificate identified by the thumbprint to authenticate with Exchange Online.
The table identifies the application permission and RBAC role that VOSS Automate requires for Exchange Online management:
Permission / Role | Description |
---|---|
Azure AD permission: Exchange.ManageAsApp | Permission required for a registered application to access Exchange Online resources |
RBAC Role: Exchange Administrator | Users with this role have global permissions within Microsoft Exchange Online. Also can create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. |
For custom administrator user roles, ensure the associated Access Profile allows for all operations on all MS Exchange models, in other words, Access Profile type: device/msexchangeonline/*. For details, see Access Profile Permissions and Operations.
Azure Active Directory Tenant Setup for VOSS Automate Application Registration
For VOSS Automate to use Microsoft Graph to access Azure Active Directory, you will have to register an Application Object with Azure AD. The Application Object describes VOSS Automate to Azure AD and can be considered the definition of the VOSS Automate application. This definition allows the Azure AD service to issue authentication tokens to the VOSS Automate service.
Be prepared to record three important pieces of information as you proceed through these steps. You will need all three of these values later, when you set up the tenant connection on VOSS Automate.
You can retrieve your Tenant and Client IDs from your Azure Active Directory portal at any time. Your Client secret will be exposed only once, as noted below, so be sure to save that value in a secure location at that time. (As an analogy it may be useful to think of the combination of your Tenant ID and Client ID as if it were a login name, and your Client secret as if it were a password. From a security perspective you should treat these values as if they were administrative login credentials.)
You will have to be signed in as a Global Administrator to complete the following steps.
Sign into the Azure portal using your Global Administrator credentials.
If you have access to multiple tenants, use the Directory + Subscription filter in the top toolbar to select the tenant in which you wish to register the VOSS Automate application.
Select Azure Active Directory under Favorites in the navigation bar. If Azure Active Directory is not listed under your Favorites, select All services and then search for and select Azure Active Directory.
Under Manage select App registrations, then select New registration.
Enter a name for your application, for example "VOSS Automate". Users of your application might see this name. You can change it later.
Select Register.
Under Manage select Certificates & secrets.
Under Client secrets select New client secret. Enter a description and select an expiration, then click Add.
Record the secret value in a safe location for use when setting up VOSS Automate.
Important
This is your only opportunity to save the secret value. Once you leave this screen you will no longer be able to retrieve it. If you lose this secret value you will have to delete the secret and repeat the steps for creating a new client secret.
Under Manage select API permissions, then select Add a permission.
Select Microsoft Graph.
Select Application permissions. Referring to the table below, select only the permissions associated with the use cases for which you wish to enable VOSS Automate management. Once you have selected all the relevant permissions, click Add permissions.
Azure Active Directory – Minimum Required Permissions
Management Use Case | Required Permission |
---|---|
List Azure AD users | User.Read.All |
Retrieve Azure AD user properties | User.Read.All |
Retrieve Azure AD user license details | User.Read.All |
Update Azure AD user properties | User.ReadWrite.All |
Update Azure AD user license assignment | User.ReadWrite.All |
List subscribed SKUs (subscribed, used, and available licenses) | Organization.Read.All |
Retrieve subscribed SKU details, including service plans included in the SKU | Organization.Read.All |
Under Configured permissions select Grant admin consent for <your tenant>. Answer Yes to the confirmation prompt at the top. Note that the status of each of the listed permissions has changed from Not granted to Granted.
If you will be using VOSS Automate to manage Exchange Online, complete the next section (Create Service Account for Microsoft Teams Management via PowerShell), then set up the PowerShell Proxy as described in PowerShell Proxy Setup.
After you have set up the PowerShell Proxy return here and continue with the next step.
Return to the app page for your application. (If you have navigated away from there, or if you have had to log in again, you can find that page by selecting Azure Active Directory from your dashboard's All services page, then under Manage selecting App registrations, then selecting your application from the Owned applications tab.)
Under Manage select Manifest.
In the manifest page that opens, scroll down until you locate the line containing the word requiredResourceAccess. Place your cursor at the beginning of the very next line and paste the following text at that location:
{ "resourceAppId": "00000002-0000-0ff1-ce00-000000000000", "resourceAccess": [ { "id": "dc50a0fb-09a3-484d-be87-e023b12c6440", "type": "Role" } ] },
Before:
After:
When you are finished, click Save. Stay on the Manifest page.
