|
|
| Technical Rating: |  |
| | | |
| |
|
| Published Date : 04 Mar 2014
Last Updated : 10 Apr 2024
Content Ref: NWS3442877
|
|
RM Cloud Service Delivery can assist you with your Microsoft® 365™ federation. For further information, please speak to your Sales representative on 01235 645 316 or email getintouch@rm.com, quoting this article. |
This document gives answers to some of the common questions asked regarding the process of federating your Microsoft 365™ domain to RM Unify and also the provisioning of your Microsoft 365 accounts.
Note: If you have purchased RM Unify with the Microsoft 365 connector, RM can only provide support for the process of federating your Microsoft 365 domain and also support for the initial provisioning of your user accounts from RM Unify into Microsoft 365. Additional support for the administration and management of Microsoft 365 (Exchange Online, SharePoint® Online, Teams, OneDrive®, additional licensing, tenancy management etc.) can be purchased separately. For more information on Microsoft 365 support services, please visit this link. |
What does federating mean?
|
| When we talk about federating Microsoft 365 to RM Unify, we are talking about allowing RM Unify the permission to provision and manage user accounts in Microsoft 365. From your local Active Directory (AD), user accounts will be provisioned into RM Unify via AD Sync and then on to Microsoft 365. Changes made to the AD account will be synchronised to RM Unify and then passed onwards to Microsoft 365 because of the federation. Where you have chosen MIS Sync in Create mode, accounts will be provisioned when added to your school's MIS, and de-provisioned when removed. |
| In the context of Microsoft 365, a tenancy is the name given to the Microsoft 365 site (sometimes called the 'service domain') which may contain a single domain or multiple domains. Any number of the domains in the tenancy can be federated or unfederated. For example, you could create the tenancy buttercup.onmicrosoft.com which contains the domains buttercupinfants.sch.uk and buttercupjunior.sch.uk. |
Can I also use Azure AD Connect with RM Unify?
|
When a Microsoft 365 domain is federated to RM Unify, as well as the authentication of your users, the control of the user and group objects in Microsoft Azure AD is handed to RM Unify. RM Unify becomes (and can only be) the sole identity provider and manager of those objects.
Therefore, the installation of Azure AD Connect and the linking of it to an RM Unify federated Microsoft 365 domain is not supported. |
What are the Microsoft system requirements for Microsoft 365?
|
The statement from Microsoft is:
"For the best experience using Microsoft 365, we recommend that you always use the latest browsers, Office clients and apps. We also recommend that you install software updates when they become available."
More information can be found here. |
Will allocating the Microsoft 365 Mail tile restrict my users to email only?
|
| No. The RM Unify tiles for Microsoft 365 allow the administrator to provide direct links to the main elements of Microsoft 365: Mail, Calendar, People, OneDrive, Office Download, and School Site. Accessing Microsoft 365 via any one of these tiles will not prevent the user from traversing the Microsoft 365 site in its entirety. |
Which attributes are passed to the Microsoft 365 account?
|
The following RM Unify attributes are passed to a user's Microsoft 365 account:
| RM Unify attribute |
Destination Microsoft 365 attribute |
| First name |
First name |
| Last name |
Last name |
| Display name |
Display name |
| Identity GUID |
ImmutableID |
| Email address |
User name (User Principal Name) |
| RM Unify scope name and DfE code |
Department e.g. UnifySchool (0000000) |
| School DfE code |
Street address e.g. 0000000 |
| User role |
Title (Job Profile) e.g. Student |
| Year of entry |
Office |
|
Do passwords synchronise between RM Unify and Microsoft 365?
|
No, there is no passing, or synchronising, of passwords between RM Unify and Microsoft 365 because this is not needed with federation.
When Microsoft 365 is federated to RM Unify, it is RM Unify which authenticates your login and passes an authentication token to Microsoft 365 in order to allow access to your account (this is single sign-on, or SSO). Microsoft 365 itself does not know, and does not need to know, your password.
When configuring a mail client with your Microsoft 365 credentials, you enter your Microsoft 365 email address and your RM Unify password. Again, it is RM Unify which authenticates your login and passes a token to Microsoft 365 in order to allow your mail client access to your Microsoft 365 mailbox.
Although an administrator may be able to reset the password of a federated user using the Microsoft 365 Admin Centre, the user's password held by RM Unify takes precedence. The user will not be able to authenticate to Microsoft 365 services unless they use their RM Unify password.
