Simplified guide to understand new features implemented in Office 365 and Azure AD 5.0 Driver
The Azure AD driver is a new addition to the NetIQ family of drivers. It is an enhanced version of the Office 365 driver, hence the name "Office 365 and Azure Active Directory driver", with the initial version 5.0.0.0.
Introduction:
The Azure AD driver allows you to provision or deprovision users, groups, Exchange mailboxes, mail users, roles, and licenses in the Azure AD cloud. The driver can also be configured to integrate with the IDM Service for Exchange Online for synchronizing Office 365 attributes. The Azure driver uses a new Windows component called the Exchange Service, which is explained later in the article.
The high-level driver architecture is as given below:
Let's understand how the Azure AD driver graph implementation is different from the Office 365 driver implementation.
The Windows Azure AD Graph provides programmatic access to Windows Azure Active Directory through REST API endpoints. Using it, developers can execute create, read, update, and delete (CRUD) operations on Windows Azure AD objects such as users and groups. On premises you would usually access Windows Server Active Directory programmatically through the ADSI or ADO.NET libraries; in the cloud, you access Windows Azure AD through the Windows Azure AD Graph.
The new driver connects to the REST endpoints exposed by the Windows Azure platform and can add, modify, delete, and query users and groups there.
The Azure Active Directory Graph API provides programmatic access to Azure AD through REST API endpoints, and applications use it to perform CRUD operations on directory data and objects. The REST driver for Azure Active Directory leverages these endpoints to create, update and delete users and groups.
The following operations are supported:
Create a new user in a directory
Get a user’s detailed properties, such as their groups
Update a user’s properties, such as their location and phone number, or change their password
Check a user’s group membership for role-based access
Disable a user’s account or delete it entirely
Create a new group in a directory
Many of these operations are already supported by the Identity Manager O365 driver. However, the REST driver for Azure provides the following advantages:
Strengthens the IDM driver offerings for the cloud.
Eliminates the need for a Windows server to set up the driver.
Leverages the efficient programmatic access provided by Microsoft instead of the existing approach of using PowerShell.
Provides a change-log-based publisher channel instead of a cache-based one.
OAuth 2.0 support.
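To make the subscriber-side picture concrete, here is an added example (not NetIQ's driver code and not taken from the article) of the calls the operations list above describes: an OAuth 2.0 client-credentials token request followed by the user and group operations against the Azure AD Graph REST endpoints. The tenant name, user and group names, the Client ID and Client Secret placeholders, the `api-version=1.6` URL shape and the injected `transport` callable are assumptions; `FakeTenant` is a constructed in-memory stand-in so the script runs offline and the exact requests can be inspected.

```python
# Added example, not NetIQ driver code: subscriber-side calls to the Azure AD Graph REST
# endpoints. API version, URL shapes and the transport interface are assumptions.
import json
from urllib.parse import urlencode

GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"                                   # assumed Azure AD Graph API version

class GraphClient:
    def __init__(self, tenant, client_id, client_secret, transport):
        self.tenant, self.client_id, self.client_secret = tenant, client_id, client_secret
        self.transport, self.token = transport, None   # transport(method, url, headers, body)

    def acquire_token(self):
        # OAuth 2.0 client-credentials grant: Client ID and Client Secret from the Azure portal
        # are exchanged for a bearer token; the secret is sent only to this endpoint.
        form = urlencode({"grant_type": "client_credentials", "client_id": self.client_id,
                          "client_secret": self.client_secret, "resource": GRAPH})
        status, body = self.transport(
            "POST", f"https://login.microsoftonline.com/{self.tenant}/oauth2/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        self.token = json.loads(body)["access_token"]

    def _call(self, method, path, payload=None):
        if self.token is None:
            self.acquire_token()
        url = f"{GRAPH}/{self.tenant}/{path}?api-version={API_VERSION}"
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        status, resp = self.transport(method, url, headers,
                                      json.dumps(payload) if payload is not None else None)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {resp}")
        return json.loads(resp) if resp else None     # PATCH and DELETE answer 204, no body

    def create_user(self, upn, display_name, mail_nickname, initial_password):
        return self._call("POST", "users", {
            "accountEnabled": True, "displayName": display_name, "mailNickname": mail_nickname,
            "userPrincipalName": upn, "passwordProfile": {
                "password": initial_password, "forceChangePasswordNextLogin": True}})
    def get_user_groups(self, upn):                   # group membership, e.g. for RBAC checks
        return self._call("GET", f"users/{upn}/memberOf")["value"]
    def update_user(self, upn, **props):              # e.g. usageLocation, telephoneNumber
        return self._call("PATCH", f"users/{upn}", props)
    def disable_user(self, upn):
        return self.update_user(upn, accountEnabled=False)
    def delete_user(self, upn):
        return self._call("DELETE", f"users/{upn}")
    def create_group(self, display_name, mail_nickname):
        return self._call("POST", "groups", {"displayName": display_name, "mailNickname":
                          mail_nickname, "mailEnabled": False, "securityEnabled": True})

class FakeTenant:
    """Constructed offline stand-in for a tenant: records requests, keeps a tiny directory."""
    def __init__(self):
        self.requests, self.users, self.groups, self.member_of = [], {}, {}, {}

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url))
        if url.endswith("/oauth2/token"):
            return 200, json.dumps({"access_token": "constructed-token", "token_type": "Bearer"})
        if headers.get("Authorization") != "Bearer constructed-token":
            return 401, json.dumps({"odata.error": {"code": "Authentication_MissingOrMalformed"}})
        path = url[len(GRAPH) + 1:].split("?", 1)[0].split("/", 1)[1]   # drop tenant and query
        data = json.loads(body) if body else {}
        if method == "POST" and path in ("users", "groups"):
            store = getattr(self, path)
            key = "userPrincipalName" if path == "users" else "displayName"
            obj = {k: v for k, v in data.items() if k != "passwordProfile"}   # never echo it
            obj["objectId"] = f"{path[0]}id-{len(store) + 1}"
            store[data[key]] = obj
            return 201, json.dumps(obj)
        if path.startswith("users/") and (upn := path.split("/")[1]) in self.users:
            if method == "GET" and path.endswith("/memberOf"):
                return 200, json.dumps({"value": self.member_of.get(upn, [])})
            if method == "PATCH":
                self.users[upn].update(data)
                return 204, ""
            if method == "DELETE":
                del self.users[upn]
                return 204, ""
        return 404, json.dumps({"odata.error": {"code": "Request_ResourceNotFound"}})

def demo():
    upn = "alice@contoso.onmicrosoft.com"              # constructed tenant, user and group
    tenant = FakeTenant()
    tenant.member_of[upn] = [{"objectType": "Group", "displayName": "SG-IDM-Users"}]
    client = GraphClient("contoso.onmicrosoft.com", "client-id-placeholder",
                         "client-secret-placeholder", tenant)
    created = client.create_user(upn, "Alice Example", "alice", "initial-password-placeholder")
    groups = [g["displayName"] for g in client.get_user_groups(upn)]
    client.update_user(upn, usageLocation="US", telephoneNumber="+1 555 0100")
    client.disable_user(upn)
    disabled = tenant.users[upn]["accountEnabled"] is False
    group = client.create_group("SG-IDM-Contractors", "sg-idm-contractors")
    client.delete_user(upn)
    return {"user_object_id": created["objectId"], "groups": groups, "disabled": disabled,
            "group_object_id": group["objectId"], "user_exists": upn in tenant.users,
            "methods": [m for m, _ in tenant.requests]}
```

Calling `demo()` runs the full sequence (token request, create, membership lookup, two updates, group creation, delete) and returns what the fake tenant recorded. Replacing `FakeTenant` with a function that performs real HTTPS requests exercises the same client against a tenant. Two points worth noting for operations: the client keeps the bearer token in memory only and never logs the secret, and a request without the bearer header is rejected with a 401 (modelled on the service's odata.error response), which is the symptom of a wrong Client ID or Client Secret in the driver parameters.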
This driver implements the following features:
Support for entitlement-based provisioning/deprovisioning for Office 365 and Azure AD in a single driver
Bi-directional attribute/permission sync
No dependency on a "helper" box for Azure AD environments
Better scalability for managing Office 365
Improved Office 365 license handling
Account tracking and data collection for both Office 365 and Azure AD
Upgrade/migration from the Office 365 driver to the new driver
Approach to support coexistence of the AD driver and AAD Connect
Azure Schema
Directory schema extensions enable application developers to extend the directory and develop richer applications without worrying about the limitations imposed by an external store.
Online schema fetch: the Azure REST driver uses the query interface exposed by the REST driver to make an HTTP GET request to Azure for the schema.
The Azure Schema can be downloaded from the link below:
The Azure driver is supported from IDM 4.5.5 onwards.
The driver runs on the local metadirectory server as well as on the Remote Loader (the .NET Remote Loader dependency that was mandatory for the Office 365 driver has been removed).
External Interface:
The REST Driver Utility is used to make out-of-band HTTP calls via the REST driver to Azure AD.
Subscriber: To perform operations on users with the Graph API, you send HTTP requests with a supported method (GET, POST, PATCH, PUT, or DELETE) to an endpoint that targets the users resource collection, a specific user, a navigation property of a user, or a function or action that can be called on a user.
Publisher: The Azure AD driver uses the generic REST driver publisher implementation to search for changes in Azure AD. The generic REST driver is configured to run the publisher in poll mode. The REST resources that need synchronization are configured in the publisher channel by passing their relevant REST URIs.
The Azure driver maintains the state of Azure AD in the dirxml-DriverStorage attribute.
The Azure AD driver supports two modes of operation. You need to decide which mode the driver should run in before deploying it to the Identity Vault; one driver can run in only one mode on a given server.
Listed below are the two driver modes of operation (only one package can be selected):
1. Azure AD Cloud Only Entitlements
or
2. Azure AD Hybrid Entitlements
Azure AD Hybrid Entitlements operation mode in Azure AD
Hybrid mode is a mode of the Azure AD driver in which the Active Directory driver (connected to the Active Directory server), Microsoft Azure AD Connect and the Azure AD driver share responsibility for syncing user and group events with the cloud application.
Note: In Hybrid mode, user and group modifications are not allowed through the publisher channel; only subscriber channel operations for Graph users and groups are allowed, i.e. via the Active Directory driver only. Roles and licenses on the subscriber channel, however, are handled by the Azure AD driver.
Note: For the Azure AD driver to perform in Limited Entitlements Operation Mode, the "Azure AD Hybrid Entitlements" package should be selected as shown in the screenshot below.
Below are the prerequisites for installing Azure AD Connect on your server:
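The publisher behaviour described in the Publisher paragraph and in the hybrid-mode note above, as an added example that is not part of the article or of the NetIQ driver: a poll-mode publisher that reads the Azure AD Graph differential query page by page, stores the returned delta token between polls the way the driver keeps its Azure AD state in dirxml-DriverStorage, and in hybrid mode discards user and group events because that channel is owned by the Active Directory driver and Azure AD Connect. The `directoryObjects` URL, the `aad.nextLink`, `aad.deltaLink` and `aad.isDeleted` field names, the tenant name, the token value and the page contents are assumptions or constructed data; `FakeDeltaFeed` stands in for the tenant so the script runs offline.

```python
# Added example, not the NetIQ driver's code: a poll-mode publisher over the Azure AD Graph
# differential query. Page shapes, field names and the transport interface are assumptions.
import json

GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"                      # assumed Azure AD Graph version
TENANT = "contoso.onmicrosoft.com"       # constructed tenant name


class Publisher:
    def __init__(self, transport, driver_storage, hybrid_mode=False):
        self.transport = transport         # transport(url, token) -> (status, body); injected
        self.storage = driver_storage      # persisted between polls, like dirxml-DriverStorage
        self.hybrid_mode = hybrid_mode

    def poll(self, token):
        """One poll cycle: read every page of changes since the stored delta token."""
        # No stored token means a first run: an empty deltaLink asks for the full directory.
        url = self.storage.get("deltaLink") or \
            f"{GRAPH}/{TENANT}/directoryObjects?api-version={API_VERSION}&deltaLink="
        events = []
        while url:
            status, body = self.transport(url, token)
            if status != 200:
                raise RuntimeError(f"poll failed with HTTP {status}; delta token left unchanged")
            page = json.loads(body)
            events += [e for e in map(self._classify, page.get("value", [])) if e]
            if "aad.nextLink" in page:                    # more pages belong to this poll
                url = page["aad.nextLink"]
            else:                                          # last page: save state for next poll
                self.storage["deltaLink"] = page["aad.deltaLink"]
                url = None
        return events

    def _classify(self, obj):
        kind, oid = obj.get("objectType"), obj["objectId"]
        if self.hybrid_mode and kind in ("User", "Group"):
            return None        # AD driver + AAD Connect own these objects in hybrid mode
        if obj.get("aad.isDeleted"):
            return ("delete", kind, oid)
        attrs = {k: v for k, v in obj.items()
                 if k not in ("objectType", "objectId") and not k.startswith("aad.")}
        return ("change", kind, oid, attrs)    # add vs. modify is decided later via association


class FakeDeltaFeed:
    """Constructed pages (not captured from a tenant) in the differential-query shape:
    poll 1 spans two pages, poll 2 is one incremental page with a modify and a delete."""
    def __init__(self):
        base = f"{GRAPH}/{TENANT}/directoryObjects?api-version={API_VERSION}"
        self.pages = {
            base + "&deltaLink=": {
                "value": [{"objectType": "User", "objectId": "u1", "displayName": "Alice"},
                          {"objectType": "Group", "objectId": "g1", "displayName": "SG-IDM"}],
                "aad.nextLink": base + "&skiptoken=page2"},
            base + "&skiptoken=page2": {
                "value": [{"objectType": "User", "objectId": "u2", "displayName": "Bob"}],
                "aad.deltaLink": base + "&deltaLink=after-poll-1"},
            base + "&deltaLink=after-poll-1": {
                "value": [{"objectType": "User", "objectId": "u1", "telephoneNumber": "+1 555 0100"},
                          {"objectType": "User", "objectId": "u2", "aad.isDeleted": True}],
                "aad.deltaLink": base + "&deltaLink=after-poll-2"},
        }
        self.calls = []

    def __call__(self, url, token):
        self.calls.append(url)
        if token != "constructed-token":
            return 401, json.dumps({"odata.error": {"code": "Authentication_MissingOrMalformed"}})
        if url not in self.pages:
            return 404, json.dumps({"odata.error": {"code": "Request_ResourceNotFound"}})
        return 200, json.dumps(self.pages[url])


def demo(hybrid_mode=False):
    """Two consecutive polls; the second resumes from the delta token the first stored."""
    feed, storage = FakeDeltaFeed(), {}
    pub = Publisher(feed, storage, hybrid_mode)
    first = pub.poll("constructed-token")
    second = pub.poll("constructed-token")
    return {"first": first, "second": second, "calls": len(feed.calls),
            "state": storage["deltaLink"].rsplit("=", 1)[1]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(hybrid_mode=True), indent=2))
```

The first poll walks both pages and yields three change events; the second poll starts from the stored token and yields one modify and one delete, and the state dict ends up holding the newest token. In hybrid mode both polls return nothing, but the token still advances, so the stored state stays current even while the channel is not applying user and group changes. Because the token is only saved after a page is parsed successfully, a failed poll leaves the old token in place and the next poll simply re-reads the same changes.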
Azure AD Connect will help you to integrate the on-premises directories with Azure Active Directory. This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.
The DC or member server you will be using as the Azure AD Connect machine in your environment must meet the following minimum specifications.

| Number of objects in Active Directory | CPU     | Memory | Hard drive size |
|---------------------------------------|---------|--------|-----------------|
| Fewer than 10,000                     | 1.6 GHz | 4 GB   | 70 GB           |
| 10,000–50,000                         | 1.6 GHz | 4 GB   | 70 GB           |
| 50,000–100,000                        | 1.6 GHz | 16 GB  | 100 GB          |

For 100,000 or more objects the full version of SQL Server is required.
Once Azure AD Connect is installed on your server, proceed with the following steps to bring up the Azure AD driver.
Secure Driver Communication
After selecting the required Azure AD packages, SSL needs to be configured for the Azure AD driver; this is a mandatory step.
A keystore has to be created and used as the trust store. When the remote server is configured to provide server authentication, the path and name of the keystore file containing the trusted certificates must be provided in the subscriber settings of the driver parameters.
To set up SSL between the driver and Identity Manager Service for Exchange Online, you need to create and import a server certificate into the root certificate store of the Windows server where the service is deployed.
The detailed steps are documented in the official NetIQ Azure AD driver documentation.
The truststore path should be provided while configuring the driver.
The Exchange Server Service should be installed on a supported Windows platform if you use the Exchange Online connection for the driver to perform Exchange-related operations.
The Exchange Service is a Windows component implemented specifically for communication between the Azure AD driver and Exchange Online, as an alternative to Windows PowerShell.
The Exchange Service has advantages over Windows PowerShell, such as performance and space requirements. Its port can be set to any free port on the server.
If you installed the Exchange Service following the official NetIQ Azure AD driver documentation, the URL should look like:
To check that the Exchange Server Service is running on the Windows server where it is installed, paste the URL into any supported browser; if the service is running, the page should look like the screenshot below.
After entering the Exchange Service URL in the driver parameters, enter the Client ID and Client Secret obtained from the Azure portal for your domain, which is documented in one of the articles below:
Provide the Client ID and Client Secret in the driver parameters under the Azure AD information section as shown below.
This should help you understand the new driver to some extent; reading more about it on the official NetIQ documentation site will give you a better understanding of the driver.