Under Manage select API permissions. Verify that your previously-configured Microsoft Graph permissions are still present, and that Exchange.ManageAsApp now appears. Also note that the status of Exchange.ManageAsApp is currently "Not granted for..."
Select Grant admin consent for <your tenant>, and click Yes. Confirm that the status of Exchange.ManageAsApp has changed to "Granted for...".
Leave this page open as we will return to it later.
Sign into the PowerShell Proxy using the service account that you created for VOSS Automate and open an elevated PowerShell window. In that window you will create and install on the proxy a self-signed certificate with private key. You will then export the certificate without its private key. Use the following PowerShell commands to accomplish this:
# Create the certificate and install in the current user store $mycert = New-SelfSignedCertificate -DnsName 'your public domain' -CertStoreLocation 'cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange # Export the certificate to a .cer file $mycert | Export-Certificate -FilePath "$($env:USERPROFILE)\mycert.cer" # Extract the certificate thumbprint $mycert.Thumbprint
The final PowerShell command above displays the certificate's thumbprint. You will need this value when setting up the connection parameters in VOSS Automate, so copy it and save it for later.
You will now upload the certificate you just exported in the previous step to Azure. Make sure the .cer file you created is accessible, then from the Azure Active Directory page where you left off, under Manage select Certificates & secrets.
Under Certificates select Upload certificate, then on the Upload certificate page navigate to your exported certificate.
Click Add.
Navigate back to your Azure Active Directory Overview page (select Azure Active Directory from All services). Under Manage select Roles and administrators. Scroll down the list of roles until you reach Exchange administrator. Click on the name (not the checkbox).
On the Assignments page select Add assignments. On the Add assignments page search for and select your application.
Click Add.
Create Service Account for Microsoft Teams Management via PowerShell
In this procedure we will create the service account that the PowerShell Proxy will use when performing Microsoft Teams management activities using PowerShell.
When setting up the connection parameters in VOSS Automate you will need the user name, domain name, and password that you specify in this procedure.
At a minimum you will need the "User administrator" role to complete this procedure.
MICROSOFT
Note
References in this section to "PowerShell Proxy" refer to the MS Windows host running PowerShell commands. References to just "Proxy" refer to the HTTP proxy server that the the Windows PowerShell host uses to access the tenant in the cloud.
This procedure configures the following connections:
Prerequisites:
You will need:
The FQDN or IP address of a single-node PowerShell Proxy, or the FQDN corresponding to your load balancer's virtual IP address. See PowerShell Proxy Setup
The credentials for the local service account you created on the PowerShell Proxy
Proxy authentication credentials (if the outbound Internet Proxy requires authentication)
Note
Authenticated proxy is not supported.
The client ID and tenant ID
Either the client secret (supported for Teams and Graph only, not Exchange) or the certificate (supported for Teams, Graph, and Exchange, and mandatory for Exchange), that you created when registering Automate as an application object with Microsoft Entra ID. For greater security, certificate is preferred. See Create Application Registration in Tenant Portal.
To add and configure the Microsoft Tenant
Log in to the Automate Admin Portal as a Provider administrator.
Note
By default, the Provider administrator role is the only role that has the ability to create Tenant connections.
To add a new tenant, go to (default menus) Apps Management > Microsoft Tenant, then:
At the Tenant fieldset, fill out a name and a description for the tenant.
At Microsoft Application Authentication, fill out values for the application authentication:
Note
See Application Registration for configuring application registration.
Fill out the Client ID and Tenant ID values recorded in the application registration setup. See Shared Central App Registration.
Note
The tenant ID and the client ID identify the tenant in the Microsoft cloud.
Select a certificate from the drop-down.
Note
It is strongly recommended that you use a certificate and not a secret. Secret is used only if you don't select a certificate. If you have a certificate and you select it here, the certificate is used for authentication for MS Graph, MS Teams, and MS Exchange.
If you're using MS Exchange, you must use a certificate as secrets are not supported for MS Exchange.
The value for Certificate Thumbprint is auto-populated when you select the certificate.
If you set up Shared Central App Registration with the certificate you'll need to import the certificate into Automate then select it here when adding the tenant.
You can either:
At PowerShell Server Authentication:
At Host, fill out the FQDN or IP address of a single-node PowerShell proxy, or the FQDN corresponding to your load balancer's virtual IP address.
Note
For details around the local hosts file and the TrustedHosts WinRM configuration, see PowerShell Proxy Setup.