Additionally, a federated user will not be able to change their own password from within Microsoft 365 and instead they will see the following message: "Your organisation doesn't allow you to change your password on this site. Please change your password according to the method recommended by your organisation". |
How do I change an RM Unify/Microsoft 365 username?
|
For a school using RM Unify AD Sync, the user's username in RM Unify is synchronised from the local AD. So, when the username is changed in the local AD, this will flow through RM Unify and update the username there. It will also update the Unify user's linked Microsoft 365 account assuming no over-ride has been put in place. For manually created, or MIS-provisioned RM Unify accounts, the RM Unify admin can rename accounts within the Management Console.
Note: Microsoft 365 retains the old email address as an alias so that the user will continue to receive email sent to the old address as well. |
What happens when the RM Unify user is deleted?
|
Users store important resources in shared spaces in Microsoft 365 and an administrator may wish to re-distribute or move these resources instead of losing them. With this in mind, when an RM Unify account is deleted the Microsoft 365 will initially be unlicensed, not actually deleted. Whilst in this state the account is inaccessible, with the mailbox/OneDrive content being deleted by standard Microsoft 365 processes after 30 days (any content added by the user to the domain's SharePoint site will remain). The account itself can be manually deleted from the Microsoft 365 Admin Centre after the 30-day expiry if desired.
Where the RM Unify account has remained deleted for more than nine months, it will be permanently deleted by an automated RM Unify housekeeping process, and this will also delete the linked Microsoft 365 account. More information on this GDPR led process here. |
What happens when the RM Unify account is disabled?
|
| When an RM Unify account is disabled (for example, it is disabled on the network, or is removed from the AD group used by RM Unify AD Sync), then the Microsoft 365 account can no longer be accessed via a browser login to RM Unify. However, access to a Microsoft 365 account via desktop Outlook, or via a mobile device or app, which has previously been granted access via a security (refresh and access) token, could continue for a period after the disabling of the RM Unify account depending on how your Microsoft 365 tenancy is configured. Microsoft provide advice on how to configure the access token lifetime, the maximum period of refresh token inactivity before revocation and how to actively revoke tokens, in this Azure AD tech article - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes. As a Microsoft 365 administrator, removing all licences from the Microsoft 365 account will prevent access to the account and will delete all data (mailbox, OneDrive etc.) in 30 days. |
How do I identify unlicensed users in Microsoft 365?
|
| By logging on to the Microsoft 365 admin centre as a global administrator, you can filter your users using the 'Unlicensed users' option from the drop-down menu (see image below). |
Can I manually license users directly in Microsoft 365?
|
A Microsoft 365 administrator with the appropriate rights can manually assign and remove licences to RM Unify provisioned accounts, by using the 'Microsoft 365 admin center'. RM Unify will continue to ensure that live/active RM Unify users have licensed Microsoft 365 accounts but will not change any existing licence assignments; RM Unify simply checks for the presence of 'any' valid Student or Faculty licence.
Additionally, it is possible for an RM Unify admin to opt out of RM Unify licensing for Microsoft 365. Please see TEC7711832 in the Other Useful Articles section below.
Please note, however, that according to the Microsoft Qualified Educational User Definition (EMEA), only matriculated (i.e. enrolled) students and employed staff are eligible for the free (unlimited) educational licences:
"The following are eligible to acquire Microsoft Academic Edition (AE) products in the programs indicated and are defined as qualified educational users. Microsoft reserves the right to review the status of any customer or proposed customer as a qualified educational user." "Students Full and Part Time Matriculated Students of an Educational Institution as defined in section A(i) and Full Time Matriculated Students of an Education Institution as defined in section A(ii)." "Faculty and Staff Full and Part Time Faculty and Staff of an Educational Institution as defined in Section A(i) above."
In short, only staff and students working at or attending the school are entitled to a free Microsoft 365 educational licence. |
How do I configure my mobile device to access Microsoft 365?
|
| Microsoft have provided instructions for configuring; Android, iPhone/iPad, Chromebook, Surface Pro and other Windows devices in this article. |
How do I change the time zone in the Outlook Web App?
|
- Log on to RM Unify and click the Mail tile on your Launch Pad.
- Once the Outlook Web App has opened, click on your name (top right) and select My Account.
- Select the Setting option on the left, followed by 'Language and time zone'.
- Change the 'Current time zone' to the correct value.
- Click Save.
Alternatively, you can connect to Microsoft 365 Exchange Online via PowerShell to set the time zone in bulk using this article. |
How do I configure Outlook to connect to my Microsoft 365 email?
|
Page 19 of the 'Administrator's Guide - Microsoft 365 Outlook web app' contains the required instructions. For more information, refer to DWN3442166 in the Other Useful Articles section below.
