Azure Driver Publisher Channel Events Clarification
So, it is unclear from the documentation, but I'm trying to figure out what the publisher channel is able to detect within Azure. Is it able to pick up Azure AD objects or simply Exchange Online objects?
When I adjust the publisher polling interval in the driver, I see that it adjusts the frequency of its calls to the Exchange Web Service, which seems to check the change log for any new events and sends them onward to the driver. I would think this is just using the Exchange Online PowerShell Module rather than the Azure AD one, but I could be wrong. In practice so far this polling only seems to detect accounts that are mail enabled. Rather than unlicensed Azure AD objects.
I'm running the driver in Hybrid Mode and Azure AD Connect is responsible for user provisioning to Azure AD. I was hoping a publisher channel event could notify me of the successful creation so that I would know it is okay to go ahead and send an event to license the user.
Is this possible? If not, how are others handling this situation?
Your understanding of AzureAD driver architecture is right!
This is exactly, what is driver doing.
It uses Graph API for access to Azure AD information (users, groups) and Exchange Powershell modules for access to Exchange Online info.
Just side info: Microsoft still working on Graph API access to Exchange info and it not available yet for the public.
Currently, you can use the only PowerShell for Exchange modules for manage Exchange Online.
MS just released the "initial beta" of Rest-based PowerShell modules (EXO2), but functionality doesn't complete yet and release date unknown.
Thanks, @al_b. What I don't get is why the polling only seems to check the Exchange Service for changes rather than Azure AD itself through the Graph API. Changes in Azure AD would be very helpful to be able to detect (i.e. initial creation of an account by Azure AD Connect, out of band license assignments, etc...).
I've been looking at the new EXO2 PowerShell module. Ready for that to come out of preview and allow for modern authentication via Service Principal & Rest-based calls. It would be great if this allowed the driver to not require the Exchange PowerShell Service.
It supposed to get Publisher Channel user updates thru Graph API.
I didn't see, that new EXO2 modules preview supports modern authentication via Service Principal. I hope, that it will be included soon.
So this works in Cloud Only mode, but not Hybrid?
I just found this blurb in the documentation:
NOTE:You cannot add users, delete users, and modify user attributes through the publisher channel when you operate the Azure AD driver in hybrid mode. However, the Azure AD driver will update the associations accordingly.
The driver performs the following actions when operating in hybrid mode:
When a user is provisioned to AD through AD driver's user account entitlements and the user is synchronized to Azure AD through Azure AD Connect, the driver updates the user association in the Identity Vault.
When a user is deleted from Azure AD, the driver removes the association for the user from the Identity Vault.
I'm guessing that's why I'm not seeing normal events in the publisher, but I'm not sure where the association comes from or what triggers it.
Do you have familiarity with that process? Do I need to open something like DirXML-Associations in the publisher of the filter?