VMware Workspace ONE Access – Dynamically Assign Usage Location for Office 365 User Provisioning
In my previous post VMware Workspace ONE Access – Provision Users to Office 365 with License, I described what is necessary, the Usage Location, to automatically and successfully assign an Office 365 license when provisioning users from Workspace ONE Access to Office 365.
This blog post describes the dynamic assignment and usage of the Usage Location between Active Directory, Workspace ONE Access and Office 365.
Based on my previous post around provisioning users to Office 365 with a license from Workspace ONE Access, I was having a conversation with my respected colleague Jesper Alberts about how wonderful it would be to have the Usage Location be dynamically assigned. So, instead of hard coding the Usage Location in the configuration of the Office365 with Provisioning web app, it would be nice to use a variable that points to a user account property that represents the Usage Location, especially in large global enterprises where users may need different Usage Locations.
Well, keep reading to accomplish just that :-).
My Account Creation Flow
Now, before I start, I think it is important to mention what my setup looks like from an account creation perspective. I also have to mention that this in an uncommon one, because most organizations have the Azure AD Connect sync in place. In my setup this isn’t the case. My account creation flow is as follows.
I create my user accounts in Active Directory. These accounts are created/synced to Workspace ONE Access using the Workspace ONE Access Connector. Using the Office365 with Provisioning web app, the user accounts within Workspace ONE Access are provisioned to Office 365.
Choosing the AD User Account Attribute for Usage Location
In Active Directory, I have chosen to use the Country/region user account attribute, because this automatically translates to the ISO 3166-1 alpha-2 two-letter country code standard, which is required for the Usage Location value. For instance, United States translates to US, and (The) Netherlands translates to NL, etc..
Configuring the Country Attribute in Workspace ONE Access
Now that we have decided which attribute to use in Active Directory, we need to make sure that the value for this attribute is synced to Workspace ONE Access for every user. For this we need to login to the Workspace ONE Access Console.
From there, click Identity & Access Management, and click Setup.
Click User Attributes.
Scroll down to the bottom of the page and add a new attribute with the name country and click Save.
Click Manage, and click the Directory for which you want to sync the attribute.
Click Sync Settings.
Click Mapped Attributes.
Make sure the country attribute is mapped to the c attribute, which is the country attribute from Active Directory, and click Save.
Adjust the Office365 with Provisioning Web App
The last step required is configuring the Office365 with Provisioning web app to make sure it uses the country attribute variable.
Open the Catalog tab and click Web Apps.
Select Office365 with Provisioning and click Edit.
Click User Provisioning and click Add Mapping.
For Attribute Name select Usage Location. For Value type ${user.country}. Save all settings for the web app.
During provisioning, the users that are created in Office 365 now automatically get their Usage Location configured, based on the country attribute value in Active Directory (AD –> WS1Access –> Office 365). An Office 365 license will automatically be assigned when enabled within the Office365 with Provisioning web app.
I hope this has been informative. If you have any questions or comments, please reach out on Twitter or LinkedIn.