At Username and Password, fill out the credentials for the local service account you created on the PowerShell Proxy. See PowerShell Proxy Setup.
At Microsoft Teams Admin Account, ignore these fields unless you must use basic authentication (basic auth).
By default, the Resource Account Basic Authentication checkbox is clear (disabled), which means that you can only import (sync in) resource accounts. You'll need to enable this functionality to add, modify, or delete resource accounts with basic auth in Automate. However, once Microsoft enforces multifactor authentication, the ability to add, modify, or delete resource accounts in Automate will no longer be possible, regardless of whether this checkbox is selected.
Important
Basic auth requires service account credentials and will stop working when Microsoft enforces multifactor authentication on all service accounts (starting July 2024). It is strongly recommended that you use application authentication instead of basic auth. See Application Registration. If you must use basic auth, you'll need to contact VOSS support for assistance to set up the required service account.
At PowerShell Server HTTP proxy, configure the outbound internet proxy connection parameters:
If you have an outbound internet proxy deployed between the PowerShell proxy and the public internet, select Use HTTP Proxy.
Note
If the outbound Internet proxy requires authentication, select Use HTTP Proxy Authentication, fill out a username and password.
Note
You will have already provisioned the outbound internet proxy's IP address (or FQDN) and port number when you set up the PowerShell proxy. See PowerShell Proxy Setup, and note the caveat regarding proxy authentication in Deployment Topology Options.
Add Microsoft 365 details to the Microsoft tenant:
At MS 365 proxy / MS 365 secure proxy, set the outbound internet proxy server if required for traffic outbound to the public internet.
The proxy setup defines the route for the MS Graph API communications that the system uses for communication with the MS 365 Cloud tenant.
Note
In both cases the host can be a FQDN if resolvable via DNS or the IP address of the internet proxy.
At Max page size for MsolUser, define the maximum number of records to retrieve at a time from the API related to device/msgraph/MSOLUser.
For optimal performance, leave this field blank to use the default value, 999.
At Max page size for Groups, define the maximum number of records to retrieve at a time from APIs related to device/msgraph/Grou.
For optimal performance, leave this field blank to use the default value, 999.
Note
For both MsolUser and Groups (starting from 21.4-PB4), the memory limit handling of requests has been increased, so that any previous explicit specification of max page size values less than 999 may not be required anymore, or can be increased substantially.
At Microsoft Exchange:
If you're using Automate to manage Microsoft Exchange online, select Enable Microsoft Exchange.
At Admin Domain, specify the Microsoft Exchange admin domain (the domain of the tenant) used to authenticate.
Note
The Admin Domain field displays once you select Enable Microsoft Exchange.
Click Save.
Note
When saving the tenant with the certificate selected, the certificate is deployed to the PowerShell proxy and installed. You can then import the certificate on the tenant App registration in Microsoft Entra for authentication of all apps (MS Exchange, Teams, and Graph).
Test your Microsoft tenant connection. You will be prompted to confirm the test.
Note
In this step you're verifying that Automate can connect to the Microsoft tenant using the Teams and Exchange Powershell modules on the Windows server as well as using the Graph API on the Automate platform.
Modifying a Microsoft Tenant
Modifying a Microsoft tenant will only overwrite those driver parameters in the underlying connections (MSTeamsOnline, MSExchangeOnline, MSGraph) that are managed by the tenant workflows. Other driver parameters will be left as is.