If you are configuring Outlook clients to use Microsoft 365 accounts following the decommissioning of your local (on-premises) Exchange Server, please refer to TEC4201760 in the Other Useful Articles section below. |
How do I troubleshoot connectivity or performance issues with my Outlook client and Microsoft 365?
|
To assist you with troubleshooting any Outlook client connection, performance, or log in issues with Microsoft 365, Microsoft have the following support article
Also of use is the 'Microsoft Support and Recovery Assistant for Microsoft 365' tool, which can be downloaded here. |
Are there limitations on email size, number of recipients etc. in Microsoft 365?
|
Full details of the Exchange Online Limits of Microsoft 365 can be found in this article. Please also bear in mind:
- The limits applied to a Microsoft 365 organisation may differ depending on how long the organisation has been enrolled in the service. When a limit is changed in the Microsoft datacenters, it can take some time to apply the change to all existing customers.
- You can't modify most of these limits, but you and your users should be aware of them.
- These limits apply to both internal and external recipients.
|
Can I retain my onsite Exchange server after federating Microsoft 365 to RM Unify?
|
| This type of configuration is known as mixed hybrid mode and is currently not supported by RM. |
Can I configure Microsoft 365 to send emails from other software/hardware?
|
Yes, this is also known as SMTP submission, direct send, or SMTP relay. Microsoft provides three options in their article: How to set up a multifunction device or application to send email using Microsoft 365 or Office 365.
| Option |
Description |
| Option 1* |
Authenticate your device or application directly with a Microsoft 365 or Office 365 mailbox and send emails using SMTP AUTH client submission. |
| Option 2 |
Send emails directly from your printer or application to Microsoft 365 or Office 365 (direct send). |
| Option 3 |
Configure a connector to send emails using Microsoft 365 or Office 365 SMTP relay. |
*Please note: Option 1 (SMTP authentication) is blocked in the RM Unify datacentre for RM Unify customers and hence greyed out. See TEC9038776 in the Other Useful Articles section below for more detailed information. As such, only Option 2 or Option 3 are viable options for you on the domain federated to RM Unify.
Additionally, SMTP authentication is disabled by default for Microsoft 365 tenancies created after January 2020, affecting all domains in a tenancy. This can be enabled per-mailbox, but RM Unify will continue to block SMTP authentication on the federated domain. If your tenancy was created prior to January 2020, your Microsoft 365 global admin may have manually disabled SMTP authentication in your tenancy entirely, i.e. for all domains, whether federated to RM Unify or not. |
Can I use Google Workspace and Microsoft 365 at the same time with RM Unify?
|
Yes, Google Workspace and Microsoft 365 can both be federated to RM Unify, whether to separate domain names or the same domain name. If using the same domain, email should only be configured for use with one cloud service (Microsoft 365/Google Workspace) or the other, dependent on your MX record configuration.
For more information, please refer to the following articles in the Other Useful Articles section below:
- TEC4945314: Supported configurations when federating your RM Unify establishment to Google Workspace and Microsoft 365.
- TEC4904117: Unable to match existing Google Workspace accounts to RM Unify when Microsoft 365 is already installed.
|
Can I access Microsoft Teams via RM Unify?
|
Yes, using RM Unify MIS group sync, you can provision Microsoft 365 education classes based on your MIS groups. Admins and staff can then use these classes to create class teams in Microsoft Teams. Future changes in membership of your MIS group are synced to RM Unify and onward to the education class, so your class team membership will always remain up-to-date.
For advice and instructions, see TEC7627933 and TEC7296151 in the Other Useful Articles section below. |
What is Windows® PowerShell® for and how do I use it?
|
A Microsoft 365 administrator can complete most configuration and maintenance tasks from the 'Microsoft 365 admin center', available when they log on to Microsoft 365. More advanced tasks require the use of Windows Azure™ Active Directory module for Windows PowerShell.
This command line tool is installed to your local computer and allows you to make a secure, remote connection to your Microsoft 365 tenancy. For more information, please follow this link. |
One or more users cannot access Microsoft 365 - what basic diagnostics can I do?
|
- Ensure that the user can log on to RM Unify via a browser using their RM Unify username and their email address. This will prove their account has been fully created.
- If the user sees an error on the Launch Pad, it may be that Microsoft 365 has yet to provision the account - depending on the load on Microsoft's services, account provisioning can take anywhere between five to fifteen minutes, or longer.
- Does the Microsoft 365 account have the appropriate licences?
- Please search our Knowledge Library using your specific symptoms for more detailed diagnostic help.
|
|
|
If this article has not helped provide a solution then it is also possible to
log a call... |
| |
Document Keywords: faq, faqs, o365, federate, 365, unify, FAQ for Microsoft Office 365 when federated to RM Unify, deleted, hard delete, hard-delete, hard-deletes, hard deletes, teams, classes, edu classes, Google Workspace, NWS3442877, m365 |
|
|
Other Useful Articles
Top of page