The Azure AD Driver is a new addition to the NetIQ family of drivers. The driver is an enhanced version for the Office 365 driver, so the name "Office 365 and Azure Active Directory driver" with the initial version 5.0.0.0.

Introduction:

The Azure AD driver allows you to provision or deprovision users, groups, exchange mailboxes, mail users, roles, and licenses to Azure AD Cloud. The driver can also be configured to integrate with IDM Service for Exchange Online for synchronizing Office 365 attributes. The Azure driver uses a new Windows component called the Exchange Service, which will be explained further in the article.

The high-level driver architecture is as given below:

Image: https://www.netiq.com/documentation/identity-manager-46-drivers/msazure_ad/data/b1ly3x4y.html

Summary:

Let's understand how the Azure AD driver graph implementation is different from the Office 365 driver implementation.

The Windows Azure AD Graph provides programmatic access to Windows Azure Active Directory (AD) through REST API endpoints. Using the Windows Azure AD Graph developers can execute create, read, update, and delete (CRUD) operations on Windows Azure AD objects such as users and groups. In the on-premise world, you would usually programmatically access Windows Server Active Directory by using ADSI or ADO.NET libraries. In the cloud, you programmatically access Windows Azure AD using Windows Azure AD Graph.

• This new driver is now used to connect to REST endpoints exposed by the Windows Azure platform. The driver is able to add, modify, delete, and query users and groups on Windows Azure platform.

• The Azure Active Directory Graph API provides programmatic access to Azure AD through REST API endpoints. Applications can use the Graph API to perform create, read, update, and delete (CRUD) operations on directory data and objects. REST Driver for Azure Active Directory leverages these REST Endpoints to create, update and delete Users and Groups.

The following operations are supported:

• Create a new user in a directory

• Get a user’s detailed properties, such as their groups

• Update a user’s properties, such as their location and phone number, or change their password

• Check a user’s group membership for role-based access

• Disable a user’s account or delete it entirely

• Create a new group in a directory

Many of these operations are already supported via Identity Manager O365 Driver. However REST Driver for Azure would provide following advantages:

• Strengthen IDM driver offerings for cloud.

• Eliminate the need of using a Windows server to setup the driver.

• Leverage the efficient programmatic access provided by Microsoft instead of the existing approach of using PowerShell.

• Provide a change log based publisher channel instead of a cache based one

• Oauth 2.0 Support

This driver implements the following features:

• Support entitlements based provisioning/de-provisioning for Office 365 & Azure AD in a single driver

• Bi-directional attribute/permission sync

• No dependency on a “helper” box for Azure AD environments

• Better Scalability for managing Office 365

• Improved Office 365 license handling capability

• Account tracking & Data collection for both Office 365 & Azure AD

• Upgrade/Migration from Office 365 driver to new driver

• Approach to support Coexistence for AD Driver and AAD Connect

Azure Schema

Directory schema extensions enable application developers to extend the directory and develop richer applications without worrying about the limitations imposed by an external store.

Online Schema fetch
Azure REST Driver would use the exposed query interface by the REST driver to make an HTTP GET query to Azure.

The Azure Schema can be downloaded from the link below:

Download Azure Schema

OAuth 2.0 - Authentication Method Support

OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access.

Instructions for obtaining the Client ID and Client Secret for the Azure AD driver from the Azure cloud portal are in the article https://www.netiq.com/communities/cool-solutions/creating-application-client-id-client-secret-microsoft-azure-old-portal-part-2/

Note: The delete operation on Azure AD requires certain ServicePrincipal settings to be configured using PowerShell. If this is not done the delete would fail with an unauthorized error. To know how to provide permissions see the article https://www.netiq.com/communities/cool-solutions/creating-application-client-id-client-secret-microsoft-azure-new-portal/ in the section Providing rights to your Client ID / application via PowerShell.

Implementation Details for Rest Azure

 

Portability Considerations:

• The Azure Driver is supported from IDM 4.5.5 onwards.

• The driver will run on the local meta-directory server as well as on the remote loader (.Net Remote loader dependency is removed as it was mandatory in Office 365 driver)

External Interface:

• The Rest Driver Utility will be used to make out of band HTTP calls via the rest driver to Azure AD.

Subscriber
To perform operations on users with the Graph API, you send HTTP requests with a supported method (GET, POST, PATCH, PUT, or DELETE) to an endpoint that targets the users resource collection, a specific user, a navigation property of a user, or a function or action that can be called on a user.

Publisher
The Azure AD driver uses the generic REST driver publisher implementation to search for changes on Azure AD. The generic REST driver is configured to run publisher on poll mode. The REST resources that need synchronization are configured in the publisher channel by passing their relevant REST URIs.