Next Steps
Important
For release 21.5-PB5, Multivendor environments using the data/MultivendorUsernameMappingMacros model at a hierarchy below sys level require an additional update. High level administrators with access to this model should ensure instances include:
"username_macro_ms_365": [ "{{ input.UserPrincipalName }}", "(( fn.is_none_or_empty input.username == fn.true ))<NOT_FOUND>(( data.User.username | username:input.username != '' ))<{{ data.User.username | username:input.username }}><NOT_FOUND>", "(( fn.is_none_or_empty input.username == fn.true ))<NOT_FOUND>(( data.User.username | username_ms_365:input.username != '' ))<{{ data.User.username | username_ms_365:input.username }}><NOT_FOUND>", "(( fn.is_none_or_empty input.UserPrincipalName == fn.true ))<NOT_FOUND>(( data.User.username | email:input.UserPrincipalName != '' ))<{{ data.User.username | email:input.UserPrincipalName}}><NOT_FOUND>", "(( fn.is_none_or_empty input.UserPrincipalName == fn.true ))<NOT_FOUND>(( data.User.username | username_ms_365:input.UserPrincipalName != '' ))<{{ data.User.username | username_ms_365:input.UserPrincipalName }}><NOT_FOUND>", "(( fn.is_none_or_empty previous.UserPrincipalName == fn.true ))<NOT_FOUND>(( data.User.username | username_ms_365:previous.UserPrincipalName != '' ))<{{ data.User.username | username_ms_365:previous.UserPrincipalName }}><NOT_FOUND>", "(( fn.is_none_or_empty input.UserPrincipalName == fn.true ))<NOT_FOUND>(( data.User.username | username_ms_teams:input.UserPrincipalName != '' ))<{{ data.User.username | username_ms_teams:input.UserPrincipalName }}><NOT_FOUND>", "(( fn.is_none_or_empty previous.UserPrincipalName == fn.true ))<NOT_FOUND>(( data.User.username | username_ms_teams:previous.UserPrincipalName != '' ))<{{ data.User.username | username_ms_teams:previous.UserPrincipalName }}><NOT_FOUND>", "(( fn.is_none_or_empty input.UserPrincipalName == fn.true ))<NOT_FOUND>(( device.cucm.User.userid | userIdentity:input.UserPrincipalName != '' ))<{{ device.cucm.User.userid | userIdentity:input.UserPrincipalName }}><NOT_FOUND>", "(( fn.is_none_or_empty input.UserPrincipalName == fn.true ))<NOT_FOUND>(( device.cucm.User.userid | mailid:input.UserPrincipalName != '' ))<{{ device.cucm.User.userid | mailid:input.UserPrincipalName }}><NOT_FOUND>" ],
Perform a sync from the Microsoft tenant to import Microsoft users, tenant dial plan, licenses, and policies to the customer level. You will be prompted to confirm the syncs.
For Microsoft Exchange, ensure that instances for all 4 device models (User mailboxes, Shared Mailboxes, Room Mailboxes, and Distribution Mailboxes) are synced in at the level were the tenant exists.
Configure the customer-wide site defaults doc (SDD), CUSTOMER_TEMPLATE. See Site Defaults Doc Templates.
Add network device lists (NDLs) with Microsoft 365 and Microsoft Teams tenant details. NDLs are required when adding sites. See Configure a Network Device List.
Create sites.
Run the overbuild. See: Overbuild for Microsoft.
Go to VOSS Automate Configuration and Sync
Related Topics
Microsoft Overview in the Core Feature Guide
Microsoft Sync Overview in the Best Practices Guide
To access the latest documentation, go to Documentation and Resources at: https://voss.portalshape.com
This procedure adds a Microsoft tenant at a customer hierarchy, for Microsoft 0365 and Microsoft Teams.
Note
You will need to add a Microsoft tenant at each customer hierarchy.
Pre-requisites:
Perform these steps:
Log in to the Admin portal as provider level admin (or higher).
Go to (default menu) Apps Management > Microsoft Tenant.
Click the Plus icon (+) to add a tenant.
On the organization level picker, choose the customer where you're adding the tenant.
Configure the Tenant name and description. See: Microsoft Configuration Setup.
Configure the Microsoft Teams PowerShell proxy host service account credentials:
Note
For the Windows PowerShell proxy host setup, see the Microsoft Windows PowerShell Proxy Server Installation and Upgrade Guide.
Host | The Windows PowerShell host service account name, either a host name or IP address. |
Username | The Windows PowerShell host service account username. |
Password | The Windows PowerShell host service account password. |
Configure the Microsoft Teams HTTP Proxy, which serves as an intermediary between VOSS-4-UC and Microsoft Teams:
Use HTTP Proxy | Defines whether to use the internet (HTTP) proxy, if one is set up between the Windows PowerShell and the Microsoft Cloud. |
Use HTTP Proxy Authentication | Defines whether the HTTP proxy server requires credentials. When set to True, Username and Password are mandatory. |
Username | Windows PowerShell proxy username required for the HTTP proxy server. Mandatory when Use HTTP Proxy Authentication is set to True. |
Password | Windows PowerShell proxy password for the HTTP proxy server. Mandatory when Use HTTP Proxy Authentication is set to True. |
In Microsoft Teams, configure credentials for the VOSS-4-UC admin account used to access Microsoft Teams. See Microsoft Configuration Setup.
