Azure Driver exception: Add-DistributionGroupMember

Hi

I have an Azure AD driver synchronizing Users and Group memberships to the Cloud.

I have a problem assigning group membership to a Mail enabled security group.
When I add an Entitlement to a user through a role, the event leaves the driver as it should, but returns an exception

[07/16/19 14:26:38.392]:Azure AD Driver ST:Remote Interface Driver: Sending...
[07/16/19 14:26:38.393]:Azure AD Driver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.7.1.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<association>a54f2e28-370c-4510-9c74-9c84ef746a03</association>
<modify-attr attr-name="members">
<add-value>
<value association-ref="dd040518-729f-427f-be70-90f6a81fe964" type="dn">\VAULT-TREE\vault\data\Users\user1</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[07/16/19 14:26:38.399]:Azure AD Driver ST:Remote Interface Driver: Document sent.
[07/16/19 14:26:38.399]:Azure AD Driver ST:Remote Interface Driver: Waiting for receive...

[07/16/19 14:26:42.818]:Azure AD Driver ST:Remote Interface Driver: Received
[07/16/19 14:26:42.820]:Azure AD Driver ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20180222_0642" instance="Azure AD Driver" version="5.1.0.0">Identity Manager Driver for Azure AD and Office 365</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: Add-DistributionGroupMember
</output>
</nds>
[07/16/19 14:26:42.827]:Azure AD Driver ST:Remote Interface Driver: Received command: SUBSCRIBER REPLY(10).
[07/16/19 14:26:42.828]:Azure AD Driver ST:Restoring operation data to output document

 

Azure Driver version is 5.1.0.0
IDM version is 4.7.1

The user IDM in Azure AD has the Global Administrator and Exchange Administrator roles

The driver is capable of handling User provisioning and all attributes, Licences, and maintaining Normal Security Groups, but not Mail enabled Security groups, which the Customer needs for assigning Calendar rights.

What could be the reason, and where should I look?

-- Vellu

  • Below are Exchange service and Remoteloader logs:

    It looks like the process gets DirXML: [07/16/19 14:26:43.09]: TRACE: Azure AD Driver_Exchange: Response code and message: 400 Add-DistributionGroupMember

    from POST to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member

    Could this be a rights problem, or should I update the Azure AD driver to 5.1.1.0?


    In Exchange Service Log:


    [07/16/2019 14:26:42.693] company.onmicrosoft.com – Invocation: Completed

    [07/16/2019 14:26:42.693] company.onmicrosoft.com – Invoking: Add-DistributionGroupMember
    Identity: MailEnabledSecurityGroup-Test20190716110619
    Member: dd040518-729f-427f-be70-90f6a81fe964

    And in Remoteloader Log:
    DirXML: [07/16/19 14:26:38.68]: TRACE: Remote Loader: Received
    DirXML: [07/16/19 14:26:38.68]: TRACE:
    <source>
    <product edition="Advanced" version="4.7.1.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>

    <association>a54f2e28-370c-4510-9c74-9c84ef746a03</association>
    <modify-attr attr-name="members">
    <add-value>
    <value association-ref="dd040518-729f-427f-be70-90f6a81fe964" type="dn">\VAULT-TREE\vault\data\Users\user1</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    DirXML: [07/16/19 14:26:38.68]: TRACE: Remote Loader: Received command: SUBSCRIBER EXECUTE(4).
    DirXML: [07/16/19 14:26:38.68]: TRACE: Remote Loader: Calling SubscriptionShim.execute()
    DirXML: [07/16/19 14:26:38.68]: TRACE:
    <source>
    <product edition="Advanced" version="4.7.1.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>

    <association>a54f2e28-370c-4510-9c74-9c84ef746a03</association>
    <modify-attr attr-name="members">
    <add-value>
    <value association-ref="dd040518-729f-427f-be70-90f6a81fe964" type="dn">\VAULT-TREE\vault\data\Users\user1</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    DirXML: [07/16/19 14:26:38.68]: TRACE: Azure AD Driver: AZSubscriber.execute()
    DirXML: [07/16/19 14:26:38.68]: TRACE: Azure AD Driver: Sending command document to subscriber
    DirXML: [07/16/19 14:26:38.68]: TRACE:
    <source>
    <product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <driver-operation-data class-name="groups" command="query">
    <request method="GET">
    <url-token api-version="?api-version=1.6" association="a54f2e28-370c-4510-9c74-9c84ef746a03"/>
    <header Content-Type="application/json"/>
    <value/>
    </request>
    </driver-operation-data>
    </input>
    </nds>
    DirXML: [07/16/19 14:26:38.68]: TRACE: Azure AD Driver_Azure: sub-execute
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: queryHandler
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: queryHandler: class-name == 'groups'
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Query: preparing GET to https://graph.windows.net/company.onmicrosoft.com/groups/a54f2e28-370c-4510-9c74-9c84ef746a03?api-version=1.6
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Resetting headers
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Setting the following HTTP request properties:
    Authorization:
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Content-Type:application/json
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: OAuth2: Token is valid.
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: OAuth2: Token is valid.
    DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/company.onmicrosoft.com/groups/a54f2e28-370c-4510-9c74-9c84ef746a03?api-version=1.6
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Azure: Response code and message: 200 OK
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver: Received response document from subscriber
    DirXML: [07/16/19 14:26:38.96]: TRACE:
    <source>
    <product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
    <contact>NetIQ Corporation.</contact>
    </source>
    <output>
    <status level="success" type="driver-general">
    <driver-operation-data class-name="groups" command="query" dest-dn="">
    <response method="GET">
    <url-token api-version="?api-version=1.6" association="a54f2e28-370c-4510-9c74-9c84ef746a03"/>
    <header Content-Type="application/json"/>
    {"odata.metadata":"https://graph.windows.net/company.onmicrosoft.com/$metadata#directoryObjects/@Element","odata.type":"Microsoft.DirectoryServices.Group","objectType":"Group","objectId":"a54f2e28-370c-4510-9c74-9c84ef746a03","deletionTimestamp":null,"description":null,"dirSyncEnabled":null,"displayName":"MailEnabledSecurityGroup-Test","lastDirSyncTime":null,"mail":"MailEnabledSecurityGroup-Test@company.onmicrosoft.com","mailNickname":"MailEnabledSecurityGroup-Test","mailEnabled":true,"onPremisesDomainName":null,"onPremisesNetBiosName":null,"onPremisesSamAccountName":null,"onPremisesSecurityIdentifier":null,"provisioningErrors":[],"proxyAddresses":["SMTP:MailEnabledSecurityGroup-Test@company.onmicrosoft.com"],"securityEnabled":true}
    </response>
    </driver-operation-data>
    </status>
    </output>
    </nds>
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver: Sending command document to subscriber
    DirXML: [07/16/19 14:26:38.96]: TRACE:
    <source>
    <product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <driver-operation-data class-name="Groups" command="query">
    <request method="GET">
    <url-token association="a54f2e28-370c-4510-9c74-9c84ef746a03"/>
    <header Content-Type="application/json"/>
    <value/>
    </request>
    </driver-operation-data>
    </input>
    </nds>
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: sub-execute
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: queryHandler
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: queryHandler: class-name == 'Groups'
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Query: preparing GET to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Resetting headers
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Setting the following HTTP request properties:
    Authorization:
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Content-Type:application/json
    DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Did a HTTP GET with 0 bytes of data to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03
    DirXML: [07/16/19 14:26:40.18]: TRACE: Azure AD Driver_Exchange: Response code and message: 200 OK
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver: Received response document from subscriber
    DirXML: [07/16/19 14:26:40.19]: TRACE:
    <source>
    <product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
    <contact>NetIQ Corporation.</contact>
    </source>
    <output>
    <status level="success" type="driver-general">
    <driver-operation-data class-name="Groups" command="query" dest-dn="">
    <response method="GET">
    <url-token association="a54f2e28-370c-4510-9c74-9c84ef746a03"/>
    <header Content-Type="application/json"/>
    {"Name":"MailEnabledSecurityGroup-Test20190716110619","objectId":"a54f2e28-370c-4510-9c74-9c84ef746a03","Alias":"MailEnabledSecurityGroup-Test","Description":"testataan kalenterioikeuden antamista","DisplayName":"MailEnabledSecurityGroup-Test","DynamicProperties":[{"Key":"SamAccountName","Value":"MailEnabledSecurityGroup-Test2019071611061957650-265146755"},{"Key":"BypassNestedModerationEnabled","Value":false},{"Key":"IsDirSynced","Value":false},{"Key":"ManagedBy","Value":["admin"]},{"Key":"MemberJoinRestriction","Value":"Closed"},{"Key":"MemberDepartRestriction","Value":"Closed"},{"Key":"MigrationToUnifiedGroupInProgress","Value":false},{"Key":"ReportToManagerEnabled","Value":false},{"Key":"ReportToOriginatorEnabled","Value":true},{"Key":"SendOofMessageToOriginatorEnabled","Value":false},{"Key":"AddressListMembership","Value":["\\All Groups(VLV)","\\All Recipients(VLV)","\\Groups(VLV)","\\Offline Global Address List","\\All Distribution Lists","\\Default Global Address List"]},{"Key":"ArbitrationMailbox","Value":"SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}"},{"Key":"OrganizationalUnit","Value":"eurpr05a007.prod.outlook.com/Microsoft Exchange Hosted Organizations/company.onmicrosoft.com"},{"Key":"ExternalDirectoryObjectId","Value":"a54f2e28-370c-4510-9c74-9c84ef746a03"},{"Key":"HiddenFromAddress
    DirXML: [07/16/19 14:26:40.19]: ListsEnabled","Value":false},{"Key":"LegacyExchangeDN","Value":"/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=118af26918d445ff9881c17ec5724122-KalenteriOi"},{"Key":"MaxSendSize","Value":"Unlimited"},{"Key":"MaxReceiveSize","Value":"Unlimited"},{"Key":"ModerationEnabled","Value":false},{"Key":"PoliciesExcluded","Value":["{26491cfc-9e50-4857-861b-0cb8df22b5d7}"]},{"Key":"EmailAddressPolicyEnabled","Value":false},{"Key":"RecipientType","Value":"MailUniversalSecurityGroup"},{"Key":"RecipientTypeDetails","Value":"MailUniversalSecurityGroup"},{"Key":"RequireSenderAuthenticationEnabled","Value":true},{"Key":"SendModerationNotifications","Value":"Always"},{"Key":"WindowsEmailAddress","Value":"MailEnabledSecurityGroup-Test@company.onmicrosoft.com"},{"Key":"UserPrincipalName","Value":"MailEnabledSecurityGroup-Test20190716110619"},{"Key":"Id","Value":"MailEnabledSecurityGroup-Test20190716110619"},{"Key":"IsValid","Value":true},{"Key":"ExchangeVersion","Value":"0.10 (14.0.100.0)"},{"Key":"DistinguishedName","Value":"CN=MailEnabledSecurityGroup-Test20190716110619,OU=company.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR05A007,DC=PROD,DC=OUTLOOK,DC=COM"},{"Key":"ObjectCategory","Value":"EURPR05A007.PROD.OUTLOOK.COM/Configuration/Schema/Group"},{"Key":"ObjectClass","Value":["top","group"]},{"Key":"WhenChanged","Value":"16.7.2019 14:06:25"},{"Key":"WhenCreated","Value":"16.7.2019 14:06:20"},{"Key":"WhenChangedUTC","Value":"16.7.2019 11:06:25"},{"Key":"WhenCreatedUTC","Value":"16.7.2019 11:06:20"},{"Key":"ExchangeObjectId","Value":"xxx"},{"Key":"OrganizationId","Value":"EURPR05A007.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/company.onmicrosoft.com - EURPR05A007.PROD.OUTLOOK.COM/ConfigurationUn
    DirXML: [07/16/19 14:26:40.19]: its/company.onmicrosoft.com/Configuration"},{"Key":"Guid","Value":"xxx"},{"Key":"OriginatingServer","Value":"HE1PR05A007DC06.EURPR05A007.PROD.OUTLOOK.COM"},{"Key":"ObjectState","Value":"Changed"}],"EmailAddresses":["SMTP:MailEnabledSecurityGroup-Test@company.onmicrosoft.com"],"PrimarySmtpAddress":null,"Type":"Universal, SecurityEnabled"}
    </response>
    </driver-operation-data>
    </status>
    </output>
    </nds>
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver: Sending command document to subscriber
    DirXML: [07/16/19 14:26:40.19]: TRACE:
    <source>
    <product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <driver-operation-data class-name="Groups" command="query-members">

    <url-token/>
    <header Content-Type="application/json"/>
    <value/>
    </request>
    </driver-operation-data>
    </input>
    </nds>
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: sub-execute
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: customHandler
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: customHandler: class-name == 'Groups'
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Custom: preparing GET to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Resetting headers
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Setting the following HTTP request properties:
    Authorization:
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Content-Type:application/json
    DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Did a HTTP GET with 0 bytes of data to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Response code and message: 200 OK
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver: Received response document from subscriber
    DirXML: [07/16/19 14:26:40.88]: TRACE:
    <source>
    <product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
    <contact>NetIQ Corporation.</contact>
    </source>
    <output>
    <status level="success" type="driver-general">
    <driver-operation-data class-name="Groups" command="query-members" dest-dn="">

    <url-token/>
    <header Content-Type="application/json"/>
    {"GetGroupMembershipResult":[]}
    </response>
    </driver-operation-data>
    </status>
    </output>
    </nds>
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver: Sending command document to subscriber
    DirXML: [07/16/19 14:26:40.88]: TRACE:
    <source>
    <product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <driver-operation-data class-name="Groups" command="query-owners">

    <url-token/>
    <header Content-Type="application/json"/>
    <value/>
    </request>
    </driver-operation-data>
    </input>
    </nds>
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: sub-execute
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: customHandler
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: customHandler: class-name == 'Groups'
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Custom: preparing GET to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Owner
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Resetting headers
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Setting the following HTTP request properties:
    Authorization:
    DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Content-Type:application/json
    DirXML: [07/16/19 14:26:40.89]: TRACE: Azure AD Driver_Exchange: Did a HTTP GET with 0 bytes of data to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Owner
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Exchange: Response code and message: 200 OK
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver: Received response document from subscriber
    DirXML: [07/16/19 14:26:42.14]: TRACE:
    <source>
    <product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
    <contact>NetIQ Corporation.</contact>
    </source>
    <output>
    <status level="success" type="driver-general">
    <driver-operation-data class-name="Groups" command="query-owners" dest-dn="">

    <url-token/>
    <header Content-Type="application/json"/>
    {"GetGroupOwnerResult":[{"Name":"admin","objectId":"63eafd22-bfb3-4bbf-9337-b0b3405c39c7"}]}
    </response>
    </driver-operation-data>
    </status>
    </output>
    </nds>
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver: Sending command document to subscriber
    DirXML: [07/16/19 14:26:42.14]: TRACE:
    <source>
    <product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <driver-operation-data class-name="groups" command="query-members">

    <url-token/>
    <header Content-Type="application/json"/>
    <value/>
    </request>
    </driver-operation-data>
    </input>
    </nds>
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: sub-execute
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: customHandler
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: customHandler: class-name == 'groups'
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Custom: preparing GET to https://graph.windows.net/company.onmicrosoft.com/directoryObjects/a54f2e28-370c-4510-9c74-9c84ef746a03/members?api-version=1.6
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Resetting headers
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Setting the following HTTP request properties:
    Authorization:
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Content-Type:application/json
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: OAuth2: Token is valid.
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: OAuth2: Token is valid.
    DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/company.onmicrosoft.com/directoryObjects/a54f2e28-370c-4510-9c74-9c84ef746a03/members?api-version=1.6
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Azure: Response code and message: 200 OK
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver: Received response document from subscriber
    DirXML: [07/16/19 14:26:42.22]: TRACE:
    <source>
    <product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
    <contact>NetIQ Corporation.</contact>
    </source>
    <output>
    <status level="success" type="driver-general">
    <driver-operation-data class-name="groups" command="query-members" dest-dn="">

    <url-token/>
    <header Content-Type="application/json"/>
    {"odata.metadata":"https://graph.windows.net/company.onmicrosoft.com/$metadata#directoryObjects","value":[]}
    </response>
    </driver-operation-data>
    </status>
    </output>
    </nds>
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver: Sending command document to subscriber
    DirXML: [07/16/19 14:26:42.22]: TRACE:
    <source>
    <product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <driver-operation-data class-name="Groups" command="modify-members">

    <url-token/>
    <header Content-Type="application/json"/>
    {"Identity":{"targetobjectId":"dd040518-729f-427f-be70-90f6a81fe964"}}
    </request>
    </driver-operation-data>
    </input>
    </nds>
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: sub-execute
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: customHandler
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: customHandler: class-name == 'Groups'
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Custom: preparing POST to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Resetting headers
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Setting the following HTTP request properties:
    Authorization:
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Content-Type:application/json
    DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Did a HTTP POST with 70 bytes of data to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member
    DirXML: [07/16/19 14:26:43.09]: TRACE: Azure AD Driver_Exchange: Response code and message: 400 Add-DistributionGroupMember
    DirXML: [07/16/19 14:26:43.09]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
    DirXML: [07/16/19 14:26:43.09]: TRACE: Azure AD Driver: Received response document from subscriber
    DirXML: [07/16/19 14:26:43.09]: TRACE:
    <source>
    <product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
    <contact>NetIQ Corporation.</contact>
    </source>
    <output>
    <status level="error" type="driver-general">
    <driver-operation-data class-name="Groups" command="modify-members" dest-dn="">

    <url-token/>
    <header Content-Type="application/json"/>
    <value message="Add-DistributionGroupMember" status="400"/>
    </response>
    </driver-operation-data>
    </status>
    </output>
    </nds>
    DirXML: [07/16/19 14:26:43.09]: TRACE: Remote Loader: SubscriptionShim.execute() returned:
    DirXML: [07/16/19 14:26:43.10]: TRACE:
    <source>
    <product build="20180222_0642" instance="Azure AD Driver" version="5.1.0.0">Identity Manager Driver for Azure AD and Office 365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: Add-DistributionGroupMember
    </output>
    </nds>
    DirXML: [07/16/19 14:26:43.10]: TRACE: Remote Loader: Sending...
    DirXML: [07/16/19 14:26:43.10]: TRACE:
    <source>
    <product build="20180222_0642" instance="Azure AD Driver" version="5.1.0.0">Identity Manager Driver for Azure AD and Office 365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: Add-DistributionGroupMember
    </output>
    </nds>
    DirXML: [07/16/19 14:26:43.10]: TRACE: Remote Loader: Document sent.
    DirXML: [07/16/19 14:26:43.10]:
    DirXML Log Event -------------------
    Driver = \VAULT-TREE\vault\services\DriverSet\Azure AD Driver
    Thread = Subscriber
    Level = error
    Message = com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: Add-DistributionGroupMember

  • The document
    https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http

    says that Add Member needs the following rights:

    Delegated (work or school account)
    (the account the Driver connects with)
    Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All

    Delegated (personal Microsoft account)
    Not supported.

    Application
    (the configured Azure App API)
    Group.ReadWrite.All and Directory.ReadWrite.All


    Group.ReadWrite rights were missing from both, but adding those and restarting the driver didn't solve the problem, at least immediately. I'll tell in the morning if this helped.

    --vellu

     

  • I opened an SR, since I couldn't solve the problem.

  • Verified Answer

    Solution:
    PowerShell command
    Add-DistributionGroupMember -Identity TestMailEnabledSecurityGroup -Member user@company.fi
    Operation can only be performed by a manager of the group.

    So if the group was created manually from Office Admin management, the Owner was the userid who created the group. So the UserID which the Driver is using lacked the rights for member management because of this.

    I tried to add azuread-driver@company.fi from the Office management page, but for some reason it didn't allow me to do that.
    Instead I ran the PowerShell command (as my O365 admin account)
    Set-DistributionGroup -Identity TestMailEnabledSecurityGroup -ManagedBy azuread-driver@company.fi -BypassSecurityGroupManagerCheck

    -BypassSecurityGroupManagerCheck was needed, since my Admin account wasn't the existing owner of the group.

    After that, Add-DistributionGroupMember / Remove-DistributionGroupMember worked from PowerShell.
    And management from the IDM side roles began to work.

    Kind Regards 

    Veli-Matti
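
An added example, not part of the original posts and not NetIQ's code: a PowerShell audit for the condition the verified answer describes, listing every mail-enabled security group where the driver's account is not in ManagedBy and optionally adding it as an owner. It assumes an already connected Exchange Online PowerShell session; the account name is the one from the post, the function name `Select-GroupsMissingManager` and the `-Fix` switch are hypothetical, and matching ManagedBy entries by Name is an assumption based on the `"ManagedBy": ["admin"]` value in the trace.

```powershell
# Added example: audit ManagedBy on mail-enabled security groups.
# Assumes a connected Exchange Online PowerShell session.
param(
    # Account the driver connects with (value taken from the post).
    [string]$DriverAccount = 'azuread-driver@company.fi',
    # Hypothetical switch: without it the script only reports.
    [switch]$Fix
)

function Select-GroupsMissingManager {
    # Passes through only the groups whose ManagedBy list lacks $ManagerName.
    param(
        [Parameter(ValueFromPipeline)] $Group,
        [Parameter(Mandatory)] [string]$ManagerName
    )
    process {
        # Normalise ManagedBy entries to strings before comparing.
        $owners = @($Group.ManagedBy | ForEach-Object { "$_" })
        if ($owners -notcontains $ManagerName) { $Group }
    }
}

# Assumption: ManagedBy lists owners by Name, so resolve the driver
# account to its Name first. Stop if the account cannot be found.
$driver = Get-User -Identity $DriverAccount -ErrorAction Stop

# Mail-enabled security groups only; ordinary security groups are handled
# through Graph and were not affected in the thread.
$missing = Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited |
    Select-GroupsMissingManager -ManagerName $driver.Name

# Report the groups the driver cannot manage members on.
$missing | Select-Object Name, PrimarySmtpAddress, ManagedBy | Format-Table -AutoSize

if ($Fix) {
    foreach ($g in $missing) {
        # @{Add=...} appends an owner and keeps the existing ones; a plain
        # -ManagedBy value replaces the whole owner list.
        # -BypassSecurityGroupManagerCheck is needed when the admin running
        # this is not already an owner of the group.
        Set-DistributionGroup -Identity $g.Identity `
            -ManagedBy @{Add = $DriverAccount} `
            -BypassSecurityGroupManagerCheck
    }
}
```

Run it without `-Fix` first and review the list, since every group it changes becomes manageable by the driver account.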