Target Directory Configuration
About Target Directory
Target Directory is the user/group directory used for authentication when a user runs a search query.
- For example, if search UI expects an Active Directory user when logging in, then Active Directory must be configured.
- Related settings can be found on a separate tab of the configuration page.
- Currently three types of target directories are supported:
  - Active Directory
  - Azure Active Directory
  - Microsoft Search Target Directory (used when indexing with the Microsoft Search Target)
- You can also select None if you do not wish to use a target directory.
Configuring Active Directory
Select Active Directory from the drop-down list and configure the following settings:
- In the Active Directory Server field, enter the host name or IP address of the Active Directory server. Optionally, you can also append the port number if it differs from the default port (389).
- From the Authentication mode drop-down list, select your desired mode of authentication:
  - User Service Account: Enter the application pool or service account that is used to authenticate. This account was specified during your Connectivity Hub installation. This mode is supported only if that account is a domain account.
  - Specify User Account: Enter any user name and password that you want to use for authentication.
- In the Access Method drop-down list, select the access method for your Active Directory server(s):
  - LDAP: This is the default protocol that Connectivity Hub uses to communicate with Active Directory.
  - Global Catalog: If you are using multiple domain controllers, one of them can be designated a "global catalog server" that contains cached information from all other controllers. If one is configured, this option must be selected and that server must be used as the global catalog.
- In the Root Domain field, specify the domain within which Active Directory users and groups are discoverable to Connectivity Hub. For example, if the root domain is set to "department1.mydomain.com", then users and groups under "department2.mydomain.com" will be unknown to Connectivity Hub.
- In the Content Owner field, enter the fully qualified domain name and user name of a user that has permission to see every item in the search index. The value must be in the format mydomain.com\Administrator; the NetBIOS format MYDOMAIN\Administrator is not allowed.
- Click Save.
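The Active Directory settings above carry three rules that are easy to get wrong: the server value may or may not include a port (default 389), the Content Owner must use the fully qualified form mydomain.com\Administrator rather than MYDOMAIN\Administrator, and only principals under the Root Domain are discoverable. The following validator is an added example written for this page, not Connectivity Hub's own code: the function names, the settings dictionary keys and the error messages are assumptions, and the Global Catalog default port 3268 is a standard Active Directory port that the page itself does not state. It also treats the Content Owner as a user that must fall under the Root Domain, which follows from the page's statement that users outside that domain are unknown to Connectivity Hub.

```python
"""Validation helpers for the Active Directory target directory settings.

Added example, not Connectivity Hub's own code. Function names, settings
keys and messages are assumptions; the rules enforced are the ones the
documentation states (default port 389, FQDN\\user Content Owner format,
Root Domain scoping).
"""
import re

DEFAULT_LDAP_PORT = 389
# 3268 is the standard Global Catalog LDAP port; the page states only 389.
DEFAULT_GLOBAL_CATALOG_PORT = 3268

# host names and IPv4 literals, optionally followed by :port (no IPv6 literals)
SERVER_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")
# FQDN\user: the domain part must contain at least one dot, which rejects
# the NetBIOS form MYDOMAIN\Administrator
CONTENT_OWNER_RE = re.compile(
    r"^(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\\(?P<user>[^\\/\s]+)$"
)


def parse_server(server: str, access_method: str = "LDAP") -> tuple:
    """Split 'host' or 'host:port' into (host, port).

    The port defaults to 389 for LDAP and to the Global Catalog port 3268
    when the Global Catalog access method is selected.
    """
    m = SERVER_RE.match(server.strip())
    if not m:
        raise ValueError(f"invalid Active Directory Server value: {server!r}")
    if m.group("port"):
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    else:
        port = (DEFAULT_GLOBAL_CATALOG_PORT if access_method == "Global Catalog"
                else DEFAULT_LDAP_PORT)
    return m.group("host"), port


def parse_content_owner(value: str) -> tuple:
    """Return (domain, user) for 'mydomain.com\\Administrator'.

    Raises ValueError for the disallowed NetBIOS form 'MYDOMAIN\\Administrator'.
    """
    m = CONTENT_OWNER_RE.match(value.strip())
    if not m:
        raise ValueError(
            "Content Owner must be fully qualified, e.g. mydomain.com\\Administrator"
        )
    return m.group("domain").lower(), m.group("user")


def in_root_domain(domain: str, root_domain: str) -> bool:
    """True if domain equals root_domain or is a DNS subdomain of it.

    The comparison is label-based, so 'notmydomain.com' is not under
    'mydomain.com'.
    """
    d = domain.lower().strip(".").split(".")
    r = root_domain.lower().strip(".").split(".")
    return len(d) >= len(r) and d[-len(r):] == r


def validate_settings(settings: dict) -> list:
    """Collect problems for a settings dict with the (assumed) keys
    'server', 'access_method', 'root_domain' and 'content_owner'.
    An empty list means the settings are consistent."""
    problems = []
    try:
        parse_server(settings["server"], settings.get("access_method", "LDAP"))
    except ValueError as e:
        problems.append(str(e))
    try:
        owner_domain, _ = parse_content_owner(settings["content_owner"])
        # Assumption: the Content Owner is a user, so it must itself be
        # discoverable under the Root Domain.
        if not in_root_domain(owner_domain, settings["root_domain"]):
            problems.append(
                f"Content Owner domain {owner_domain!r} is outside Root Domain "
                f"{settings['root_domain']!r} and will be unknown to Connectivity Hub"
            )
    except ValueError as e:
        problems.append(str(e))
    return problems


if __name__ == "__main__":
    # constructed sample settings; the NetBIOS-style owner is reported as a problem
    print(validate_settings({
        "server": "dc01.department1.mydomain.com",
        "access_method": "LDAP",
        "root_domain": "department1.mydomain.com",
        "content_owner": "MYDOMAIN\\Administrator",
    }))
```

Run this against the values you intend to type into the configuration page before clicking Save; a non-empty list is a setting the target directory will reject or silently fail to resolve.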
Configuring Azure Active Directory
Azure Application Permissions
An Azure application must be configured and granted the following permissions for the Graph API:
- Member.Read.Hidden: Read all hidden memberships
- GroupMember.Read.All: Read group members
- Directory.Read.All: Read users and groups
- User.Read.All: Read all users' full profiles
Target Directory configuration
Select Azure Active Directory from the drop-down list and configure the following settings:
- In the Azure Active Directory Tenant field, enter the tenant name in the following format: tenantName.onmicrosoft.com.
- In the Client ID field, enter the ID of the application that is registered on the tenant. This ID is used to get Azure Active Directory user and group data.
- In the Client Secret field, enter the client secret key of the application that is registered on the tenant. This key is used to get Azure Active Directory user and group data.
- In the Authority Endpoint field, specify the URL for the authority endpoint.
- In the Graph Endpoint field, specify the URL for the Microsoft Graph endpoint.
- In the Additional Properties to Load field, enter a list of additional properties to load for users and groups when performing a security sync or a crawl. By default, Connectivity Hub loads the following properties for users and groups:
  - Id
  - DisplayName
  - OnPremisesSecurityIdentifier
  - AccountEnabled
  - DeletedDateTime
  - UserPrincipalName
- In the Content Owner field, enter the fully qualified user principal name of a user that has permission to see every item in the search index. The value must be in the following format: contentOwner@myDomain.onmicrosoft.com.
- Click Save.
Configuring Microsoft Search Directory
When to use this directory
Configure this target directory if you are indexing your content with the Microsoft Target. This directory will allow the creation and synchronization of the connector groups.
Restrictions:
If you are using SmartHub as a search center, the Microsoft Search directory will not be available. You must use the Azure target directory instead.
Limitations:
The Microsoft Search Target Directory only supports one-to-one relationships. This means that a content source can only be related to a single connection, and master security connections are not supported.
Azure Application Configuration
You must have a Microsoft Azure application registered, configured, and granted the appropriate permissions for the Graph API. To do so, follow the instructions listed on the Microsoft Target page. You can apply all the necessary permissions and use the same app registration parameters for both the Microsoft Search target and Microsoft Search target directory configuration in a single Microsoft Azure application.
Target Directory configuration
Select Microsoft Search Directory from the drop-down list and configure the following settings:
- In the Azure Active Directory Tenant field, enter the tenant name in the following format: tenantName.onmicrosoft.com.
- In the Client ID field, enter the ID of the application that is registered on the tenant. This ID is used to get Azure Active Directory user and group data.
- In the Client Secret field, enter the client secret key of the application that is registered on the tenant. This key is used to get Azure Active Directory user and group data.
- In the Authority Endpoint field, specify the URL for the authority endpoint.
- In the Graph Endpoint field, specify the URL for the Microsoft Graph endpoint.
- In the Additional Properties to Load field, enter a list of additional properties to load for users and groups when performing a security sync or a crawl. By default, Connectivity Hub loads the following properties for users and groups:
  - Id
  - DisplayName
  - OnPremisesSecurityIdentifier
  - AccountEnabled
  - DeletedDateTime
  - UserPrincipalName
- In the Content Owner field, enter the fully qualified user principal name of a user that has permission to see every item in the search index. The value must be in the following format: contentOwner@myDomain.onmicrosoft.com.
- Click Save.
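The Azure Active Directory and Microsoft Search Directory settings above use the same five application values (Tenant, Client ID, Client Secret, Authority Endpoint, Graph Endpoint), the same four Graph application permissions, and the same default property list. The following script is an added example written for this page, not Connectivity Hub's own code, and serves both sections. It shows how those fields combine into a client-credentials token request, how to check whether an access token the app actually receives carries the four required permissions (the `roles` claim), and how the default properties plus Additional Properties to Load become a Graph `$select` clause. Assumptions: the Authority Endpoint is the base login URL and the v2.0 token endpoint is used; all function names are the example's own; the sample token is constructed inline so the script runs offline. The token is only decoded, never signature-verified, which is adequate for inspecting what a token you already hold contains but must not be used to make authorization decisions.

```python
"""Helpers for checking an Azure Active Directory / Microsoft Search target
directory configuration before saving it.

Added example, not Connectivity Hub's own code. Function names and the
constructed sample token are assumptions. The token is decoded without
signature verification: this is for inspecting a token's claims, not for
authorizing anything with it.
"""
import base64
import json
import re

# The four Graph application permissions the documentation requires.
REQUIRED_APP_ROLES = {
    "Member.Read.Hidden",
    "GroupMember.Read.All",
    "Directory.Read.All",
    "User.Read.All",
}
# Properties Connectivity Hub loads by default (PascalCase, as shown in the UI).
DEFAULT_PROPERTIES = [
    "Id", "DisplayName", "OnPremisesSecurityIdentifier",
    "AccountEnabled", "DeletedDateTime", "UserPrincipalName",
]
UPN_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def client_credentials_request(authority_endpoint, tenant, client_id,
                               client_secret, graph_endpoint):
    """Return (token_url, form_fields) for the OAuth 2.0 client credentials
    grant on the v2.0 endpoint (assumption: authority_endpoint is the base
    login URL). The /.default scope requests every application permission
    that has been granted to the app registration."""
    token_url = f"{authority_endpoint.rstrip('/')}/{tenant}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{graph_endpoint.rstrip('/')}/.default",
    }
    return token_url, form


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_app_roles(access_token: str) -> set:
    """Read the 'roles' claim (granted application permissions) from a JWT.
    No signature check: only use this to inspect a token you already hold."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def missing_permissions(access_token: str) -> set:
    """Required Graph application permissions the token does not carry."""
    return REQUIRED_APP_ROLES - token_app_roles(access_token)


def graph_select(additional_properties=()) -> str:
    """Build the $select list: defaults first, then additional properties,
    de-duplicated. Graph property names are camelCase, so the PascalCase
    names from the UI are lower-cased on their first character."""
    selected = []
    for name in list(DEFAULT_PROPERTIES) + list(additional_properties):
        camel = name[:1].lower() + name[1:]
        if camel not in selected:
            selected.append(camel)
    return ",".join(selected)


def users_query_url(graph_endpoint: str, additional_properties=()) -> str:
    """Graph v1.0 users query selecting exactly the configured properties."""
    return f"{graph_endpoint.rstrip('/')}/v1.0/users?$select={graph_select(additional_properties)}"


def is_valid_content_owner(value: str) -> bool:
    """Content Owner must be a UPN such as contentOwner@myDomain.onmicrosoft.com."""
    return bool(UPN_RE.match(value.strip()))


def _constructed_token(roles) -> str:
    """Build an unsigned sample JWT so the example runs offline. Constructed
    for this example only; real tokens are issued by the authority endpoint."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": list(roles)}
    return f"{enc(header)}.{enc(payload)}."


# Constructed sample: an app that was granted three of the four permissions.
SAMPLE_TOKEN = _constructed_token(
    ["GroupMember.Read.All", "Directory.Read.All", "User.Read.All"]
)

if __name__ == "__main__":
    print("missing:", sorted(missing_permissions(SAMPLE_TOKEN)))
    print(users_query_url("https://graph.microsoft.com", ["Mail"]))
```

If `missing_permissions` reports anything for a token obtained with the configured Client ID and secret, admin consent for that permission has not been granted on the tenant, and security sync will fail to read the corresponding directory data regardless of how the rest of the tab is filled in.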
Because the same Microsoft connection will be used to store both your groups and your content, make sure your content is completely prepared for indexing before running the Security Sync task. To index secured content with Microsoft Search:
- Create your connection.
- Under the Security:Directory tab, be sure to check Create security groups.
  - If checked, missing security groups are created in the target directory during Security Sync.
- Create your content and map it to your Microsoft Search target.
- Run the Datatypes task.
- Run the Datastore load task.
- Review the metadata settings and make sure your schema complies with the Microsoft Search restrictions.
- Run the Security Sync task.
- Run the Content synchronization task.