In Microsoft 0365, configure application credentials assigned by Azure:
Client ID | The client ID (application ID) assigned by the Azure application registration portal. See: Microsoft Configuration Setup. |
Tenant ID | Enter your unique Microsoft 365 tenant globally unique ID (GUID). See Microsoft Configuration Setup. |
Secret | Enter your secret passphrase (Microsoft Graph API secret authentication, either a client ID password or public/private key pair certificate, used to access Microsoft Cloud service resources). See: Microsoft Configuration Setup. |
Click Save. The customer tenant is created.
Click the Sync All toolbar icon. A full pull sync is triggered from the Microsoft Cloud to import Microsoft users, tenant dial plan, licenses, and policies to the customer level. Wait for all data to sync in. Go to Next Steps.
Next Steps
Related Topics
Microsoft Overview in the Core Feature Guide
Network Device Lists (NDL) in the Core Feature Guide
Introduction
This procedure configures the PowerShell proxy servers and installs the Microsoft Teams PowerShell module.
Note
You will need to perform the following tasks:
Step 1: Create Server-local Service Account
VOSS Automate must use a server-local service account for accessing the PowerShell Proxy server. It must not be a domain account (should the server be domain-joined).
This task is mandatory.
Create a local service account with the following properties:
Account Type | Local Computer Account (not a domain account) |
Local Group Membership |
|
Sign out of the server, then sign back in using the credentials for the service account you just created. Perform the remainder of the tasks in this section using this account.
Step 2: Configure PowerShell Proxy for Redundancy
Important
This task is only required if you're deploying multiple PowerShell Proxy servers behind a load balancer. If you do not have any concerns around redundancy, you can skip this task.
This procedure adds a Fully Qualified Domain Name (FQDN) to the local hosts file on each PowerShell Proxy server you're deploying. Each PowerShell Proxy server must be able to address itself with the FQDN corresponding to the load balancer's virtual IP address.
Perform these steps:
PS C:\WINDOWS\system32> notepad C:\Windows\System32\drivers\etc\hosts
# Copyright (c) 1993-2009 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. 127.0.0.1 localhost psproxy.domain.com # ::1 localhost
Step 3: Configure the Outbound Internet Proxy
This procedure configures a PowerShell Proxy server to use an outbound Internet proxy.
Important
This step is only required if your deployment is using an outbound Internet proxy to access the public Internet (including Microsoft tenants).
Prerequisites:
Perform these steps:
Sign into the PowerShell Proxy server using the local service account that VOSS Automate will use to connect to the proxy.
Open Windows Settings and go to Network & Internet > Proxy.
Under Manual proxy setup enable Use a proxy server.
In the Address field, fill out the IP address or FQDN of the outbound Internet proxy server.
In the Port field, fill out the port number required by the proxy.
Note
The port is typically 3128, but your organization may require a different port.
Select Don't use the proxy server for local (intranet) addresses.
Click Save.
Note
This is a per-user configuration, so ensure you sign in using the VOSS Automate service account.
To make this configuration the default setting for all HTTP clients, open an elevated PowerShell session, and issue the following command:
netsh winhttp import proxy source=ie
Step 4: Configure WinRM
This procedure configures the Windows Remote Management (WinRM) service with the appropriate settings for VOSS Automate.
VOSS Automate uses the Web Services-Management protocol (WSMan) to create the PowerShell sessions that manage Microsoft UC applications.
On Windows computers, the Windows Remote Management (WinRM) service implements WSMan.
You will need to configure WinRM on a PowerShell Proxy running on Windows Server 2019.
Note
Any firewalls between VOSS Automate and the PowerShell Proxy, including Windows Firewall on the proxy, must permit the connections listed in the following table, which describes WinRM Firewall Settings.
These firewall exceptions are enabled by default in Windows Server 2019.
