Chris Boyle Regular Contributor.

Azure AD Driver O365 Licensing Not Working assignLicenses

Hi all, 

I'm having an issue with a 4.6 Azure AD Licensing Driver. The driver is configured using an RL server and is working fine for synchronising attributes. 

I have NOT added the Entitlement Package to deal with licenses, as we don't have a UserApp. 

Essentially I am setting the assignLicense value manually in policy.

I have tried different types of value, and get success messages in each case, but the licenses don't apply; when I set them using GraphAPI directly it all works. 

What value should be added to the AssignLicenses? Should it be the SKUID, the SKU Name, or GUID? I don't have an environment to check.

(NOTE: Subsequently it looks like the SkuID GUID is needed, but it doesn't seem like the driver is issuing the POST command. It is doing a couple of GET commands, but doesn't try to assign the licenses.)

Some trace here so you can see what I am doing (only included RL trace, as you can see that the assignLicense value is being set):

RL Trace Attached

 

 

I have also tried the following values:

<modify-attr attr-name="assignLicense">
<add-value>
<value type="string">"94763226-9b3c-4e75-a931-5c89701abe66"</value>
</add-value>
</modify-attr>

<modify-attr attr-name="assignLicense">
<add-value>
<value type="string">STANDARDWOFFPACK_FACULTY</value>
</add-value>
</modify-attr>

<modify-attr attr-name="assignLicense">
<add-value>
adXXXtst:STANDARDWOFFPACK_FACULTY
</add-value>
</modify-attr>

 

Chris Boyle Regular Contributor.

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

I have also now patched to the latest version for 4.6, which is driver version 5.0.2.0

Attached is the trace. I noticed that you only need to set usageLocation once, hence the error in the last trace. This is the most up to date trace

Also we haven't installed the Exchange Service. Is the exchange service required to license the users?

Knowledge Partner

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

Exchange service is required for PowerShell commands and the license management is done via REST.  So no, you would not need the Exchange Service for this task per se.

 

As for the value, I have to dig through some trace samples (don't have access to the system anymore) but I remember thinking the value for a license was 'odd' and not exactly what I would have expected. 

 

Chris Boyle Regular Contributor.

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

Hi Geoff,

Thanks for the prompt response.

It looks like it calls all of the other commands via REST, and I can paste them into the Azure graph explorer and they all work.
https://graphexplorer.azurewebsites.net/#

It doesn't seem to do the POST one though, and whether that's just due to a malformed value I'm not sure. It would be great if you could have a look at your previous traces.

In the default driver it uses an ecmaScript command getEntParamField, to retrieve the ID from the DirXML-entitlementRef attribute value, which I assume must be the GUID.

Hope that helps!
Knowledge Partner

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

Yes, the ECMA gets the payload value of the EntitlementRef but is it the GUID or something which is not what I expected, which is my memory. I will get to looking at trace in a bit. Got something I am working on.

Chris Boyle Regular Contributor.

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

Hi Geoff, you didn't manage to find any traces did you, I have tried just about every value I can think of!
Knowledge Partner

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

So looking at an old trace, I see it in this format;

<modify-attr attr-name="assignLicense">
<add-value>
<value type="string">STANDARDWOFFPACK_FACULTY#0feaeb32-d00e-4d66-bd5a-43b5b12ac82c</value>
</add-value>
</modify-attr>

Which is what I meant by an odd format, the string then a # then the GUID.

Then another example in the entitlementIMpl that shows the <param> node value:

{"ID":"STANDARDWOFFPACK_FACULTY#bea4c11e-220a-4e6d-8eb8-8ea15d019f90"}

 

Hope that helps.

Chris Boyle Regular Contributor.

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

Amazing, this looks like it's now in the right format... however it looked like it tried to remove the assignment!! 

.......trace.......

<source>
<product edition="Standard" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>

<association state="associated">8a407133-af2f-493f-9253-534f88ff5300</association>
<modify-attr attr-name="usageLocation">
<remove-all-values/>
<add-value>
<value type="string">IE</value>
</add-value>
</modify-attr>
<modify-attr attr-name="assignLicense">
<add-value>
<value type="string">STANDARDWOFFPACK_FACULTY#94763226-9b3c-4e75-a931-5c89701bcE66</value>
</add-value>
</modify-attr>
</modify>
</input>

 

 

which gives.......

 

<source>
<product version="5.0.2.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="users" command="assignLicense">

<url-token/>
<header Content-Type="application/json"/>
{"addLicenses":[],"removeLicenses":["94763226-9b3c-4e75-a931-5c89701abe66"]}
</request>
</driver-operation-data>
</input>

 

which in turn, gives......

 

<source>
<product build="20170208_1048" version="1.0.0.1">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="error" type="driver-general">
<driver-operation-data class-name="users" command="assignLicense" dest-dn="">

<url-token/>
<header Content-Type="application/json"/>
{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"User does not have a corresponding license."},"requestId":"ad9be7ba-fcdb-4cb3-a9ab-e72e3603aca5","date":"2019-06-26T13:24:41"}}
</response>
</driver-operation-data>
</status>
</output>

 

Which you would expect, that the error is correct, but that means when adding the value, it's parsing it and REVOKING rather than adding. 

I wonder if it needs #1# or something ???

Do you have any more trace at all?

Cheers

Chris

 

Chris Boyle Regular Contributor.

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

Hi Geoff, 

After more investigation, the Value is set to 

<skuPartNumber>#<servicePlanId>

e.g.

--To Add KAIZALA_O365_P2 to the A1 Faculty plan.......would be 
STANDARDWOFFPACK_FACULTY#54fc630f-5a40-48ee-8965-af0503c1386e

This means that we have to do multiple separate calls to add a license. 

Is there not a way to assign a plan, like the STANDARDWOFFPACK_FACULTY in its entirety? rather than have to issue lots of commands to add each license? i.e. issue a command for the full collection of licenses?

Similar question for the removal?

Cheers

Chris

Knowledge Partner

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

I THINK that the shim is doing some shenanigans...

I THINK that when you add a license, the shim MIGHT be looking back to see the entire set of licenses assigned, and generating an add parent license, which includes all of them, and then removes the missing licenses.

I.e. A license at the high level includes all of them.  To ONLY grant one of the 12 sub licenses, you grant the parent and remove 11.  It is an intensely stupid model as far as I can tell.

I need to dig deeper in my trace to find you an example, sorry for the slow responses.

Chris Boyle Regular Contributor.

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

Hi Geoff

Yeah I agree about the model, however it does mean that when new licenses come onboard, then you don't have to update your code to reflect the new item, however just makes it so difficult for us! 

The problem I am now having is that I am unable to find out the combination to send to the API that will add a full plan, and not just a single license within the plan. 

On the old office365 driver you could just assign the STANDARDWOFFPACK_FACULTY plan. But on this driver it seems you can only assign the 12 subplan licenses. 

Have you been able to assign the full plan in one command?

Cheers Chris

Knowledge Partner

Re: Azure AD Driver O365 Licensing Not Working assignLicenses

I hear your use case, and I am not sure. The old approach in the O365 driver, was sort of add the main SKU then remove permissions.  The new approach in Azure driver is to do it permission by permission.  (Which I THINK the driver fakes out as add the main SKU and then remove the ones you need removed).

It is not that hard to just add all the values to a user to work around that. Since you are not using the Resource model, you could have a query in your driver that gets the resource values, store them as strings on some DirXML-Resource object in the driver context, then when you add your flag attribute for the main SKU package, read out that object and add all the values as assignLicense attributes...

Give yourself a trigger to make it query and update the available values. Maybe one object per license type?  I have half that code already done, since I wrote a package to go make Resources with entitlements for all the available Permissions, since it is a pain to do by hand.

 

0 Likes
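An added example, not part of any post above and not the driver's own code: a sketch of the workaround discussed in the thread, expanding one SKU into a `skuPartNumber#servicePlanId` value per service plan and rejecting the malformed values tried earlier. It assumes the value format reported in the thread and an input shaped like a Graph subscribedSkus listing; the function names and the second service plan are hypothetical, and how the driver handles several values in one modify-attr is not confirmed by the thread.

```javascript
// Added example, not driver code. Sample data is constructed; the two real
// GUIDs are the ones quoted in the thread, the third is a placeholder.
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

const sampleSkus = [{
  skuId: "94763226-9b3c-4e75-a931-5c89701abe66",
  skuPartNumber: "STANDARDWOFFPACK_FACULTY",
  servicePlans: [
    { servicePlanName: "KAIZALA_O365_P2",
      servicePlanId: "54fc630f-5a40-48ee-8965-af0503c1386e" },
    { servicePlanName: "EXAMPLE_PLAN_B", // placeholder entry
      servicePlanId: "00000000-0000-0000-0000-00000000000b" }
  ]
}];

// Returns null for a usable value, otherwise the reason it is rejected.
function checkValue(value, skus) {
  const parts = value.split("#");
  if (parts.length !== 2) return "expected skuPartNumber#servicePlanId";
  const [partNumber, id] = parts;
  if (!GUID.test(id)) return "right side is not a GUID";
  const sku = skus.find(s => s.skuPartNumber === partNumber);
  if (!sku) return "unknown skuPartNumber";
  if (id.toLowerCase() === sku.skuId.toLowerCase())
    return "GUID is the skuId, not a servicePlanId";
  const known = sku.servicePlans.some(
    p => p.servicePlanId.toLowerCase() === id.toLowerCase());
  return known ? null : "servicePlanId not part of this SKU";
}

// One value per service plan, i.e. the "full plan" expressed plan by plan.
function valuesForSku(skus, partNumber) {
  const sku = skus.find(s => s.skuPartNumber === partNumber);
  if (!sku) throw new Error("SKU not in tenant: " + partNumber);
  return sku.servicePlans.map(p => partNumber + "#" + p.servicePlanId);
}

// Render the values as a single XDS modify-attr element.
function toModifyAttr(values, skus) {
  const rows = values.map(v => {
    const why = checkValue(v, skus);
    if (why) throw new Error(v + ": " + why);
    return '  <add-value>\n    <value type="string">' + v +
           '</value>\n  </add-value>';
  });
  return '<modify-attr attr-name="assignLicense">\n' + rows.join("\n") +
         '\n</modify-attr>';
}
```

Refreshing the SKU list on a trigger, as suggested in the last reply, keeps the expansion current when new service plans are added to a SKU.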