SUNY Strategic Identity Initiative (SSII) Policy


Purpose

The purpose of this policy is to define the guidelines for the initialization and usage of the SUNY Strategic Identity Initiative (SSII) used for university-wide synchronization of user identities amongst Microsoft Tenants. These synced identities are used for enabling access to various SUNY university-wide collaborative applications such as SUNYBlue or Microsoft Teams and to provide a uniform listing of individuals for use in campus e-mail address books.

Scope

This document applies to all SUNY campuses. Every campus is required to keep its enrollment active and to synchronize its user listing correctly to the SUNY SSII Microsoft tenant (the upload). Downloading listings from the SSII tenant is at the discretion of the individual campus.

Enrollment and Setup

Campuses will first need to complete synchronization from their local directory service (e.g. Active Directory) to Entra ID in the campus’s own Azure tenant. Please see Appendix A for reference links to instructions on connecting common directory services to Azure Entra ID.

Please refer to Appendix B of this document for instructions on setting up the integration with the university-wide SSII tenant using the Cloud Connect platform and application registrations in your campus's Azure tenant.

The initial configuration and ongoing maintenance of the synchronization to the SSII tenant will require one or more individuals who have the access and permission to complete the following actions in your campus's Azure tenant:

  • View and create Enterprise and Application registrations.
  • Apply security permissions to Enterprise and Application registrations.
  • Create and delete client access secrets for the Enterprise and Application registrations.
  • (recommended) Ability to view and edit Entra ID identities.

Accounts for Synchronization

The following accounts are required to be synchronized to the SSII tenant:

  • All Staff
  • All Faculty

The following accounts must NOT be synchronized to the SSII tenant:

  • Students.
  • Guest accounts.
  • Service and resource accounts (e.g., utility accounts, shared mailboxes, conference rooms).
  • Duplicative user accounts (e.g., secondary administrative or special-access accounts for existing faculty or staff).
  • Disabled accounts.

Required Identifiers

The following account properties are required to be included with the synchronization process:

  • E-mail Address.
  • Company/Campus name.
  • Given Name (First Name).
  • Surname (Last Name).
  • Display Name.
    • Note: this attribute applies only when downloading from the SSII tenant to your campus tenant. It should not be uploaded to the SSII tenant.
  • (recommended) SUNY Global ID.

All other account properties are optional.
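As an added illustration (not part of this policy or of any SUNY tooling), the following Python script applies the account rules and required-identifier list above to a constructed directory export, producing an upload payload that omits Display Name and a report of why each rejected account was held back. The attribute names accountType, primaryAccount and sunyGlobalId are assumptions standing in for whatever a campus directory actually uses.

```python
# Added example (not SSII code): apply the policy's include/exclude rules and
# required-attribute checks to a constructed directory export before upload.
# Attribute names (accountType, primaryAccount, sunyGlobalId) are assumptions.

REQUIRED = ("mail", "companyName", "givenName", "surname")
UPLOAD_ATTRS = REQUIRED + ("sunyGlobalId",)  # displayName is deliberately never uploaded
ELIGIBLE_TYPES = {"staff", "faculty"}
EXCLUDED_TYPES = {"student", "guest", "service", "resource", "sharedMailbox", "room"}


def rejection_reasons(acct: dict) -> list[str]:
    """Return the policy reasons this account must NOT be synced (empty list = eligible)."""
    reasons = []
    if not acct.get("accountEnabled", False):
        reasons.append("disabled account")
    acct_type = acct.get("accountType")
    if acct_type in EXCLUDED_TYPES:
        reasons.append(f"excluded account type: {acct_type}")
    elif acct_type not in ELIGIBLE_TYPES:
        reasons.append(f"not staff or faculty: {acct_type}")
    if acct.get("primaryAccount"):  # secondary admin/special-access account of a real person
        reasons.append("duplicative account")
    reasons += [f"missing required attribute: {a}" for a in REQUIRED if not acct.get(a)]
    return reasons


def build_upload(accounts: list[dict]) -> tuple[list[dict], dict[str, list[str]]]:
    """Split an export into the upload payload and a per-UPN rejection report."""
    upload, rejected = [], {}
    for acct in accounts:
        reasons = rejection_reasons(acct)
        if reasons:
            rejected[acct["userPrincipalName"]] = reasons
        else:  # project only the permitted attributes; displayName is dropped here
            upload.append({k: acct[k] for k in UPLOAD_ATTRS if acct.get(k)})
    return upload, rejected


# Constructed sample export (not real accounts).
SAMPLE = [
    {"userPrincipalName": "jdoe@campus.example", "accountType": "staff", "accountEnabled": True,
     "mail": "jdoe@campus.example", "companyName": "SUNY Example", "givenName": "Jane",
     "surname": "Doe", "displayName": "Doe, Jane", "sunyGlobalId": "G000001"},
    {"userPrincipalName": "jdoe-admin@campus.example", "accountType": "staff", "accountEnabled": True,
     "mail": "jdoe-admin@campus.example", "companyName": "SUNY Example", "givenName": "Jane",
     "surname": "Doe", "primaryAccount": "jdoe@campus.example"},
    {"userPrincipalName": "room101@campus.example", "accountType": "room", "accountEnabled": True,
     "mail": "room101@campus.example", "companyName": "SUNY Example"},
    {"userPrincipalName": "afac@campus.example", "accountType": "faculty", "accountEnabled": False,
     "mail": "afac@campus.example", "companyName": "SUNY Example", "givenName": "Al", "surname": "Fac"},
    {"userPrincipalName": "bfac@campus.example", "accountType": "faculty", "accountEnabled": True,
     "mail": "bfac@campus.example", "givenName": "Bo", "surname": "Fac", "displayName": "Fac, Bo"},
]

if __name__ == "__main__":
    print(build_upload(SAMPLE))
```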

Recommendations

  • Use an attribute in the campus's local account directory that identifies whether an account is to be synchronized to the SSII tenant.
  • Use groups in the campus's local account directory to define which accounts are included in the synchronization.

Monitoring and Compliance

The following actions should be scheduled to occur at least every three months:

  • Verification that synchronization is occurring from the local account directory to Entra ID in the campus tenant.
  • Verification that synchronization from the campus Entra ID in the Azure tenant to the university-wide tenant is occurring via the Cloud Connect platform.
  • Verification that the client secrets for all Enterprise or Application registrations are current and that any expired client secrets have been removed.

Campus Administrator Listing

Each campus is required to designate at minimum a primary and a secondary individual responsible for maintenance of the SSII process. At least one of these two individuals must hold the permission levels in the campus Azure tenant listed above.

This listing should be reviewed and verified annually.

The initial listing and any changes should be sent via e-mail to SSIISupport@suny.edu.

Support Information

All support or information requests should be sent to the SSII support group e-mail, SSIISupport@suny.edu.

This guidance can also be found on the System Administration OIT support platform knowledgebase.