Service | Protocol | Port |
---|---|---|
WinRM 2.0 (HTTP) | TCP | 5985 |
WinRM 2.0 (HTTPS) | TCP | 5986 |
Perform these steps:
Enable-WSManCredSSP -Role Server -Force Enable-WSManCredSSP -Role Client -DelegateComputer \* -Force Set-Item WSMan:\localhost\Service\AllowUnencrypted $true Set-Item WSMan:\localhost\Service\Auth\Basic $true Set-Item WSMan:\localhost\Client\AllowUnencrypted $true Set-Item WSMan:\localhost\Client\Auth\Basic $true Set-Item WSMan:\localhost\Client\TrustedHosts '{server identity}'
Note
When setting the TrustedHosts value, you'll need to provide the identity of the server on which you're executing these commands:
For example, assume the server's FQDN is psproxy01.domain.com and its IP address is 10.1.1.10. If the server is not behind a load balancer, the value for TrustedHosts (including the quotes) will be:
'10.1.1.10,psproxy01.domain.com'
If the server is behind a load balancer, and the FQDN of the load balancer's virtual interface is psproxy.domain.com, then provide the following value for TrustedHosts, including the quotes:
'10.1.1.10,psproxy01.domain.com,psproxy.domain.com'
Step 5: Install Software Management Components
This procedure installs the following software components on a new PowerShell Proxy server:
Before you start
The Install-Module command used in Step 2: Install Microsoft Teams PowerShell Module and Step 3: Install Microsoft ExchangeOnlineManagement Module downloads the specified PowerShell module from the PowerShell Gallery (an online repository).
Since the PowerShell Gallery has deprecated the use of TLS versions earlier than TLS 1.2, you will need to force Windows PowerShell to use TLS 1.2, which will allow the Install-Module command to work correctly. TLS 1.2 is the default in Windows Server 2019 and later. If you're using an earlier release of Windows Server, use the following command to force PowerShell to use TLS 1.2:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
The command is relevant only for the current PowerShell session (its effect persists only until you close the PowerShell window and end the session). Errors such as the following when using the Install-Module command are likely the result of a TLS version mismatch: "Unable to resolve package source", "No match was found…"
Browse to https://dotnet.microsoft.com.
Navigate to the download for .NET Framework 4.8 Runtime, or do an Internet search for ".NET Framework 4.8 download".
Note
Ensure you only download from a URL ending in "microsoft.com". The authenticity of software downloaded from third-party websites cannot be guaranteed.
Download and run the .NET Framework 4.8 Runtime installer.
Note
Once the installation completes, you may need to reboot the server.
To upgrade any PowerShell proxies that have already been deployed, perform these steps:
Starting with VOSS Automate version 21.3-PB1, the required MS Teams PowerShell module v4.3.0. If you're upgrading existing PowerShell proxy servers, perform the following steps (on each PowerShell proxy server) to use the supported version of the MS Teams module (v4.3.0).
Exit any existing PowerShell and PowerShell ISE windows.
From an elevated (run as Administrator) PowerShell window:
Stop-Service WinRM Uninstall-Module MicrosoftTeams Install-Module MicrosoftTeams -RequiredVersion 4.3.0 -AllowClobber Start-Service WinRM
Verify
Get-Module -ListAvailable -Name MicrosoftTeams
The output should show version 4.3.0
$cred = Get-Credential
Enter MS Teams tenant admin credentials in the pop-up.
Connect-MicrosoftTeams -Credential $cred Get-CsOnlineUser -ResultSize 1
The output should display the details for one random user.
To install MS Teams PowerShell module on a new PowerShell proxy, perform this step:
From an elevated PowerShell session issue the following command:
Install-Module MicrosoftTeams -RequiredVersion 4.3.0
From an elevated PowerShell session issue the following command:
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.5
Note
Check with VOSS in case a newer version of the ExchangeOnlineManagement module is recommended.
Step 6: Test the Tenant Connection
This procedure tests the connection to Microsoft Teams from a non-privileged PowerShell session.
Perform these steps:
From a PowerShell session, configure a test session for an outbound Internet proxy (if your PowerShell Proxy server is behind an outbound Internet proxy that requires authentication):
$w = New-Object System.Net.WebClient $w.Proxy.Credentials = (Get-Credential) (when prompted, enter your outbound proxy credentials)
Note
The credentials you enter above persist only for the duration of this PowerShell session, and are deleted when you exit the PowerShell session.
See the caveat regarding proxy authentication, at: Deployment Topology Options
Issue the following command to test the connection to Microsoft Teams and to perform a test query:
Connect-MicrosoftTeams -Credential (Get-Credential) Get-CsOnlineUser -ResultSize 1 | Select DisplayName
When prompted, enter your Teams service account credentials.
Note
Perform step 1 first if your PowerShell Proxy is behind an outbound Internet proxy that requires authentication.
Verify that you have successfully connected to the tenant and retrieved one random user.
In this section we will provision the connections from VOSS Automate to the PowerShell Proxy, and from the PowerShell Proxy and your tenant. We will also provision the Graph API connection between VOSS Automate and the tenant.