The Azure driver maintains the state of Azure AD in the dirxml-DriverStorage attribute.

The Azure AD driver will support 2 modes of operation, you need to decide which mode of operation the driver should run in before deploying the driver to IDV. One driver can run in only one mode on a given server.

Listed below are the 2 driver modes of operations: (Only one package can be selected)

1. Azure AD Cloud Only Entitlements

or

2. Azure AD Hybrid Entitlements

2. Azure AD Hybrid Entitlements Operation Mode in Azure AD

Hybrid mode is a mode in the Azure AD driver, where the Active Directory driver (connected to Active directory server), Microsoft Active Directory Connect and the Azure AD driver are involved / responsible for any user / group events to be synced with the Cloud Application.

Note: In Hybrid mode, Users and groups modification will not be allowed through publisher channel, only subscriber channel operations for graph user and group are allowed i.e. via Active Directory driver only. However in subscriber channel roles and licenses are handled by the Azure AD driver.

Image: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

Note: For the Azure AD driver to perform in Limited Entitlements Operation Mode, "Azure AD Hybrid Entitlements" package should be selected as shown in the below screen shot



Below are the Prerequisites before installing the Azure AD connect on your server:

Azure AD Connect will help you to integrate the on-premises directories with Azure Active Directory. This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.

The DC or member server you will be using as the Azure AD Connect machine in your environment must meet the following minimum specs.

Number of objects in Active Directory

CPU

Memory

Hard drive size

Fewer than 10,000

1.6 GHz

4 GB

70 GB

10,000–50,000

1.6 GHz

4 GB

70 GB

50,000–100,000

1.6 GHz

16 GB

100 GB

For 100,000 or more objects the full version of SQL Server is required

100,000–300,000

1.6 GHz

32 GB

300 GB

300,000–600,000

1.6 GHz

32 GB

450 GB

More than 600,000

1.6 GHz

32 GB

500 GB

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites

For more information see: Azure Documentation: Prerequisites for Azure AD Connect

Download the latest Azure Active Directory Connect using the link below:

https://www.microsoft.com/en-in/download/details.aspx?id=47594

Once Azure AD connect is installed on your server, proceed with further steps to bring up Azure AD driver.

Secure Driver Communication

After selecting the required Azure AD packages, SSL needs to configured for the Azure AD driver which is a mandatory step.

A keystore has to be created and made as trust store (When the remote server is configured to provide server authentication, the path and the name of the keystore file which contains trusted certificates should be provided in the subscriber settings of the driver parameters)

To set up SSL between the driver and Identity Manager Service for Exchange Online, you need to create and import a server certificate into the root certificate store of the Windows server where the service is deployed.

The detailed steps are documented in the official NetIQ Azure AD driver documentation.

The truststore path should be provided while configuring the driver.



Exchange Server Service should be installed on any supported Windows platform if you use Exchange online connection for the driver to perform exchange related operations.

Exchange Service is a Windows component implemented specifically for the communication between Azure AD driver and the Exchange online, which is an alternative way for Windows PowerShell.

There are advantages of using the Exchange service over the Windows PowerShell like Performance and space requirements. The port can be configured for any free available port on the server.

If you have installed the Exchange service using the official NetIQ Azure AD driver documentation, the URL should looks like:

Syntax: https://<ip-addr>:<port>/ExchServer     EX: https://194.99.xx.xx:8987/ExchServer

To check if the Exchange Server Service is running on the installed Windows server copy and paste the URL in any supported browser which should look like the below screenshot, if the Exchange server is running.



After you are done with the Exchange service URL in the driver parameter you can enter the Client ID and Client secret obtained from the Azure portal from your domain, which is clearly documented in one of the articles below:

https://www.netiq.com/communities/cool-solutions/creating-application-client-id-client-secret-microsoft-azure-old-portal-part-2/

or

https://www.netiq.com/communities/cool-solutions/creating-application-client-id-client-secret-microsoft-azure-new-portal/

Provide the Client ID and Client Secret in the driver parameters under Azure AD information section as shown below.



This should help you to understand this new driver to an extent, reading more about the driver in the official NetIQ documentation site will give you even more better understanding about this driver.

Driver Documentation: https://www.netiq.com/documentation/identity-manager-46-drivers/msazure_ad/data/bookinfo.html

The driver can be downloaded from https://dl.netiq.com/Download?buildid=M31KZBwbK6A~

Reference:

For more Azure AD Graph API related reference please visit: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog

Currently all the supported operation for users and groups are handled in the initial driver for Azure AD 5.0.0 release

Thanks for reading