Super Contributor

Azure Driver Publisher Channel Events Clarification

So, it is unclear from the documentation, but I'm trying to figure out what the publisher channel is able to detect within Azure. Is it able to pick up Azure AD objects or simply Exchange Online objects?

When I adjust the publisher polling interval in the driver, I see that it adjusts the frequency of its calls to the Exchange Web Service, which seems to check the change log for any new events and sends them onward to the driver. I would think this is just using the Exchange Online PowerShell module rather than the Azure AD one, but I could be wrong. In practice so far this polling only seems to detect accounts that are mail-enabled, rather than unlicensed Azure AD objects.

I'm running the driver in Hybrid Mode and Azure AD Connect is responsible for user provisioning to Azure AD. I was hoping a publisher channel event could notify me of the successful creation so that I would know it is okay to go ahead and send an event to license the user.

Is this possible? If not, how are others handling this situation?

4 Replies
Knowledge Partner

Your understanding of the AzureAD driver architecture is right!

This is exactly what the driver is doing.

It uses the Graph API for access to Azure AD information (users, groups) and the Exchange PowerShell modules for access to Exchange Online info.

Just as side info: Microsoft is still working on Graph API access to Exchange info, and it is not available to the public yet.

Currently, you can only use the PowerShell modules for Exchange to manage Exchange Online.

MS just released the "initial beta" of the REST-based PowerShell module (EXO2), but its functionality is not complete yet and the release date is unknown.

Super Contributor

Thanks, @al_b. What I don't get is why the polling only seems to check the Exchange Service for changes rather than Azure AD itself through the Graph API. Changes in Azure AD would be very helpful to be able to detect (i.e. initial creation of an account by Azure AD Connect, out of band license assignments, etc...).

I've been looking at the new EXO2 PowerShell module. Ready for that to come out of preview and allow for modern authentication via Service Principal & REST-based calls. It would be great if this allowed the driver to not require the Exchange PowerShell service.
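One way to get the Azure AD-side change notification that the driver's publisher channel does not deliver in hybrid mode is to poll Microsoft Graph's delta query for users yourself. The PowerShell below is an added example, not code from this thread or from the Azure AD driver; it assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest, Update-MgUser, Set-MgUserLicense) and an app or account granted User.ReadWrite.All. The function names, the sample delta page and the SKU id are constructed for illustration.

```powershell
# Added example (not from the original post or the Azure AD driver): detect
# Azure AD user changes with a Microsoft Graph delta query, outside the driver.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller has
# User.ReadWrite.All. The deltaLink returned on the last page is the change-log
# cursor: persist it and pass it back on the next poll to get only what changed.

function Select-SyncedUnlicensedUsers {
    # Pure filter over delta results, so it can be exercised offline.
    # Emits users that Azure AD Connect synchronised and that carry no license.
    param([Parameter(Mandatory)][System.Collections.IEnumerable]$Users)

    foreach ($u in $Users) {
        if ($u.ContainsKey('@removed')) { continue }        # deleted in this delta
        if (-not $u.onPremisesSyncEnabled) { continue }     # cloud-only account
        if ($u.assignedLicenses -and $u.assignedLicenses.Count -gt 0) { continue }
        [pscustomobject]@{
            Id                = $u.id
            UserPrincipalName = $u.userPrincipalName
            ImmutableId       = $u.onPremisesImmutableId
        }
    }
}

function Get-UserDeltaChanges {
    # Walks every page of /users/delta and returns the changed objects plus the
    # deltaLink to store for the next poll. Pass -DeltaLink to resume from one.
    param([string]$DeltaLink)

    $uri = if ($DeltaLink) { $DeltaLink } else {
        'https://graph.microsoft.com/v1.0/users/delta?$select=id,userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId,assignedLicenses'
    }
    $changes = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri   # default output is a hashtable
        $changes += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    [pscustomobject]@{ Changes = $changes; DeltaLink = $page.'@odata.deltaLink' }
}

# --- Offline demonstration with a constructed delta page (not real tenant data) ---
$samplePage = @(
    @{ id = '11111111-1111-1111-1111-111111111111'; userPrincipalName = 'alice@contoso.example';
       onPremisesSyncEnabled = $true;  onPremisesImmutableId = 'AAAAAAAA'; assignedLicenses = @() },
    @{ id = '22222222-2222-2222-2222-222222222222'; userPrincipalName = 'bob@contoso.example';
       onPremisesSyncEnabled = $false; assignedLicenses = @() },
    @{ id = '33333333-3333-3333-3333-333333333333'; userPrincipalName = 'carol@contoso.example';
       onPremisesSyncEnabled = $true;  onPremisesImmutableId = 'CCCCCCCC';
       assignedLicenses = @(@{ skuId = '6fd2c87f-b296-42f0-b197-1e91e994b900' }) },   # sample SKU id
    @{ id = '44444444-4444-4444-4444-444444444444'; '@removed' = @{ reason = 'deleted' } }
)
Select-SyncedUnlicensedUsers -Users $samplePage   # only alice is reported

# --- Live use (requires Connect-MgGraph -Scopes 'User.ReadWrite.All') ---
# $state = Get-UserDeltaChanges -DeltaLink $savedDeltaLink
# foreach ($u in Select-SyncedUnlicensedUsers -Users $state.Changes) {
#     # usageLocation must be set before a license can be assigned
#     Update-MgUser -UserId $u.Id -UsageLocation 'US'
#     Set-MgUserLicense -UserId $u.Id -AddLicenses @(@{ SkuId = $skuId }) -RemoveLicenses @()
# }
# $savedDeltaLink = $state.DeltaLink   # persist for the next poll
```

The deltaLink plays the role of the change log the Exchange polling reads: keep it between runs so each poll returns only objects created, updated or removed since the previous one. Filtering on onPremisesSyncEnabled is what distinguishes an account Azure AD Connect just synchronised from a cloud-only one, and usageLocation has to be set before Set-MgUserLicense will succeed. If the license step is all you need, Azure AD group-based licensing (assign the license to a group and put the synced users in it) avoids per-user calls entirely.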

Knowledge Partner

Now it comes back to the driver mode that you use (Hybrid mode).
It is supposed to get Publisher Channel user updates through the Graph API.

I didn't see that the new EXO2 module preview supports modern authentication via Service Principal. I hope that it will be included soon.
Super Contributor

So this works in Cloud Only mode, but not Hybrid?

I just found this blurb in the documentation:

NOTE: You cannot add users, delete users, and modify user attributes through the publisher channel when you operate the Azure AD driver in hybrid mode. However, the Azure AD driver will update the associations accordingly.

And another:

The driver performs the following actions when operating in hybrid mode:

  • When a user is provisioned to AD through AD driver's user account entitlements and the user is synchronized to Azure AD through Azure AD Connect, the driver updates the user association in the Identity Vault.

  • When a user is deleted from Azure AD, the driver removes the association for the user from the Identity Vault.

I'm guessing that's why I'm not seeing normal events in the publisher, but I'm not sure where the association comes from or what triggers it.

Do you have familiarity with that process? Do I need to open something like DirXML-Associations on the publisher side of the filter?