Sign into VOSS Automate as a Provider Administrator (the only role that, by default, has the ability to create Tenant connections).
Go to (default menus) Apps Management > Microsoft Tenant.
Click the Add icon and select the hierarchy level where you wish to add the tenant. This will typically be at the customer level.
Enter a name and a description for this tenant.
Next steps: Provision the PowerShell Proxy connection parameters.
Provision the PowerShell Proxy Connection Parameters
On the Microsoft Tenant page, locate the Microsoft Teams Powershell fields.
In the Host field enter the FQDN or IP address of a single-node PowerShell Proxy, or the FQDN corresponding to your load balancer's virtual IP address.
Note
Refer to the notes regarding the local hosts file and the TrustedHosts WinRM configuration in the VOSS Automate PowerShell Proxy Configuration section above.
In the Username and Password fields enter the credentials for the local service account you created on the PowerShell Proxy.
Next steps: Provision the outbound internet proxy configuration.
On the Microsoft Tenant page, locate the Microsoft Teams HTTP Proxy fields.
If there is no outbound Internet proxy deployed between the PowerShell Proxy and the public Internet, leave both checkboxes unchecked, and the Username and Password fields blank. Continue with the next step.
If there is an outbound Internet Proxy deployed between the PowerShell Proxy and the public Internet, select the Use HTTP Proxy checkbox.
If the outbound Internet proxy requires authentication, select the Use HTTP Proxy Authentication checkbox, and enter the proxy authentication credentials in the Username and Password fields.
Note
You will have already provisioned the outbound Internet proxy's IP address (or FQDN) and port number when you set up the PowerShell Proxy. Refer to the VOSS Automate PowerShell Proxy Configuration section above. Also please note the caveat regarding proxy authentication in the Deployment Topology Options section above.
Next steps
Provision the Microsoft Teams Tenant Service Account Credentials
On the Microsoft Tenant page, locate the Microsoft Teams fields.
In the Admin Username and Admin Password fields, enter the credentials for the Microsoft Teams tenant service account.
You created this account earlier. See Create Service Account for Microsoft Teams Management via PowerShell.
Next Steps
Provision the Azure Active Directory Application Registration Parameters
In the Azure Active Directory Tenant Setup for VOSS Automate Application Registration section above you registered your VOSS Automate application. You should have captured the "Secret" value at that time.
If you did not capture your Client ID and Tenant ID, you can do so at any time from the Azure AD portal.
In this section, you will need to:
Next steps: Add Microsoft 365 details to the Microsoft tenant.
Now fill out the Microsoft 365 details on the Microsoft Tenant page:
Next Steps
Provision the Exchange Online Application Certificate Thumbprint
At this step you'll add the certificate authentication thumbprint generated on the Azure portal for Microsoft Exchange. You would have installed this certificate on the PowerShell proxy server and configured it in the application registration.
Note
The certificate thumbprint is the encrypted password required for an authenticated connection to the Microsoft Cloud Exchange portal. Connecting to Microsoft Exchange is required to sync in the Microsoft Exchange objects (mailboxes, shared mailboxes, rooms, and distribution lists).
To add the certificate thumbprint for Exchange to the Microsoft tenant:
Log in to VOSS Automate.
Go to Apps Management > Microsoft Tenant.
Locate the Microsoft Exchange fields.
Are you using VOSS Automate to manage Exchange Online?
No. Clear the Enable Microsoft Exchange checkbox. Go to step 5.
Yes.
Select Enable Microsoft Exchange.
In the Certificate Thumbprint field, paste the certificate thumbprint you obtained earlier.
Note
You obtained the certificate thumbprint when logged into the PowerShell proxy to register the VOSS Automate application with Azure Active Directory. See Azure Active Directory Tenant Setup for VOSS Automate Application Registration.
The certificate thumbprint was created on the proxy and uploaded to the Azure portal. When generating PowerShell scripts to manage Microsoft Exchange Online, VOSS Automate includes this thumbprint so that the PowerShell proxy can use the corresponding certificate to authenticate with Microsoft Exchange Online.
Click Save.
Next Steps
Test your Microsoft tenant connections. See Test Tenant Connection
Perform a sync from the Microsoft tenant to import Microsoft users, tenant dial plan, licenses, and policies to the customer level.
For Microsoft Exchange, ensure that instances for all 4 device models (User mailboxes, Shared Mailboxes, Room Mailboxes, and Distribution Mailboxes) are synced in at the level were the tenant exists.
