Captain

Azure AD Driver - How to check whether a mailbox is created

Hi,

Is there a method to check whether a mailbox user has been created in the tenant?

Which attribute should I query?

Mailboxsettings seems not to be working in the driver... and there is no way to set a local var from a tenant query output.

Thanks

Knowledge Partner

Is this a hybrid solution (with Microsoft AADConnect) or are you solely using the NetIQ driver?

In the former scenario, there are some attributes written back to AD by AADConnect which you can then sync to (predefined by NetIQ) attributes in IDM and then trigger actions based on them changing. This I have done.

I think it was the LegacyExchangeDN I looked at to determine where a mailbox was provisioned (online or on-premises).

Not (yet) done this with the non-hybrid config of the NetIQ driver. However, I assume you could do something similar.

Also, MS does a lot of “thin” provisioning in their exchange environment. So some things on a mailbox are not provisioned until the user logs into mailbox for first time. That can catch you out if you aren’t thinking about this.
Alex McHugh - Knowledge Partner - Stavanger, Norway
Captain

Hi,

No, I don't have a hybrid solution...

I use the Exchange service installed on a Windows machine.

With the O365 driver I did a query via PowerShell that ran "Get-Mailbox -Identity "xxxxx"" and saved the result into a local variable.

With the Azure AD driver this is not possible, because you have to set a destination attribute.

I hope that with Graph I can query whether a mailbox is created, because I have to launch some PowerShell commands when the mailbox is created.

I see DirXML-AADObjectType, but I don't know whether, if I query this attribute and get a result (like UserMailbox), it means the mailbox has been created.

Do you have any idea?

 

Thanks a lot

Knowledge Partner

For receiving up-to-date information about EXO, I use EXO2 PowerShell.
All users that have an EXO mailbox have the ExchangeGUID attribute set.

@{n="ExchangeGUID";e={(Get-EXORecipient -ExternalDirectoryObjectId $_.ObjectId -ErrorAction SilentlyContinue -Properties ExchangeGUID).ExchangeGUID}}

These scripts are executed by the Sneakycat CLE driver (thank you, Aleksander, for your great driver!)

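The ExchangeGUID test above, written out as a reusable check. This is an added example and not the poster's al-get-exo-app.ps1; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline, Get-EXORecipient) and an app-only certificate connection like the one in the transcript later in the thread. The function name, the -Lookup parameter and the ObjectIds in the offline sample are hypothetical, and the sample data is constructed. It also checks RecipientTypeDetails, because a recipient can exist (as a MailUser) before the mailbox does, which the ExchangeGUID test alone does not distinguish from "no recipient at all".

```powershell
# Added example (not from the thread). Decide whether an AAD user has an EXO user mailbox
# by looking at the recipient's ExchangeGuid and RecipientTypeDetails.
function Test-ExoMailbox {
    param(
        [Parameter(Mandatory)][string]$ObjectId,   # AAD ObjectId == ExternalDirectoryObjectId in EXO
        # Lookup is injectable (hypothetical parameter) so the decision logic can run without a tenant.
        [scriptblock]$Lookup = {
            param($id)
            Get-EXORecipient -ExternalDirectoryObjectId $id -Properties ExchangeGuid,RecipientTypeDetails -ErrorAction SilentlyContinue
        }
    )
    $r = & $Lookup $ObjectId
    if ($null -eq $r) {
        # No recipient at all: no Exchange license yet, or EXO has not caught up with AAD.
        return [pscustomobject]@{ ObjectId = $ObjectId; HasMailbox = $false; Reason = 'no EXO recipient (unlicensed or replication lag)' }
    }
    $guidSet = [bool]$r.ExchangeGuid -and (([guid]$r.ExchangeGuid) -ne [guid]::Empty)
    # Assumption: a cloud-only MailUser carries the all-zero ExchangeGuid; checking the recipient type
    # as well avoids firing mailbox commands at a shared/room mailbox when a user mailbox was meant.
    $hasMailbox = $guidSet -and ($r.RecipientTypeDetails -eq 'UserMailbox')
    $reason = if ($hasMailbox) { "ExchangeGuid=$($r.ExchangeGuid)" }
              else { "RecipientTypeDetails=$($r.RecipientTypeDetails), ExchangeGuid=$($r.ExchangeGuid)" }
    [pscustomobject]@{ ObjectId = $ObjectId; HasMailbox = $hasMailbox; Reason = $reason }
}

# Constructed offline data standing in for Get-EXORecipient output (ObjectIds are made up).
$fakeTenant = @{
    '11111111-1111-1111-1111-111111111111' = [pscustomobject]@{ RecipientTypeDetails = 'UserMailbox'; ExchangeGuid = 'a3b7c9d1-0000-4000-8000-0000000000aa' }
    '22222222-2222-2222-2222-222222222222' = [pscustomobject]@{ RecipientTypeDetails = 'MailUser';    ExchangeGuid = '00000000-0000-0000-0000-000000000000' }
}
# Unknown id returns $null, exactly what -ErrorAction SilentlyContinue gives for a missing recipient.
$fakeLookup = { param($id) $fakeTenant[$id] }.GetNewClosure()

foreach ($id in @($fakeTenant.Keys) + '33333333-3333-3333-3333-333333333333') {
    Test-ExoMailbox -ObjectId $id -Lookup $fakeLookup
}

# Against a real tenant, after
#   Connect-ExchangeOnline -AppId <app-guid> -CertificateThumbprint <thumb> -Organization <tenant>.onmicrosoft.com
# call it without -Lookup:   Test-ExoMailbox -ObjectId <aad-objectid>
```

The offline run yields one HasMailbox=$true (the UserMailbox), one $false with the MailUser reason, and one $false with the "no EXO recipient" reason. Only the first state is safe for Set-Mailbox; the other two are the "not yet" cases the thread warns about, and they look identical from DirXML-AADObjectType alone.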
Captain

OK, but how do I do this query in the driver and save the result into a local variable?

I can only do a set destination attribute if I want to use a PowerShell command, but I don't want to set anything... I only want to do a query and save the result in a local var.

Is there a method?

Thanks

Knowledge Partner

If you have an association for a specific user (and usually you have one), you can query/set a destination attribute. The engine will take care of the required "internal" parameters.

If you want to construct your own PowerShell command, in most cases AAD and EXO PowerShell commands use ObjectGUID or email (UPN) info.
Captain

Hi,

thanks for the response!

I have one question.

I'm testing the Azure driver. It seems that if I want to create a user mailbox and, after it has been created, run some commands in the old O365 driver, I had to wait until the mailbox was created; otherwise the PowerShell commands failed.

In the new Azure driver, it seems that if I send a mailbox creation and at the same time send some PowerShell commands that need the mailbox to exist, these commands work, and I don't need to write rules in Designer to check whether the mailbox is created before running the commands.

It seems that the Azure driver has a queue or something like it that queues the commands and runs them only when the mailbox is created.

Is my assertion right?

thanks very much

Knowledge Partner

In theory, the AzureAD driver handles the expected feedback from a PowerShell command (the result of the operation).

If you need the AzureAD driver and the O365 driver to work together for a period of time, you can capture a successful user/mailbox creation in the AAD driver and put a flag (custom attribute) on your user object. The O365 driver can use this attribute in its own logic to be sure that the mailbox is created.
Vice Admiral

@al_b, would you be willing to share your PowerShell scripts that work with the CLE driver (plus a simple driver config file showing how to invoke these scripts) with the community? Any GitHub repo?

Knowledge Partner

I will attach the version of the script managed by the CLE driver, and the policy.

PowerShell executed "manually":

PS D:\ps> .\al-get-exo-app-kp.ps1 -CLE Y -PSRootFolder d:\ps -tenant $prodApp.tenantGUID -AppId $prodApp.appGUID -organization $prodApp.tenantName -thumb $prodApp.Thumb
PSRootFolder: d:\ps
AAD tenant: ece7...07a
AAD organization: ....onmicrosoft.com
AppId: 6fe...136
Certificate thumbprint: 375...6DF
Transcript started, output file is d:\ps\aad\log\PowerShell_transcript.WDSCCWQAAPP01.GaIle4KO.20210317204408.txt
CLE: Y
***************************************************************************************
* Get EXO info from Office 365/Azure/EXO (AAD app based) *
* *
* Written by Alex (for IDM CLE driver) *
* v 0.15 2020-12-21 18:14 *
***************************************************************************************
PSScriptRoot: D:\ps
Connect-AzureAD...
AAD tenant: ece...07a
AppId: 6fe...136
Certificate thumbprint: 375...6DF
Today's file: d:\ps\aad\wrk\exo-XXX.onmicrosoft.com-202103172044.csv

Get new O365 file actual for 03/17/2021 20:44:29, store in d:\ps\aad\wrk\exo-XXX.onmicrosoft.com-202103172044.csv
Process started: 03/17/2021 20:44:29
Process finished: 03/17/2021 20:47:18

54370 records in d:\ps\aad\wrk\exo-XXX.onmicrosoft.com-202103172044.csv
Process of 54370 records took 00:02:49.4537206 minutes
-----------------------------------------------------------------------------------------
Status for CLE> Process of 54370 records took 00:02:49.4537206 minutes (d:\ps\aad\wrk\exo-XXX.onmicrosoft.com-202103172044.csv)
d:\ps\aad\wrk\exo-XXX.onmicrosoft.com-202103172044.csv moved to d:\ps\aad\CSV\
Removed the PSSession ExchangeOnlineInternalSession_15 connected to outlook.office365.com
Disconnected successfully !
Transcript stopped, output file is D:\ps\aad\log\PowerShell_transcript.WDSCCWQAAPP01.GaIle4KO.20210317204408.txt
PS D:\ps>

Knowledge Partner

Policy 70 Run EXO (al-get-exo-app.ps1), executed from the Subscriber Event Transformation of the CLE driver.

Different scripts are executed by different jobs or triggered by different events.

This specific one is executed by scheduled jobs.

<rule>
  <description>10 Break if not trigger</description>
  <conditions>
    <and>
      <if-operation mode="case" op="not-equal">trigger</if-operation>
    </and>
  </conditions>
  <actions>
    <do-if>
      <arg-conditions>
        <and>
          <if-global-variable mode="nocase" name="gcvDebug" op="equal">true</if-global-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message>
          <arg-string>
            <token-text xml:space="preserve">-- Break if not trigger --</token-text>
          </arg-string>
        </do-trace-message>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <do-break/>
  </actions>
</rule>

<rule>
  <description>20 if not EXO job</description>
  <comment xml:space="preserve">No DN's</comment>
  <!-- Two <and> groups directly under <conditions> are ORed: the trigger may come from either job. -->
  <conditions>
    <and>
      <if-operation mode="case" op="equal">trigger</if-operation>
      <if-op-property mode="nocase" name="source" op="equal">~gcvEXOjob~</if-op-property>
    </and>
    <and>
      <if-operation mode="case" op="equal">trigger</if-operation>
      <if-op-property mode="nocase" name="source" op="equal">~gcvFCEXOjob~</if-op-property>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="lvContinue" scope="policy">
      <arg-string>
        <token-text xml:space="preserve">true</token-text>
      </arg-string>
    </do-set-local-variable>
  </actions>
</rule>

<rule>
  <description>30 Set Tenant specific Vars</description>
  <comment xml:space="preserve">No DN's</comment>
  <conditions>
    <and>
      <if-local-variable mode="nocase" name="lvContinue" op="equal">true</if-local-variable>
    </and>
  </conditions>
  <actions>
    <!-- Pick the app registration, tenant and script for whichever job fired the trigger. -->
    <do-if>
      <arg-conditions>
        <and>
          <if-op-property mode="nocase" name="source" op="equal">~gcvEXOjob~</if-op-property>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="lvAppGUID" scope="policy">
          <arg-string>
            <token-global-variable name="gcvAppId"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lvTenantGUID" scope="policy">
          <arg-string>
            <token-global-variable name="gcvTenantGUID"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lvTenantName" scope="policy">
          <arg-string>
            <token-global-variable name="gcvTenantName"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lvExecCMD" scope="policy">
          <arg-string>
            <token-global-variable name="gcvEXOps1"/>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <do-if>
      <arg-conditions>
        <and>
          <if-op-property mode="nocase" name="source" op="equal">~gcvFCEXOjob~</if-op-property>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="lvAppGUID" scope="policy">
          <arg-string>
            <token-global-variable name="gcvFCAppId"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lvTenantGUID" scope="policy">
          <arg-string>
            <token-global-variable name="gcvFCTenantGUID"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lvTenantName" scope="policy">
          <arg-string>
            <token-global-variable name="gcvFCTenantName"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lvExecCMD" scope="policy">
          <arg-string>
            <token-global-variable name="gcvFCEXOps1"/>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </actions>
</rule>

<rule>
  <description>50 Run EXO IDM script</description>
  <conditions>
    <or>
      <if-local-variable mode="nocase" name="lvContinue" op="equal">true</if-local-variable>
    </or>
  </conditions>
  <actions>
    <do-set-local-variable name="lvPS" scope="policy">
      <arg-string>
        <token-global-variable name="gcvPSexec"/>
      </arg-string>
    </do-set-local-variable>
    <!-- Disabled fallback: hard-coded Windows PowerShell path instead of the gcvPSexec GCV. -->
    <do-set-local-variable disabled="true" name="lvPS" scope="policy">
      <arg-string>
        <token-text xml:space="preserve">C:\Windows\System32\WindowsPowerShell\v1.0\powershell</token-text>
      </arg-string>
    </do-set-local-variable>
    <!-- The script call is wrapped in gcvQuote because it becomes the single argument of "-command". -->
    <do-set-local-variable name="lvCommand" scope="policy">
      <arg-string>
        <token-global-variable name="gcvQuote"/>
        <token-local-variable name="lvExecCMD"/>
        <token-text xml:space="preserve"> -cle IDM -PSRootFolder </token-text>
        <token-global-variable name="gcvPSRootFolder"/>
        <token-text xml:space="preserve"> -tenant </token-text>
        <token-local-variable name="lvTenantGUID"/>
        <token-text xml:space="preserve"> -AppId </token-text>
        <token-local-variable name="lvAppGUID"/>
        <token-text xml:space="preserve"> -thumb </token-text>
        <token-global-variable name="gcvThumb"/>
        <token-text xml:space="preserve"> -organization </token-text>
        <token-local-variable name="lvTenantName"/>
        <token-global-variable name="gcvQuote"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lvFullCMDline" scope="policy">
      <arg-string>
        <token-local-variable name="lvPS"/>
        <token-text xml:space="preserve"> </token-text>
        <token-text xml:space="preserve">-command </token-text>
        <token-local-variable name="lvCommand"/>
      </arg-string>
    </do-set-local-variable>
    <!-- direct="true" sends this modify to the CLE shim immediately; the trigger event itself is then vetoed. -->
    <do-set-dest-attr-value direct="true" name="CommandToExecute">
      <arg-value type="string">
        <token-local-variable name="lvFullCMDline"/>
      </arg-value>
    </do-set-dest-attr-value>
    <do-veto/>
  </actions>
</rule>

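The policy above concatenates GCVs into one string that is handed to "powershell -command", so whatever is in gcvTenantName, gcvThumb or the two paths is parsed a second time as PowerShell code. The following is an added example, not the poster's policy or script: a PowerShell function that checks each value has the shape Connect-ExchangeOnline expects before the command line is built, and invokes the script with -File so its arguments are passed as parameters rather than re-parsed. The function and parameter names are hypothetical; the comments map them to the GCV names used in the policy.

```powershell
# Added example (not from the thread). Build the CLE CommandToExecute string with
# validated values and -File instead of -command. Hypothetical function; GCV names in comments.
function New-ExoScriptCommandLine {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,     # gcvEXOps1
        [Parameter(Mandatory)][string]$PSRootFolder,   # gcvPSRootFolder
        [Parameter(Mandatory)][string]$TenantGuid,     # gcvTenantGUID
        [Parameter(Mandatory)][string]$AppId,          # gcvAppId
        [Parameter(Mandatory)][string]$Thumbprint,     # gcvThumb
        [Parameter(Mandatory)][string]$Organization,   # gcvTenantName
        # gcvPSexec; assumption: Windows PowerShell, where $PSHOME is ...\WindowsPowerShell\v1.0
        [string]$PowerShellExe = (Join-Path $PSHOME 'powershell.exe')
    )
    # Fail closed: every value must look like what Connect-ExchangeOnline takes.
    $g = [guid]::Empty
    if (-not [guid]::TryParse($TenantGuid, [ref]$g)) { throw "tenant is not a GUID: '$TenantGuid'" }
    if (-not [guid]::TryParse($AppId, [ref]$g))      { throw "AppId is not a GUID: '$AppId'" }
    if ($Thumbprint -notmatch '^[0-9A-Fa-f]{40}$')   { throw "thumbprint is not 40 hex characters" }
    if ($Organization -notmatch '^[A-Za-z0-9.-]+$')  { throw "organization contains unexpected characters: '$Organization'" }
    foreach ($p in @($ScriptPath, $PSRootFolder)) {
        # Paths are quoted below, so a quote or a PowerShell/cmd metacharacter inside them is rejected outright.
        if ($p -match '["`$;&|<>]') { throw "path contains metacharacters: '$p'" }
    }

    # -File passes everything after the script path as script parameters; nothing is evaluated
    # as PowerShell code, unlike -command "<string>".
    $argv = @(
        '-NoProfile', '-NonInteractive',
        '-File', "`"$ScriptPath`"",
        '-cle', 'IDM',
        '-PSRootFolder', "`"$PSRootFolder`"",
        '-tenant', $TenantGuid,
        '-AppId', $AppId,
        '-thumb', $Thumbprint,
        '-organization', $Organization
    )
    return ("`"$PowerShellExe`" " + ($argv -join ' '))
}

# Constructed values (made-up GUIDs, thumbprint and tenant name) showing one good and one rejected call.
New-ExoScriptCommandLine -ScriptPath 'D:\ps\al-get-exo-app.ps1' -PSRootFolder 'D:\ps' `
    -TenantGuid '00000000-1111-2222-3333-444444444444' -AppId '55555555-6666-7777-8888-999999999999' `
    -Thumbprint ('A' * 40) -Organization 'contoso.onmicrosoft.com'

try {
    # A tenant name that would have smuggled a second statement through "-command"
    New-ExoScriptCommandLine -ScriptPath 'D:\ps\al-get-exo-app.ps1' -PSRootFolder 'D:\ps' `
        -TenantGuid '00000000-1111-2222-3333-444444444444' -AppId '55555555-6666-7777-8888-999999999999' `
        -Thumbprint ('A' * 40) -Organization 'contoso.onmicrosoft.com; Remove-Item D:\ps'
} catch { "rejected: $($_.Exception.Message)" }
```

In the policy the GCVs are set by the administrator, so this is defence in depth rather than a fix for an open hole, but the check costs nothing and the rejected call shows exactly what a stray semicolon would otherwise do inside a -command string. The resulting string drops into the same CommandToExecute attribute the policy sets.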
Knowledge Partner

Note: my colleague @Sebastijan found that LegacyExchangeDN is filtered out by the shim.

So my earlier suggestion won't work.

To me that seems like a bug, and it should be raised with Micro Focus to be resolved. The value is available from PowerShell.

As for Graph, Microsoft has yet to make any proper admin API available via Graph for public use.

Such an API exists, but it is referred to by Microsoft as for internal use only; yet under the covers, the new EXO cmdlets use this admin API.

https://www.michev.info/Blog/Post/2869/abusing-the-rest-api-endpoints-behind-the-new-exo-cmdlets

So again, push both Micro Focus and Microsoft to do the right thing and make this easier to detect.

As for DirXML-AADObjectType, it is queryable, but there is a risk that Microsoft's internal sync/provisioning/replication is delayed and you might not be able to run Set-Mailbox commands successfully at this point.

We have had to resort to "re-queuing" such Set-Mailbox commands until they succeed. We use this ECMAScript to do that:
An updated version of Peter Lambrechtsen's dxqueue library - Micro Focus Community - 2693342

Most of the time it only takes a few "re-queues" before the value sticks. The beauty of re-queue is that, unlike retry, the driver does not get stuck on your event and continues processing other events. The re-queued event is sent to the end of the driver queue.

In other environments where identities are synced via AADConnect, I have had better success with LegacyExchangeDN, but even that might not be enough. With on-prem scripting of Exchange I have had to resort to setting sticky domain controller affinity via the DomainController parameter (which does not exist in the cloud variant).

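The re-queue behaviour described above, as an added example that is not the dxqueue library itself: the library re-queues DirXML events in ECMAScript inside the driver, while this PowerShell simulation only shows the scheduling pattern (failed item to the back of the queue, others keep flowing, bounded attempts). Everything here is constructed; no Exchange connection is made, and the "Set-Mailbox" that succeeds only on the third attempt is a made-up stand-in for the replication delay.

```powershell
# Added example (not from the thread or dxqueue). Re-queue-at-end versus blocking retry, simulated.

# Constructed stand-in for Set-Mailbox: EXO "finds" the mailbox only from the 3rd attempt, mimicking
# the lag between DirXML-AADObjectType reporting UserMailbox and the mailbox being usable.
$script:ReplicationReadyAfter = 3
function Invoke-SetMailboxSimulated {
    param([string]$Upn, [int]$Attempt)
    if ($Attempt -lt $script:ReplicationReadyAfter) {
        throw "The operation couldn't be performed because object '$Upn' couldn't be found"
    }
    return "Set-Mailbox applied to $Upn"
}

function Invoke-WorkQueue {
    param(
        [System.Collections.Generic.Queue[hashtable]]$Queue,
        [scriptblock]$Worker,
        [int]$MaxAttempts = 10   # bound the re-queues so a permanently broken event cannot cycle forever
    )
    $log = New-Object System.Collections.Generic.List[string]
    while ($Queue.Count -gt 0) {
        $item = $Queue.Dequeue()
        $item.Attempt += 1
        try {
            $null = & $Worker $item
            $log.Add("ok      $($item.Id) attempt=$($item.Attempt)")
        } catch {
            if ($item.Attempt -ge $MaxAttempts) {
                # Give up and log; in a driver this is where you would raise an alert, not loop.
                $log.Add("giveup  $($item.Id): $($_.Exception.Message)")
            } else {
                # Re-queue: the failed item goes to the END of the queue, so the items behind it are
                # processed first. A driver "retry" would instead block on this one item.
                $log.Add("requeue $($item.Id) attempt=$($item.Attempt)")
                $Queue.Enqueue($item)
            }
        }
    }
    return $log
}

$worker = {
    param($i)
    if ($i.Kind -eq 'set-mailbox') { Invoke-SetMailboxSimulated -Upn $i.Id -Attempt $i.Attempt }
    else { "other work for $($i.Id)" }
}

# Constructed queue: one Set-Mailbox that is too early, followed by two unrelated events.
$q = New-Object 'System.Collections.Generic.Queue[hashtable]'
$q.Enqueue(@{ Id = 'new.user@example.com'; Kind = 'set-mailbox'; Attempt = 0 })
$q.Enqueue(@{ Id = 'license.change';      Kind = 'other';       Attempt = 0 })
$q.Enqueue(@{ Id = 'group.membership';    Kind = 'other';       Attempt = 0 })

Invoke-WorkQueue -Queue $q -Worker $worker
```

The log comes out as: requeue new.user attempt=1, ok license.change, ok group.membership, requeue new.user attempt=2, ok new.user attempt=3. The two unrelated events are handled while the mailbox command waits its turn, which is the point Alex makes about re-queue versus retry; the MaxAttempts cap is the part to keep in mind when porting the idea, since a Set-Mailbox against an object that will never exist (licence removed, user deleted) must not circulate in the driver queue forever.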