AzureAD without PowerShell service - Publisher poll

I have the AzureAD driver running in hybrid mode, but without the PowerShell service. It is only used to manage group membership in some cloud-only groups.

Although the publisher is enabled in the driver parameters (polling interval set to 5 minutes), I don't see any calls to the Graph API in the Remote Loader trace (level set to 99).

Also, when looking at another customer, where we have the PowerShell service installed, the publisher poll works, but it looks like it is implemented using PowerShell only, not the Graph API (calling Get-User or Get-Group with a filter on WhenChangedUTC).

So the question is: is the AzureAD driver able to poll for changes in AzureAD using the Graph API only?

Kind regards,

Sebastijan

  • Sebastijan,

    I assume you have tried the latest version of the shim which introduces a new Group membership cache option.

    However, I assume that it would be counter-productive to have two polling cache implementations.

    Assume they went with the "works with everything" one, and that polling happens only via PowerShell.

    Just a guess though.

    Alex

  • So I got permission to upgrade the AzureAD driver, and it looks like I now get much more in the RL trace (it might also be because of the REST driver upgrade, which is a requirement for the 5.1.4 AzureAD driver).

    So it looks like there is a REST call to get updated objects. For each poll, this is called:

    https://graph.windows.net/<tenant>/directoryObjects?api-version=1.6&$filter=isof('Microsoft.DirectoryServices.User')+or+isof('Microsoft.DirectoryServices.Group')&deltaLink={deltaLink-value}

    where {deltaLink-value} is a very long string.
    Since the driver should manage group memberships, I fired up the Azure portal and removed one user from an AzureAD group.
    On the next poll the RL noticed the change, since the response from Azure is:

    {
        "odata.metadata": "https://graph.windows.net/<tenant>/$metadata#directoryObjects",
        "aad.deltaLink": "https://graph.windows.net/<tenant>/directoryObjects?deltaLink={deltaLink-value}",
        "value": [{
                "odata.type": "Microsoft.DirectoryServices.DirectoryLinkChange",
                "aad.isDeleted": true,
                "aad.isSoftDeleted": false,
                "objectType": "DirectoryLinkChange",
                "objectId": "00000000-0000-0000-0000-000000000000",
                "deletionTimestamp": null,
                "associationType": "Member",
                "sourceObjectId": "{group ObjectID}",
                "sourceObjectType": "Group",
                "sourceObjectUri": "https:\/\/graph.windows.net\/<tenant>\/groups\/{group ObjectID}",
                "targetObjectId": "{user ObjectID}",
                "targetObjectType": "User",
                "targetObjectUri": "https:\/\/graph.windows.net\/<tenant>\/users\/{user ObjectID}"
            }
        ]
    }

    But looking at the rest of the RL trace, it looks like this is somehow lost and the RL finishes with:
    DirXML: [12/02/21 16:39:03.25]: TRACE:  Remote Loader: Document consists only of state; not sending to remote side
    Btw, the driver filter is set to sync Group on the publisher:
    Any idea why the membership change would be ignored/lost?
    Full RL trace from the start of the poll to the point where the RL returns an empty status:
    DirXML: [12/02/21 16:39:02.73]: TRACE:  Azure AD_Azure: poll
    DirXML: [12/02/21 16:39:02.74]: TRACE:  Azure AD_Azure: Custom: preparing GET to https://graph.windows.net/<tenant>/directoryObjects?api-version=1.6&$filter=isof('Microsoft.DirectoryServices.User')+or+isof('Microsoft.DirectoryServices.Group')&deltaLink={old-deltaLink-value}
    DirXML: [12/02/21 16:39:03.04]: TRACE:  Azure AD_Azure: Date: Thu, 02 Dec 2021 15:39:02 GMT
    DirXML: [12/02/21 16:39:03.04]: TRACE:  Azure AD_Azure: Content-Length: 3224
    DirXML: [12/02/21 16:39:03.04]: TRACE:  Azure AD_Azure: Sending http response with body :- 
    DirXML: [12/02/21 16:39:03.04]: TRACE:  Azure AD_Azure: {"odata.metadata":"https://graph.windows.net/<tenant>/$metadata#directoryObjects","aad.deltaLink":"https://graph.windows.net/<tenant>/directoryObjects?deltaLink={deltaLink-value}","value":[{"odata.type":"Microsoft.DirectoryServices.DirectoryLinkChange","aad.isDeleted":true,"aad.isSoftDeleted":false,"objectType":"DirectoryLinkChange","objectId":"00000000-0000-0000-0000-000000000000","deletionTimestamp":null,"associationType":"Member","sourceObjectId":"{group ObjectID}","sourceObjectType":"Group","sourceObjectUri":"https://graph.windows.net/<tenant>/groups/{group ObjectID}","targetObjectId":"{user ObjectID}","targetObjectType":"User","targetObjectUri":"https://graph.windows.net/<tenant>/users/{user ObjectID}"}]}
    DirXML: [12/02/21 16:39:03.04]: TRACE:  Azure AD_Azure: **********************END*****************************
    DirXML: [12/02/21 16:39:03.04]: TRACE:  Azure AD_Azure: Response code and message: 200 OK
    DirXML: [12/02/21 16:39:03.04]: TRACE:  Azure AD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
    DirXML: [12/02/21 16:39:03.05]: TRACE:  Azure AD: Received event document from publisher
    DirXML: [12/02/21 16:39:03.21]: TRACE:  <nds dtdversion="3.5" ndsversion="8.x">
    	<source>
    		<product build="20210218_0733" instance="Azure AD_Azure" version="1.1.2.1">Identity Manager REST Driver</product>
    		<contact>NetIQ Corporation.</contact>
    	</source>
    	<input>
    		<driver-operation-data class-name="users" command="poll" event-id="Azure AD_Azure##12111216393##0">
    			<response>
    				<response-header Cache-Control="no-cache" Content-Length="2600" Content-Type="application/json; odata=minimalmetadata; streaming=true; charset=utf-8" DataServiceVersion="3.0;" Date="Thu, 02 Dec 2021 15:34:02 GMT" X-AspNet-Version="4.0.30319" X-Content-Type-Options="nosniff" X-Powered-By="ASP.NET" client-request-id="899498b0-19e9-467e-893d-517f758a0bd8" ocp-aad-diagnostics-server-name="ROOtnPatja+I51Ox0GzTY1+dVozAlU6dltxKlS2m46A=" ocp-aad-session-key="pPql19RBudRcWk8C3oNH1QCtT-cpuggCml2XX2iUUW1RGj2U7B_oxv8BVUG0gBm50dMRlzQ2lgFvjR6p1SJYP8G-kZ1NvDf8VDmXO8J7znptg8opLphf427UWDFMsWfH.l4tQx-HAntj4_-PCfydPE28hGSdpnWskwf8-aX7viK0" request-id="1389dad6-7e04-4fb6-9180-d4c55203ecf9" x-ms-dirapi-data-contract-version="1.6"/>
    				<value>{"odata.metadata":"https://graph.windows.net/<tenant>/$metadata#directoryObjects","aad.deltaLink":"https://graph.windows.net/<tenant>/directoryObjects?deltaLink={deltaLink-value}","value":[{"odata.type":"Microsoft.DirectoryServices.DirectoryLinkChange","aad.isDeleted":true,"aad.isSoftDeleted":false,"objectType":"DirectoryLinkChange","objectId":"00000000-0000-0000-0000-000000000000","deletionTimestamp":null,"associationType":"Member","sourceObjectId":"{group ObjectID}","sourceObjectType":"Group","sourceObjectUri":"https:\/\/graph.windows.net\/<tenant>\/groups\/{group ObjectID}","targetObjectId":"{user ObjectID}","targetObjectType":"User","targetObjectUri":"https:\/\/graph.windows.net\/<tenant>\/users\/{user ObjectID}"}]}</value>
    			</response>
    		</driver-operation-data>
    	</input>
    </nds>
    DirXML: [12/02/21 16:39:03.22]: TRACE:  Azure AD: Updating publisher state for key 'users_deltaLink'.
    DirXML: [12/02/21 16:39:03.22]: TRACE:  Azure AD: Received response document for publisher
    DirXML: [12/02/21 16:39:03.22]: TRACE:  <nds dtdversion="2.0" ndsversion="8.x">
    	<source>
    		<product build="20210513_0455" instance="Azure AD" version="5.1.4.0">Identity Manager Driver for Azure AD and Office 365</product>
    		<contact>NetIQ Corporation</contact>
    	</source>
    	<output>
    		<status level="success"/>
    	</output>
    </nds>
    DirXML: [12/02/21 16:39:03.24]: TRACE:  Azure AD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
    DirXML: [12/02/21 16:39:03.24]: TRACE:  Azure AD: Received event document from publisher
    DirXML: [12/02/21 16:39:03.24]: TRACE:  <nds dtdversion="3.5" ndsversion="8.x">
    	<source>
    		<product build="20210218_0733" instance="Azure AD_Azure" version="1.1.2.1">Identity Manager REST Driver</product>
    		<contact>NetIQ Corporation.</contact>
    	</source>
    	<input>
    		<init-params>
    			<publisher-state>
    				<users_deltaLink>{deltaLink-value}</users_deltaLink>
    			</publisher-state>
    		</init-params>
    	</input>
    </nds>
    DirXML: [12/02/21 16:39:03.24]: TRACE:  Azure AD: Transaction: Publisher state document is ignored.
    DirXML: [12/02/21 16:39:03.24]: TRACE:  <nds dtdversion="3.5" ndsversion="8.x">
    	<source>
    		<product build="20210218_0733" instance="Azure AD_Azure" version="1.1.2.1">Identity Manager REST Driver</product>
    		<contact>NetIQ Corporation.</contact>
    	</source>
    	<input>
    		<init-params>
    			<publisher-state>
    				<users_deltaLink>{deltaLink-value}</users_deltaLink>
    			</publisher-state>
    		</init-params>
    	</input>
    </nds>
    DirXML: [12/02/21 16:39:03.24]: TRACE:  Azure AD: Received response document for publisher
    DirXML: [12/02/21 16:39:03.24]: TRACE:  <nds dtdversion="2.0" ndsversion="8.x">
    	<source>
    		<product build="20210513_0455" instance="Azure AD" version="5.1.4.0">Identity Manager Driver for Azure AD and Office 365</product>
    		<contact>NetIQ Corporation</contact>
    	</source>
    	<output>
    		<status level="success"/>
    	</output>
    </nds>
    DirXML: [12/02/21 16:39:03.24]: TRACE:  Azure AD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
    DirXML: [12/02/21 16:39:03.24]: TRACE:  Azure AD: Received event document from publisher
    DirXML: [12/02/21 16:39:03.24]: TRACE:  <nds dtdversion="3.5" ndsversion="8.x">
    	<source>
    		<product build="20210218_0733" instance="Azure AD_Azure" version="1.1.2.1">Identity Manager REST Driver</product>
    		<contact>NetIQ Corporation.</contact>
    	</source>
    	<input>
    		<init-params>
    			<publisher-state>
    				<users_deltaLink>{deltaLink-value}</users_deltaLink>
    			</publisher-state>
    		</init-params>
    	</input>
    </nds>
    DirXML: [12/02/21 16:39:03.24]: TRACE:  Azure AD: Transaction: Publisher state document is ignored.
    DirXML: [12/02/21 16:39:03.24]: TRACE:  <nds dtdversion="3.5" ndsversion="8.x">
    	<source>
    		<product build="20210218_0733" instance="Azure AD_Azure" version="1.1.2.1">Identity Manager REST Driver</product>
    		<contact>NetIQ Corporation.</contact>
    	</source>
    	<input>
    		<init-params>
    			<publisher-state>
    				<users_deltaLink>{deltaLink-value}</users_deltaLink>
    			</publisher-state>
    		</init-params>
    	</input>
    </nds>
    DirXML: [12/02/21 16:39:03.24]: TRACE:  Azure AD: Received response document for publisher
    DirXML: [12/02/21 16:39:03.24]: TRACE:  <nds dtdversion="2.0" ndsversion="8.x">
    	<source>
    		<product build="20210513_0455" instance="Azure AD" version="5.1.4.0">Identity Manager Driver for Azure AD and Office 365</product>
    		<contact>NetIQ Corporation</contact>
    	</source>
    	<output>
    		<status level="success"/>
    	</output>
    </nds>
    DirXML: [12/02/21 16:39:03.24]: TRACE:  Azure AD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
    DirXML: [12/02/21 16:39:03.25]: TRACE:  Remote Loader: Received document from publication shim.
    DirXML: [12/02/21 16:39:03.25]: TRACE:  <nds dtdversion="2.0" ndsversion="8.x">
    	<source>
    		<product build="20210513_0455" instance="Azure AD" version="5.1.4.0">Identity Manager Driver for Azure AD and Office 365</product>
    		<contact>NetIQ Corporation</contact>
    	</source>
    	<input>
    		<init-params>
    			<publisher-state>
    				<users_deltaLink>{deltaLink-value}</users_deltaLink>
    			</publisher-state>
    		</init-params>
    	</input>
    </nds>
    DirXML: [12/02/21 16:39:03.25]: TRACE:  Remote Loader: Writing driver state to file
    DirXML: [12/02/21 16:39:03.25]: TRACE:  Remote Loader: State document:
    DirXML: [12/02/21 16:39:03.25]: TRACE:  <init-params>
    	<publisher-state>
    		<users_deltaLink>{deltaLink-value}</users_deltaLink>
    	</publisher-state>
    </init-params>
    DirXML: [12/02/21 16:39:03.25]: TRACE:  Remote Loader: Document consists only of state; not sending to remote side
    DirXML: [12/02/21 16:39:03.25]: TRACE:  Remote Loader: Returning to publisher:
    DirXML: [12/02/21 16:39:03.25]: TRACE:  <nds dtdversion="4.0" ndsversion="8.x">
    	<output>
    		<status level="success"/>
    	</output>
    </nds>
    
    Full disclosure: some RL trace lines between the request to AzureAD (Azure AD_Azure: Custom: preparing GET to https://...) and the response (Azure AD_Azure: {"odata.metadata...) were deleted, since they are just requesting the OAuth token, setting headers and similar, so they are irrelevant: the result is received from Azure and only later lost/ignored.
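To make the poll cycle quoted above concrete, here is an added Python example (written for this thread, not code from the NetIQ/Micro Focus driver or the REST shim) that parses an Azure AD Graph `directoryObjects` delta page of the shape shown in the trace, turns `DirectoryLinkChange` entries into group-membership events, and advances the stored `users_deltaLink` the way a publisher state document would. The sample page, the GUIDs and the `TOKEN-*` delta tokens are constructed placeholders; the `aad.nextLink` paging key and the `fetch` callable are assumptions about how a client would follow multi-page results, not something the thread shows.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample page mirroring the response quoted in the thread: one member
# removal on a group (aad.isDeleted = true) plus an unrelated user object that a
# membership-only consumer should ignore. All identifiers are placeholders.
SAMPLE_PAGE = json.dumps({
    "odata.metadata": "https://graph.windows.net/<tenant>/$metadata#directoryObjects",
    "aad.deltaLink": "https://graph.windows.net/<tenant>/directoryObjects?deltaLink=TOKEN-2",
    "value": [
        {
            "odata.type": "Microsoft.DirectoryServices.DirectoryLinkChange",
            "aad.isDeleted": True,
            "aad.isSoftDeleted": False,
            "objectType": "DirectoryLinkChange",
            "objectId": "00000000-0000-0000-0000-000000000000",
            "deletionTimestamp": None,
            "associationType": "Member",
            "sourceObjectId": "11111111-1111-1111-1111-111111111111",
            "sourceObjectType": "Group",
            "sourceObjectUri": "https://graph.windows.net/<tenant>/groups/11111111-1111-1111-1111-111111111111",
            "targetObjectId": "22222222-2222-2222-2222-222222222222",
            "targetObjectType": "User",
            "targetObjectUri": "https://graph.windows.net/<tenant>/users/22222222-2222-2222-2222-222222222222",
        },
        {   # constructed: a plain user change in the same page, not a link change
            "odata.type": "Microsoft.DirectoryServices.User",
            "objectId": "33333333-3333-3333-3333-333333333333",
            "displayName": "Constructed User",
        },
    ],
})


@dataclass(frozen=True)
class MembershipChange:
    """One group-membership link change reported by the delta query."""
    group_id: str
    user_id: str
    removed: bool  # True when aad.isDeleted is set on the DirectoryLinkChange


def delta_token(url: Optional[str]) -> Optional[str]:
    """Extract the opaque deltaLink token from an aad.deltaLink / aad.nextLink URL."""
    if not url:
        return None
    return parse_qs(urlparse(url).query).get("deltaLink", [None])[0]


def parse_delta_page(body: str):
    """Parse one delta page into (membership changes, nextLink token, deltaLink token)."""
    doc = json.loads(body)
    changes = []
    for item in doc.get("value", []):
        # Only Group -> User 'Member' links matter for membership synchronisation.
        if item.get("odata.type") != "Microsoft.DirectoryServices.DirectoryLinkChange":
            continue
        if item.get("associationType") != "Member":
            continue
        if item.get("sourceObjectType") != "Group" or item.get("targetObjectType") != "User":
            continue
        changes.append(MembershipChange(
            group_id=item["sourceObjectId"],
            user_id=item["targetObjectId"],
            removed=bool(item.get("aad.isDeleted", False)),
        ))
    # aad.nextLink (assumed key) means more pages; aad.deltaLink is the token for the next poll.
    return changes, delta_token(doc.get("aad.nextLink")), delta_token(doc.get("aad.deltaLink"))


def poll_once(state: dict, fetch: Callable[[str], str], tenant: str = "<tenant>"):
    """One publisher poll: follow paging, collect changes, return the advanced state."""
    base = (f"https://graph.windows.net/{tenant}/directoryObjects?api-version=1.6"
            "&$filter=isof('Microsoft.DirectoryServices.User')+or+isof('Microsoft.DirectoryServices.Group')")
    token = state.get("users_deltaLink")
    collected = []
    while True:
        url = base + (f"&deltaLink={token}" if token else "")
        changes, next_token, final_token = parse_delta_page(fetch(url))
        collected.extend(changes)
        if next_token:          # more pages in this poll cycle
            token = next_token
            continue
        if final_token:         # persist this so the next poll only sees new changes
            token = final_token
        return collected, {"users_deltaLink": token}


def demo_poll():
    """Run one poll against the constructed page using a fake fetch that records the URL."""
    requested = []

    def fake_fetch(url: str) -> str:
        requested.append(url)
        return SAMPLE_PAGE

    events, new_state = poll_once({"users_deltaLink": "TOKEN-1"}, fake_fetch)
    return events, new_state, requested


if __name__ == "__main__":
    for ev in demo_poll()[0]:
        print(("remove" if ev.removed else "add"), ev.user_id, "->", ev.group_id)
```

The point the trace makes is visible in the last two return values of `poll_once`: the delta token must be persisted (the driver writes it as `users_deltaLink` publisher state) *and* the membership events must be emitted in the same cycle. If only the state is carried forward, as in the "Document consists only of state" line above, the removal is consumed by the token advance and will not be reported again on the next poll.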
  • Hi Sebastijan,

    I'm not sure if this query will be able to detect changes in the groups.

    GET to graph.windows.net/.../directoryObjects

    According to the MS documentation, to detect changes in the groups it is supposed to have a different format:

    GET graph.microsoft.com/.../delta