Configure the customer-wide site defaults doc (SDD), CUSTOMER_TEMPLATE. See Site Defaults Doc Templates.
Add network device lists (NDLs) with Microsoft 365 and Microsoft Teams tenant details. NDLs are required when adding sites. See Configure a Network Device List.
Create sites.
Run the overbuild. See: Overbuild for Microsoft.
Go to VOSS Automate Configuration and Sync
Test Tenant Connection
Verify that VOSS Automate can connect to the Microsoft Teams tenant using PowerShell, and to Azure Active Directory using the Microsoft Graph API.
Related Topics
Microsoft Overview in the Core Feature Guide
This relation implements the workflows to manage Microsoft Tenant connection parameters and enabled services.
Title | Description | Details | |||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Tenant | Group Assigned by FDP |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Name * | Microsoft Tenant user defined name can have a max length of 255 charactors within the following regex pattern - ^[a-zA-Z0-9-_ ]+$ |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Description | Microsoft Tenant user defined description can have a max length of 255 charactors. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Microsoft Application Authentication | Group Assigned by FDP |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Client ID * | The Client ID or Application ID located in the Azure AD app registration portal. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Tenant ID * | The Tenant ID or Directory ID located in the Azure AD app registration portal. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Certificate | A locally stored certificate the public portion of which has been previously uploaded in the Azure AD app registration portal. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Certificate Thumbprint | Certificate Thumbprint for a certificate which has been previously uploaded in the Azure AD app registration portal. Required for Exchange. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Secret | A Client secret previously created in the Azure AD app registration portal. Not used for Exchange. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Powershell Server Authentication | Group Assigned by FDP |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Host * | Windows powershell host, serves as an intermediary between VOSS and Microsoft Teams, can be an IP address or a host name up to 255 charactors. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Username * | Windows powershell host service account. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Password * | Windows powershell host password of the above service account. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Microsoft Teams Admin Account | Group Assigned by FDP |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Admin Username | Username of an admin account used by VOSS to access Microsoft Teams. Required to use device models which do not support application authentication. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Admin Password | Admin password of the above account. Required to use device models which do not support application authentication. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Resource Account Basic Authentication | Enable basic authentication for resource accounts |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Powershell Server HTTP Proxy | Group Assigned by FDP |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Use HTTP Proxy | Use Proxy is for when there is an internet proxy set up between the powershell server and the internet. Setting it to true will make the powershell script make use of it properly so that it can get to the MS cloud. There is another setting use_proxy_auth which comes into play only if use_proxy is true which will do additional configuration when the internet proxy requires auth Default: false |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Use HTTP Proxy Authentication | The proxy server through which the powershell server connects to the cloud requires credentials. Default: false |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Username | Username for the proxy server through which the powershell host connects to the cloud. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Password | Password for the proxy server through which the powershell host connects to the cloud. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Microsoft 365 | Group Assigned by FDP |
|
|||||||||||||||||||||||||||||||||||||||||||||||
MS 365 proxy | Define the HTTP Proxy String as follows: https://user:password@server/ E.g. https://myuser:[email protected]:3128/ NOTE: Special characters in either the user or password sections must be URL Encoded |
|
|||||||||||||||||||||||||||||||||||||||||||||||
MS 365 secure proxy | Define the HTTP Proxy String as follows: https://user:password@server/ E.g. https://myuser:[email protected]:3128/ NOTE: Special characters in either the user or password sections must be URL Encoded |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Max page size for MsolUser | Controls the number of records retrieved at a time from the device/msgraph/MSOLUser related API. Leaving it blank uses a default of 999 for optimal performance. Only modify this value if you encounter sync errors (e.g., 'Template output exceeded memory limit'), where you can specify a smaller value to resolve the issue. Note that reducing the value may affect sync performance, so use the largest value that doesn't cause errors. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Max page size for Groups | Governs the number of records fetched at once from the device/msgraph/Group related APIs. When left empty, it defaults to 999 for efficient performance. Adjust this value only if you encounter synchronization errors, like ('Template output exceeded memory limit.'). You can specify a smaller value to resolve errors, but be aware that reducing the value may impact sync performance, so use the largest suitable page size. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Microsoft Exchange | Group Assigned by FDP |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Enable Microsoft Exchange | Enable Microsoft Exchange. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
Admin Domain | Microsoft Exchange admin domain used to authenticate. |
|