Service Provisioning and Deprovisioning Details
Applies to: Office 365
Topic Last Modified: 2014-01-07
The ability of Microsoft Managed Solutions Service Provisioning Provider (MMSSPP) to provision and deprovision objects is described in the following sections.
MMSSPP provisions the following object types from your Customer Forest:
User objects that reside in a source OU of your Customer Forest are provisioned as logon-disabled user objects in the Microsoft Managed Forest. MMSSPP does not provision an identity-only object. The user object must include a mail address in order for the synchronization to occur.
Contact objects that are created in your Customer Forest are provisioned as contact objects in the Managed Forest.
Distribution groups that are created in your Customer Forest are provisioned as distribution groups in the Managed Forest. Your organization is responsible for managing membership in these groups.
Mail-enabled security groups that are created in your Customer Forest (groups with a mail attribute value) are provisioned as security groups in the Managed Forest. Your organization is responsible for managing membership in these groups.
In addition, MMSSPP ensures that all objects that qualify as mail-enabled objects are included in the online address book.
MMSSPP provisions Exchange Online and Lync Online services. It does not synchronize objects or attributes specific to SharePoint Online services. MMSSPP is not required if your organization subscribes only to SharePoint Online.
MMSSPP has the ability to provision services based on a set of conditions such as the presence of the mail attribute or a single explicit rule (for example,
MMSSPP automates provisioning and deprovisioning actions for the following:
User mailboxes. MMSSPP has the ability to automatically provision mailboxes for new users and for resources such as conference rooms. The following rules for automatic provisioning are applied:
Default Provisioning Rule. If specific conditions are true, MMSSPP will provision the mailbox.
Explicit Provisioning Rule. If a specific attribute has a specific value, only then will MMSSPP provision a mailbox (for example,
New-Hire Mailbox Provisioning Rule. This rule is only enabled after all of your on-premises mailboxes are migrated. Once enabled, creating an on-premises mail-enabled user with mail value equal to a proxy having an SMTP domain in the inclusion list will result in MMSSPP provisioning a managed mailbox.
Lync Online users. MMSSPP and the Lync Online auto-provisioning service operate in concert to offer automated per-user provisioning of Lync Online feature entitlements.
Note: The Office 365 Dedicated & ITAR-support Plans Provisioning Handbook describes scenarios for provisioning all object and service entitlements. The handbook is available on the Customer Extranet site for Lync Online Dedicated & ITAR-support plan customers.
MMSSPP deprovisions identity objects if the deprovisioning criteria set during the deployment are met. For compliance management reasons, MMSSPP will also block deprovisioning for user accounts placed on litigation hold.
Moving Objects Out of Scope
If you move an identity object out of scope of MMSSPP synchronization, the object will be deprovisioned and all services (if any) will be disconnected. The mailbox object can be reconnected within the default retention period of 30 days. The Lync Online IM profile cannot be reconnected unless the automatic service reconnection (ASR) feature is utilized within the pending deletion threshold for your organization. This threshold is established by your organization and the default is one day. These same principles apply if you delete an identity object. If a logon action disables a user object, there is no effect on the object in the Microsoft Managed Forest.
Explicit Deprovisioning Rules
If you want to remove service entitlements but not delete the identity object completely, you should consult the deprovisioning rules selected for each service at the time of deployment and set the appropriate Exchange Online mailbox type information or Lync Online provisioning attribute values. Setting the mailbox deprovisioning value (for example, extensionAttribute1=removeMSOmailbox) will deprovision the managed mailbox.
Litigation Hold Deprovisioning Block
When Litigation Hold is enabled on an Exchange Online mailbox, MMSSPP will not delete the managed object or the Exchange Online mailbox associated with the object. The deletion block applies following your action to delete the on-premises user object, move the on-premises user object out of scope, or set the mailbox deprovisioning string. For all cases, MMSSPP will issue a synchronization error.
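One way to check a batch of planned on-premises changes against the deprovisioning rules described above, before the changes synchronize. This is an added example, not Microsoft's code or MMSSPP's implementation; the PlannedChange record, the outcome labels and the exact-match attribute comparison are assumptions, and the attribute/value pair is the page's own example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Page's example pair; the real attribute and value are chosen at deployment.
DEPROV_ATTR, DEPROV_VALUE = "extensionAttribute1", "removeMSOmailbox"
MAILBOX_RETENTION = timedelta(days=30)     # default mailbox retention period
LYNC_PENDING_DELETION = timedelta(days=1)  # default; set by each organization

@dataclass
class PlannedChange:                       # hypothetical record, one per user
    user: str
    in_scope_after: bool = True            # still in a synchronized source OU?
    deleted: bool = False                  # on-premises object deleted?
    litigation_hold: bool = False          # hold enabled on the online mailbox?
    attrs: dict = field(default_factory=dict)

def assess(change, when):
    """Outcome the page describes for one planned on-premises change."""
    removes_object = change.deleted or not change.in_scope_after
    removes_mailbox = change.attrs.get(DEPROV_ATTR) == DEPROV_VALUE
    if not (removes_object or removes_mailbox):
        return {"user": change.user, "outcome": "unchanged"}
    if change.litigation_hold:
        # Deletion block: object and mailbox stay, a synchronization error is raised.
        return {"user": change.user, "outcome": "blocked-sync-error"}
    if not removes_object:
        return {"user": change.user, "outcome": "mailbox-deprovisioned"}
    return {"user": change.user, "outcome": "object-deprovisioned",
            "mailbox_reconnect_by": when + MAILBOX_RETENTION,
            "lync_asr_by": when + LYNC_PENDING_DELETION}

# Constructed sample batch (not real accounts).
SAMPLE = [
    PlannedChange("alice", in_scope_after=False),
    PlannedChange("bob", deleted=True, litigation_hold=True),
    PlannedChange("carol", attrs={DEPROV_ATTR: DEPROV_VALUE}),
    PlannedChange("dave", attrs={DEPROV_ATTR: "keep"}),
]

def audit(changes, when):
    """Assess every planned change as of the given date."""
    return [assess(c, when) for c in changes]

if __name__ == "__main__":
    for row in audit(SAMPLE, date(2014, 1, 7)):
        print(row)
```

Rows with the outcome blocked-sync-error are the ones to resolve with the compliance owner before the change, since the page states that the hold prevents deletion in all three cases.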
MMSSPP supports automatic service reconnection (ASR). This feature enables the reconnection of Office 365 users to their provisioned services, the reconnection of contact or group objects, or the reconnection of Office 365 services to a new object following the creation of the new object within your on-premises environment (for example, when a logon account is moved from one Customer Forest to another). With minimal preliminary work, you can automatically reconnect a user to their Exchange Online mailbox, BlackBerry services, SharePoint Online sites, Lync Online profile, or other provisioned service after the user is moved to another forest.
The automatic service reconnection capability is useful in scenarios where you are performing large forest consolidations or when you must move all your users to a new forest. The reconnection feature is applicable to any typical cross-forest move scenario. If the mailbox of a user object is on litigation hold prior to the move of the object to another domain, litigation hold settings will be re-established when the reconnection action is executed.