Keng Super Contributor.

Azure Driver: Newbie Questions

Hi All,

This is my first time doing IDM with Office 365 accounts, whether the old O365 driver or the Azure driver. So I need as much help as possible.

This is an educational institution setup. Students are already using the O365 emails and Office online. The current process uses a batch script to create O365 accounts, which is going to be replaced by Micro Focus IDM.

There are about 150K existing O365 accounts. The initial import will be via LDIF for these accounts.

My questions are as below

(i) Assuming my initial Azure driver with appropriate O365 licensing is set up, what would happen when I first run the Azure driver? My worry is that the Azure driver will DELETE or DISABLE the O365 accounts when there is no match.

(ii) Assuming the Azure driver is running, what would happen when I start to import the student LDIF?

(iii) From the Azure driver schema mapping, I see it maps CN to userPrincipalName. My understanding is that userPrincipalName will contain a dot, which eDirectory doesn't like. Won't that cause some issues? From the data, the email address would match the userPrincipalName, so do I have to change the mapping in Schema Mapping?

(iv) There would be one-way creation / modification / deletion to O365; the Publisher Channel will be disabled. Are there any concerns about this?

(v) As I try to understand from threads about the Azure driver, in my scenario I do not need to set up the Identity Manager Service for Exchange Online, which requires a Windows Server and PowerShell. Am I correct?

(vi) Is it also possible with the Azure driver, when the student graduates, to move them to another O365 domain? If the O365 domains are as such:

Parent : unitest.com (Parent)

Student: students.unitest.com (Student O365 Domain)

Graduated: alumni.unitest.com (Those that left)

The intention is that IDM would be able to move them to the alumni.unitest.com O365 domain when the student graduates. Their agreement with Microsoft is that Microsoft promises not to remove these accounts.

Regards,

Keng

8 Replies

Knowledge Partner

Re: Azure Driver: Newbie Questions

Hi Keng,

First of all, you can trust our answer, but you have to validate everything in your QA environment.

(i) Assuming my initial Azure driver with appropriate O365 licensing is set up, what would happen when I first run the Azure driver? My worry is that the Azure driver will DELETE or DISABLE the O365 accounts when there is no match.

No, if you don't want it (and will not include special logic for this task).

It will match (and take control) for matched accounts.

(ii) Assuming the Azure driver is running, what would happen when I start to import the student LDIF?

Create objects in the Identity Vault from LDIF?

Like any other driver, the Azure driver (by default) will detect a new object creation and will try to create the corresponding object in AzureAD/O365. Definitely you can control everything through your driver's policies.

(iii) From the Azure driver schema mapping, I see it maps CN to userPrincipalName. My understanding is that userPrincipalName will contain a dot, which eDirectory doesn't like. Won't that cause some issues? From the data, the email address would match the userPrincipalName, so do I have to change the mapping in Schema Mapping?

I have never seen any eDirectory issues related to a dot in any attribute. Could you provide more info about this case?

You can adjust your Schema Mapping (and all other parts of your driver) according to your requirements without any issues.

Keng Super Contributor.

Re: Azure Driver: Newbie Questions

(iii) From the Azure driver schema mapping, I see it maps CN to userPrincipalName. My understanding is that userPrincipalName will contain a dot, which eDirectory doesn't like. Won't that cause some issues? From the data, the email address would match the userPrincipalName, so do I have to change the mapping in Schema Mapping?

The reason why I asked is that we cannot create a user object such as 11234@abc.com.my as the CN. I have tried to digest the Azure driver policies, and can see that there are Input and Output Transformation policies to strip or add back @O365Domain from O365 and try to match with the CN. So the CN in this case is reformatted to the front part before the @Domain.

If so, then I wouldn't need to change the mapping, as the user CN is their Student ID and their email is StudentID@O365 Domain, and the corresponding O365 account is the same StudentID@O365 Domain.

Regards,

Keng

Knowledge Partner

Re: Azure Driver: Newbie Questions

I am a little bit lost here.

Your expected CN: 11234 (cn=StudentID).

The Output Transformation policy will add the "domain portion" and make the UPN look like StudentID@O365 (11234@abc.com.my).

Where do you have an issue?

Keng Super Contributor.

Re: Azure Driver: Newbie Questions

Hi.

YES. In a way, when a new student is added to the IDV, the student CN=1122334455, and the Azure driver is meant to create an O365 email account with 1122334455@O365_Domain. That's the main objective.

NOTE that it's still in the planning stage for O365 integration with IDM.

Currently students have all their accounts in the O365 domain with naming like 1122334455@O365_Domain. We will be receiving the LDIF file for import (maybe in batches of 30K at a time); CN is mapped to the Student ID in the LDIF file.

When we implement the Azure driver, and when it starts up, it will query the Azure domain to match the users in the IDV and O365, right? So with the default IDM Azure policy, it should easily match the UPN in O365. I would imagine for 170K users, how long the querying and matching will take...

Regards,

Keng
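The CN to userPrincipalName round trip discussed in the last three posts, as an added example that is not code from the thread or from the Azure AD driver; the domain names, the sample vault entries and the sample O365 accounts are constructed assumptions. It models the Output Transformation direction (append the O365 domain to the CN), the Input Transformation direction (strip it again), and a dry run of the matching pass: existing accounts are matched by UPN case-insensitively, vault objects with no match would be created, and O365 accounts with no vault object, including ones in a different domain such as alumni, are left alone rather than deleted, which is the behaviour the earlier answer describes for a driver without special delete logic. The `move_to_domain` helper covers only the string side of the graduation move from question (vi); whether the tenant permits that UPN suffix change is the open question in the thread.

```python
"""Model of the CN <-> userPrincipalName round trip discussed in the thread.

Added example, not code from the thread or from the Azure AD driver.
The domains and sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

STUDENT_DOMAIN = "students.unitest.com"  # assumed student O365 domain
ALUMNI_DOMAIN = "alumni.unitest.com"     # assumed alumni O365 domain


def cn_to_upn(cn: str, domain: str = STUDENT_DOMAIN) -> str:
    """Output Transformation direction: vault CN (student ID) -> O365 UPN."""
    if "@" in cn:
        # A CN that already carries a domain would produce a double suffix.
        raise ValueError(f"CN must not contain '@': {cn!r}")
    return f"{cn}@{domain}"


def upn_to_cn(upn: str, domain: str = STUDENT_DOMAIN) -> Optional[str]:
    """Input Transformation direction: strip the managed domain from a UPN.

    Returns None when the UPN has no domain or belongs to another domain,
    so such an account is never matched to a vault object by mistake.
    """
    local, sep, suffix = upn.rpartition("@")
    if not sep or not local or suffix.lower() != domain.lower():
        return None
    return local


def move_to_domain(upn: str, new_domain: str) -> str:
    """String side only of the graduation move (question vi): keep the local
    part, swap the suffix. Whether the tenant permits the change is the
    thread's open question, not something this function settles."""
    local, sep, _ = upn.rpartition("@")
    if not sep or not local:
        raise ValueError(f"not a UPN: {upn!r}")
    return f"{local}@{new_domain}"


@dataclass
class Plan:
    matched: List[str] = field(default_factory=list)    # driver takes control
    create: List[str] = field(default_factory=list)     # driver would create
    untouched: List[str] = field(default_factory=list)  # no vault object: left alone


def reconcile(vault_cns: List[str], o365_upns: List[str],
              domain: str = STUDENT_DOMAIN) -> Plan:
    """Dry run of the default matching pass as the thread describes it:
    match existing accounts by UPN, create the rest, delete nothing."""
    by_cn = {}
    for upn in o365_upns:
        cn = upn_to_cn(upn, domain)
        if cn is not None:
            by_cn[cn.lower()] = upn       # UPN comparison is case-insensitive
    plan = Plan()
    seen = set()
    for cn in vault_cns:
        key = cn.lower()
        if key in by_cn:
            plan.matched.append(by_cn[key])
            seen.add(key)
        else:
            plan.create.append(cn_to_upn(cn, domain))
    for upn in o365_upns:
        cn = upn_to_cn(upn, domain)
        if cn is None or cn.lower() not in seen:
            plan.untouched.append(upn)
    return plan


# Constructed sample data: three vault objects and four existing O365 accounts.
VAULT_CNS = ["1122334455", "2233445566", "3344556677"]
O365_UPNS = [
    "1122334455@students.unitest.com",
    "2233445566@STUDENTS.unitest.com",   # different case, still matches
    "9999999999@students.unitest.com",   # no vault object: must not be deleted
    "8888888888@alumni.unitest.com",     # other domain: never matched
]

if __name__ == "__main__":
    plan = reconcile(VAULT_CNS, O365_UPNS)
    print("matched  :", plan.matched)
    print("create   :", plan.create)
    print("untouched:", plan.untouched)
```

Running the dry run against a real export of the O365 UPNs before the driver is started is the cheap way to answer question (i) for your own data: anything that lands in `untouched` is an account the matching pass would not claim, and anything in `create` is a vault object whose UPN you would expect to exist but does not, which usually means the CN and the local part of the UPN disagree.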

Knowledge Partner

Re: Azure Driver: Newbie Questions

(iv) There would be one-way creation / modification / deletion to O365; the Publisher Channel will be disabled. Are there any concerns about this?

Not at all. 

You can adjust the driver according to your requirements.

(v) As I try to understand from threads about the Azure driver, in my scenario I do not need to set up the Identity Manager Service for Exchange Online, which requires a Windows Server and PowerShell. Am I correct?

If you don't need to manage Exchange Online through the IDM driver, you will not need the ExO PowerShell component.

(vi) Is it also possible with the Azure driver, when the student graduates, to move them to another O365 domain? If the O365 domains are as such:

Parent : unitest.com (Parent)
Student: students.unitest.com (Student O365 Domain)
Graduated: alumni.unitest.com (Those that left)

I never tried it on my own. It could be an interesting case.

Are you able to do it without a driver (through PowerShell or the Graph API)?

Knowledge Partner

Re: Azure Driver: Newbie Questions

I don't think that it will be an easy case.

You will need MS Customer Support involvement.

Submit a support request to break the inheritance at Azure Customer Support.

https://support.microsoft.com/en-au/help/3070341/how-to-manage-subdomains-and-parent-domains-in-different-organizations

Currently I don't see any real details about this case.

Keng Super Contributor.

Re: Azure Driver: Newbie Questions

Hi all,

Actually I am quite confused with the Azure Driver on this part.

If I need to use the Azure driver to provision an O365 email account, do I need

(i) Only the Azure REST driver, which talks to the Graph API

(ii) Or both the Azure REST driver and Exchange Online Services (hosted with the Remote Loader on Windows 2016)

Regards,

Keng

Knowledge Partner

Re: Azure Driver: Newbie Questions

You're right: the documentation is confusing.

Azure AD Driver
The Azure AD driver allows you to seamlessly provision and deprovision users, group memberships, exchange mailboxes, roles, and licenses to Azure AD (cloud). The driver synchronizes the user identity information between the Identity Vault and Azure AD and keeps this information consistent at all times.

Identity Manager Service for Exchange Online
The Azure AD driver uses the Identity Manager Exchange Service to provision or deprovision user mailboxes, mail users, create or remove distribution lists and security groups on Office 365 Exchange Online. For more information on configuring the service, see Section 7.0, Understanding Identity Manager Exchange Service.

PowerShell
The Azure AD driver uses PowerShell for executing Exchange operations such as creation of Exchange mailbox, mail users, and groups.

To my knowledge, the driver uses the Graph API to access Azure AD and PowerShell to manage Exchange Online.

If you need to manage mailboxes in Exchange Online, you will need the Identity Manager Service for Exchange Online.