Azure AD Driver O365 Licensing Not Working assignLicenses

Hi all, 

I'm having an issue with a 4.6 Azure AD Licensing Driver. The driver is configured using an RL server and is working fine for synchronising attributes.

I have NOT added the Entitlement Package to deal with licenses, as we don't have a UserApp.

Essentially I am setting the assignLicense value manually in policy.

I have tried different types of value, and get success messages in each case, but the licenses don't apply. When I set them using GraphAPI directly it all works.

What value should be added to the AssignLicenses? Should it be the SKUID, the SKU Name, or GUID? I don't have an environment to check.

(NOTE: Subsequently it looks like the SkuID GUID is needed, but it doesn't seem like the driver is issuing the POST command. It is doing a couple of GET commands, but doesn't try to assign the licenses)

Some trace here so you can see what I am doing (Only included RL trace, as you can see that the assignLicense Value is being set):

RL Trace Attached

 

 

I have also tried the following values:

<modify-attr attr-name="assignLicense">
<add-value>
<value type="string">"94763226-9b3c-4e75-a931-5c89701abe66"</value>
</add-value>



<modify-attr attr-name="assignLicense">
<add-value>
<value type="string">STANDARDWOFFPACK_FACULTY</value>
</add-value>

<modify-attr attr-name="assignLicense">
<add-value>
adXXXtst:STANDARDWOFFPACK_FACULTY
</add-value>

 

  • I have also now patched to the latest version for 4.6, which is driver version 5.0.2.0

    Attached is the trace. I noticed that you only need to set usageLocation once, hence the error in the last trace. This is the most up to date trace

    Also we haven't installed the Exchange Service. Is the exchange service required to license the users?

  • Exchange service is required for PowerShell commands and the license management is done via REST.  So no, you would not need the Exchange Service for this task per se.

     

    As for the value, I have to dig through some trace samples (don't have access to the system anymore) but I remember thinking the value for a license was 'odd' and not exactly what I would have expected.

     

  • Hi Geoff,

    Thanks for the prompt response

    It looks like it calls all of the other commands via REST, and I can paste
    them into the Azure graph explorer and they all work.
    https://graphexplorer.azurewebsites.net/#

    It doesn't seem to do the POST one though, and whether that's just due to a
    malformed value I'm not sure. It would be great if you could have a look at
    your previous traces.

    In the default driver it uses an ecmaScript command getEntParamField, to
    retrieve the ID from the DirXML-entitlementRef attribute value, which I
    assume must be the GUID.

    Hope that helps!
  • Yes, the ECMA gets the payload value of the EntitlementRef but is it the GUID or something which is not what I expected, which is my memory. I will get to looking at trace in a bit. Got something I am working on.

  • Hi Geoff, you didn't manage to find any traces did you, I have tried just about every value I can think of!
  • So looking at an old trace, I see it in this format;

    <modify-attr attr-name="assignLicense">
    <add-value>
    <value type="string">STANDARDWOFFPACK_FACULTY#0feaeb32-d00e-4d66-bd5a-43b5b12ac82c</value>
    </add-value>

    Which is what I meant by an odd format, the string then a # then the GUID.

    Then another example in the entitlementIMpl that shows the <param> node value:

    {"ID":"STANDARDWOFFPACK_FACULTY#bea4c11e-220a-4e6d-8eb8-8ea15d019f90"}

     

    Hope that helps.

  • Amazing, this looks like it's now in the right format......however it looked like it tried to remove the assignment!!

    .......trace.......

    <source>
    <product edition="Standard" version="4.6.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>

    <association state="associated">8a407133-af2f-493f-9253-534f88ff5300</association>
    <modify-attr attr-name="usageLocation">
    <remove-all-values/>
    <add-value>
    <value type="string">IE</value>
    </add-value>
    </modify-attr>
    <modify-attr attr-name="assignLicense">
    <add-value>
    <value type="string">STANDARDWOFFPACK_FACULTY#94763226-9b3c-4e75-a931-5c89701bcE66</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>

     

     

    which gives.......

     

    <source>
    <product version="5.0.2.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <driver-operation-data class-name="users" command="assignLicense">

    <url-token/>
    <header Content-Type="application/json"/>
    {"addLicenses":[],"removeLicenses":["94763226-9b3c-4e75-a931-5c89701abe66"]}
    </request>
    </driver-operation-data>
    </input>

     

    which in turn, gives......

     

    <source>
    <product build="20170208_1048" version="1.0.0.1">Identity Manager REST Driver</product>
    <contact>NetIQ Corporation.</contact>
    </source>
    <output>
    <status level="error" type="driver-general">
    <driver-operation-data class-name="users" command="assignLicense" dest-dn="">

    <url-token/>
    <header Content-Type="application/json"/>
    {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"User does not have a corresponding license."},"requestId":"ad9be7ba-fcdb-4cb3-a9ab-e72e3603aca5","date":"2019-06-26T13:24:41"}}
    </response>
    </driver-operation-data>
    </status>
    </output>

     

    Which you would expect, that the error is correct, but that means when adding the value, it's parsing it and REVOKING rather than adding.

    I wonder if it needs #1# or something ???

    Do you have any more trace at all?

    Cheers

    Chris

     

  • Hi Geoff, 

    After more investigation, the Value is set to 

    <skuPartNumber>#<servicePlanId>

    e.g.

    --To Add KAIZALA_O365_P2 to the A1 Faculty plan.......would be 
    STANDARDWOFFPACK_FACULTY#54fc630f-5a40-48ee-8965-af0503c1386e

    This means that we have to do multiple separate calls to add a license. 

    Is there not a way to assign a plan, like the STANDARDWOFFPACK_FACULTY in its entirety? rather than have to issue lots of commands to add each license? i.e. issue a command for the full collection of licenses?

    Similar question for the removal?

    Cheers

    Chris

  • I THINK that the shim is doing some shenanigans...

    I THINK that when you add a license, the shim MIGHT be looking back to see the entire set of licenses assigned, and generating an add parent license, which includes all of them, and then removes the missing licenses.

     

    I.e. A license at the high level includes all of them.  To ONLY grant one of the 12 sub licenses, you grant the parent and remove 11.  It is an intensely stupid model as far as I can tell.

    I need to dig deeper in my trace to find you an example, sorry for the slow responses.

  • Hi Geoff

    Yeah I agree about the model, however it does mean that when new licenses come onboard, then you don't have to update your code to reflect the new item, however just makes it so difficult for us!

    The problem I am now having is that I am unable to find out the combination to send to the API that will add a full plan, and not just a single license within the plan. 

    On the old office365 driver you could just assign the STANDARDWOFFPACK_FACULTY plan. But on this driver it seems you can only assign the 12 subplan licenses. 

    Have you been able to assign the full plan in one command?

    Cheers Chris
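
The request shape behind the "grant the parent and remove 11" model and the whole-plan question above, as an added example (not the driver's or the shim's code, and not from any poster): the Graph assignLicense body takes a `skuId` plus a `disabledPlans` list under `addLicenses`, so a whole SKU is one call with nothing disabled and a single service plan is the same call with the rest disabled. `PLAN_B`, `PLAN_C` and their ids are constructed placeholders; whether the driver can be made to emit these bodies is not established by the thread.

```javascript
// Added example; not the driver's or shim's code.
// Only the skuId and the KAIZALA_O365_P2 plan id come from the thread;
// PLAN_B / PLAN_C and their ids are constructed placeholders.
const SKU = {
  skuPartNumber: "STANDARDWOFFPACK_FACULTY",
  skuId: "94763226-9b3c-4e75-a931-5c89701abe66",
  servicePlans: [
    { name: "KAIZALA_O365_P2", id: "54fc630f-5a40-48ee-8965-af0503c1386e" },
    { name: "PLAN_B", id: "00000000-0000-0000-0000-00000000000b" },
    { name: "PLAN_C", id: "00000000-0000-0000-0000-00000000000c" },
  ],
};
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Split the "<skuPartNumber>#<servicePlanId>" value format reported in the thread.
function parseDriverValue(value) {
  const parts = String(value).split("#");
  if (parts.length !== 2 || !parts[0] || !GUID.test(parts[1])) {
    throw new Error("expected <skuPartNumber>#<servicePlanId>, got: " + value);
  }
  return { skuPartNumber: parts[0], servicePlanId: parts[1].toLowerCase() };
}

// Graph assignLicense body that grants the SKU with only the wanted plans enabled.
// wantedPlanIds === null grants the whole SKU (nothing disabled).
function buildAssignBody(sku, wantedPlanIds) {
  const known = sku.servicePlans.map((p) => p.id);
  const wanted = wantedPlanIds === null ? known : wantedPlanIds.map((id) => id.toLowerCase());
  const unknown = wanted.filter((id) => !known.includes(id));
  if (unknown.length > 0) {
    throw new Error("not a service plan of " + sku.skuPartNumber + ": " + unknown.join(", "));
  }
  const disabledPlans = known.filter((id) => !wanted.includes(id));
  return { addLicenses: [{ skuId: sku.skuId, disabledPlans }], removeLicenses: [] };
}

// Body that revokes the whole SKU; same shape as the request in the trace above.
function buildRemoveBody(sku) {
  return { addLicenses: [], removeLicenses: [sku.skuId] };
}

// Whole plan in one call, then a single service plan from a driver-style value.
const whole = buildAssignBody(SKU, null);
const one = buildAssignBody(SKU, [
  parseDriverValue("STANDARDWOFFPACK_FACULTY#54fc630f-5a40-48ee-8965-af0503c1386e").servicePlanId,
]);
console.log(JSON.stringify(whole), JSON.stringify(one));
```

`buildAssignBody` rejects a GUID that is not one of the SKU's service plans, which catches a `skuId` pasted where a `servicePlanId` is expected before any request is sent.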