vm_luotonen Respected Contributor.

Azure Driver exception: Add-DistributionGroupMember


Hi

I have an Azure AD driver synchronizing Users and Group memberships to the cloud.

I have a problem assigning group membership to a mail-enabled security group.
When I add an Entitlement to a user through a role, the event leaves the driver as it should, but returns an exception:

[07/16/19 14:26:38.392]:Azure AD Driver ST:Remote Interface Driver: Sending...
[07/16/19 14:26:38.393]:Azure AD Driver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.7.1.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<association>a54f2e28-370c-4510-9c74-9c84ef746a03</association>
<modify-attr attr-name="members">
<add-value>
<value association-ref="dd040518-729f-427f-be70-90f6a81fe964" type="dn">\VAULT-TREE\vault\data\Users\user1</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[07/16/19 14:26:38.399]:Azure AD Driver ST:Remote Interface Driver: Document sent.
[07/16/19 14:26:38.399]:Azure AD Driver ST:Remote Interface Driver: Waiting for receive...

[07/16/19 14:26:42.818]:Azure AD Driver ST:Remote Interface Driver: Received
[07/16/19 14:26:42.820]:Azure AD Driver ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20180222_0642" instance="Azure AD Driver" version="5.1.0.0">Identity Manager Driver for Azure AD and Office 365</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: Add-DistributionGroupMember
</output>
</nds>
[07/16/19 14:26:42.827]:Azure AD Driver ST:Remote Interface Driver: Received command: SUBSCRIBER REPLY(10).
[07/16/19 14:26:42.828]:Azure AD Driver ST:Restoring operation data to output document

 

Azure Driver version is 5.1.0.0
IDM version is  4.7.1

The user IDM in Azure AD has the Global Administrator and Exchange Administrator roles.

The driver is capable of handling user provisioning and all attributes, licences, and maintaining normal security groups, but not mail-enabled security groups, which the customer needs for assigning calendar rights.

What could be the reason, and where should I look?

-- Vellu

Accepted Solutions
vm_luotonen Respected Contributor.

Re: Azure Driver exception: Add-DistributionGroupMember

Solution:
PowerShell command:
Add-DistributionGroupMember -Identity TestMailEnabledSecurityGroup -Member user@company.fi
Operation can only be performed by a manager of the group.

So if the group was created manually from Office Admin management, the owner was the user ID that created the group. The user ID which the driver is using lacked the rights for member management because of this.

I tried to add azuread-driver@company.fi from the Office management page, but for some reason it didn't allow me to do that.
Instead I ran a PowerShell command (as my O365 admin account):
Set-DistributionGroup -Identity TestMailEnabledSecurityGroup -ManagedBy azuread-driver@company.fi -BypassSecurityGroupManagerCheck

-BypassSecurityGroupManagerCheck was needed, since my Admin account wasn't the existing owner of the group.

After that Add-DistributionGroupMember / Remove-DistributionGroupMember worked from PowerShell.
And management from IDM side roles began to work.

Kind Regards 

Veli-Matti
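
An added example, not part of the original post and not the driver vendor's code: a PowerShell check for the condition described in the solution above (a mail-enabled security group whose ManagedBy list lacks the provisioning account), plus a scoped fix that appends the account as owner rather than replacing the existing owners. It assumes ManagedBy lists owners by name, as in the trace in this thread ("ManagedBy":["admin"]); the function names and the sample groups other than the thread's test group are hypothetical.

```powershell
# Added example: audit ManagedBy on mail-enabled security groups for the
# account an identity driver uses, then fix only explicitly named groups.

function Get-GroupMissingOwner {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-DistributionGroup output
        # (Name, RecipientTypeDetails, ManagedBy).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group,

        # Every form under which the owner may appear in ManagedBy
        # (name, alias, SMTP address). Comparison is case-insensitive.
        [Parameter(Mandatory)]
        [string[]]$OwnerIdentity
    )
    process {
        # Only mail-enabled security groups enforce the manager check discussed here.
        if ("$($Group.RecipientTypeDetails)" -ne 'MailUniversalSecurityGroup') { return }

        $owners = @($Group.ManagedBy | Where-Object { $_ } | ForEach-Object { "$_" })
        $match  = @($owners | Where-Object { $OwnerIdentity -contains $_ })
        if ($match.Count -eq 0) {
            [pscustomobject]@{
                Group         = $Group.Name
                CurrentOwners = $owners -join '; '
            }
        }
    }
}

function Add-DriverAsGroupOwner {
    # Live remediation; requires an Exchange Online session (Connect-ExchangeOnline).
    # Takes an explicit group list so the driver account only becomes owner of
    # groups the identity system actually provisions.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DriverAccount,
        [Parameter(Mandatory)][string[]]$GroupName
    )
    $r = Get-Recipient -Identity $DriverAccount
    $GroupName |
        ForEach-Object { Get-DistributionGroup -Identity $_ } |
        Get-GroupMissingOwner -OwnerIdentity $r.Name, $r.Alias, "$($r.PrimarySmtpAddress)" |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Group, "add $DriverAccount to ManagedBy")) {
                # @{Add=...} appends to ManagedBy; a bare value would replace all owners.
                Set-DistributionGroup -Identity $_.Group `
                    -ManagedBy @{Add = $DriverAccount} `
                    -BypassSecurityGroupManagerCheck
            }
        }
}

# Constructed sample input, runnable offline. The first entry mirrors the
# thread's test group, which was owned only by "admin".
$sample = @(
    [pscustomobject]@{
        Name                 = 'MailEnabledSecurityGroup-Test20190716110619'
        RecipientTypeDetails = 'MailUniversalSecurityGroup'
        ManagedBy            = @('admin')
    },
    [pscustomobject]@{
        Name                 = 'DriverOwnedGroup'          # hypothetical
        RecipientTypeDetails = 'MailUniversalSecurityGroup'
        ManagedBy            = @('admin', 'azuread-driver')
    },
    [pscustomobject]@{
        Name                 = 'PlainDistributionList'     # hypothetical, skipped
        RecipientTypeDetails = 'MailUniversalDistributionGroup'
        ManagedBy            = @('admin')
    }
)

# Reports only the first group: a security group without the driver as owner.
$sample | Get-GroupMissingOwner -OwnerIdentity 'azuread-driver', 'azuread-driver@company.fi'

# Preview the live fix for one group without changing anything:
# Add-DriverAsGroupOwner -DriverAccount 'azuread-driver@company.fi' `
#     -GroupName 'TestMailEnabledSecurityGroup' -WhatIf
```

Running the audit before assigning entitlements to manually created groups surfaces the ownership gap that otherwise only shows up as the driver's 400 Add-DistributionGroupMember response.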

vm_luotonen Respected Contributor.

Re: Azure Driver exception: Add-DistributionGroupMember


Below are Exchange service and Remoteloader logs:

It looks like the process gets DirXML: [07/16/19 14:26:43.09]: TRACE: Azure AD Driver_Exchange: Response code and message: 400 Add-DistributionGroupMember

from POST to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member

Could this be a rights problem, or should I update the Azure AD driver to 5.1.1.0?


in Exchange Service Log:


[07/16/2019 14:26:42.693] company.onmicrosoft.com – Invocation: Completed

[07/16/2019 14:26:42.693] company.onmicrosoft.com – Invoking: Add-DistributionGroupMember
Identity: MailEnabledSecurityGroup-Test20190716110619
Member: dd040518-729f-427f-be70-90f6a81fe964

And in Remoteloader Log:
DirXML: [07/16/19 14:26:38.68]: TRACE: Remote Loader: Received
DirXML: [07/16/19 14:26:38.68]: TRACE:
<source>
<product edition="Advanced" version="4.7.1.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>

<association>a54f2e28-370c-4510-9c74-9c84ef746a03</association>
<modify-attr attr-name="members">
<add-value>
<value association-ref="dd040518-729f-427f-be70-90f6a81fe964" type="dn">\VAULT-TREE\vault\data\Users\user1</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [07/16/19 14:26:38.68]: TRACE: Remote Loader: Received command: SUBSCRIBER EXECUTE(4).
DirXML: [07/16/19 14:26:38.68]: TRACE: Remote Loader: Calling SubscriptionShim.execute()
DirXML: [07/16/19 14:26:38.68]: TRACE:
<source>
<product edition="Advanced" version="4.7.1.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>

<association>a54f2e28-370c-4510-9c74-9c84ef746a03</association>
<modify-attr attr-name="members">
<add-value>
<value association-ref="dd040518-729f-427f-be70-90f6a81fe964" type="dn">\VAULT-TREE\vault\data\Users\user1</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [07/16/19 14:26:38.68]: TRACE: Azure AD Driver: AZSubscriber.execute()
DirXML: [07/16/19 14:26:38.68]: TRACE: Azure AD Driver: Sending command document to subscriber
DirXML: [07/16/19 14:26:38.68]: TRACE:
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="groups" command="query">
<request method="GET">
<url-token api-version="?api-version=1.6" association="a54f2e28-370c-4510-9c74-9c84ef746a03"/>
<header Content-Type="application/json"/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [07/16/19 14:26:38.68]: TRACE: Azure AD Driver_Azure: sub-execute
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: queryHandler
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: queryHandler: class-name == 'groups'
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Query: preparing GET to https://graph.windows.net/company.onmicrosoft.com/groups/a54f2e28-370c-4510-9c74-9c84ef746a03?api-version=1.6
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Resetting headers
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Setting the following HTTP request properties:
Authorization:
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Content-Type:application/json
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: OAuth2: Token is valid.
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: OAuth2: Token is valid.
DirXML: [07/16/19 14:26:38.69]: TRACE: Azure AD Driver_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/company.onmicrosoft.com/groups/a54f2e28-370c-4510-9c74-9c84ef746a03?api-version=1.6
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Azure: Response code and message: 200 OK
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver: Received response document from subscriber
DirXML: [07/16/19 14:26:38.96]: TRACE:
<source>
<product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="groups" command="query" dest-dn="">
<response method="GET">
<url-token api-version="?api-version=1.6" association="a54f2e28-370c-4510-9c74-9c84ef746a03"/>
<header Content-Type="application/json"/>
{"odata.metadata":"https://graph.windows.net/company.onmicrosoft.com/$metadata#directoryObjects/@Element","odata.type":"Microsoft.DirectoryServices.Group","objectType":"Group","objectId":"a54f2e28-370c-4510-9c74-9c84ef746a03","deletionTimestamp":null,"description":null,"dirSyncEnabled":null,"displayName":"MailEnabledSecurityGroup-Test","lastDirSyncTime":null,"mail":"MailEnabledSecurityGroup-Test@company.onmicrosoft....}
</response>
</driver-operation-data>
</status>
</output>
</nds>
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver: Sending command document to subscriber
DirXML: [07/16/19 14:26:38.96]: TRACE:
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="Groups" command="query">
<request method="GET">
<url-token association="a54f2e28-370c-4510-9c74-9c84ef746a03"/>
<header Content-Type="application/json"/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: sub-execute
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: queryHandler
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: queryHandler: class-name == 'Groups'
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Query: preparing GET to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Resetting headers
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Setting the following HTTP request properties:
Authorization:
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Content-Type:application/json
DirXML: [07/16/19 14:26:38.96]: TRACE: Azure AD Driver_Exchange: Did a HTTP GET with 0 bytes of data to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03
DirXML: [07/16/19 14:26:40.18]: TRACE: Azure AD Driver_Exchange: Response code and message: 200 OK
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver: Received response document from subscriber
DirXML: [07/16/19 14:26:40.19]: TRACE:
<source>
<product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="Groups" command="query" dest-dn="">
<response method="GET">
<url-token association="a54f2e28-370c-4510-9c74-9c84ef746a03"/>
<header Content-Type="application/json"/>
{"Name":"MailEnabledSecurityGroup-Test20190716110619","objectId":"a54f2e28-370c-4510-9c74-9c84ef746a03","Alias":"MailEnabledSecurityGroup-Test","Description":"testataan kalenterioikeuden antamista","DisplayName":"MailEnabledSecurityGroup-Test","DynamicProperties":[{"Key":"SamAccountName","Value":"MailEnabledSecurityGroup-Test2019071611061957650-265146755"},{"Key":"BypassNestedModerationEnabled","Value":false},{"Key":"IsDirSynced","Value":false},{"Key":"ManagedBy","Value":["admin"]},{"Key":"MemberJoinRestriction","Value":"Closed"},{"Key":"MemberDepartRestriction","Value":"Closed"},{"Key":"MigrationToUnifiedGroupInProgress","Value":false},{"Key":"ReportToManagerEnabled","Value":false},{"Key":"ReportToOriginatorEnabled","Value":true},{"Key":"SendOofMessageToOriginatorEnabled","Value":false},{"Key":"AddressListMembership","Value":["\\All Groups(VLV)","\\All Recipients(VLV)","\\Groups(VLV)","\\Offline Global Address List","\\All Distribution Lists","\\Default Global Address List"]},{"Key":"ArbitrationMailbox","Value":"SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}"},{"Key":"OrganizationalUnit","Value":"eurpr05a007.prod.outlook.com/Microsoft Exchange Hosted Organizations/company.onmicrosoft.com"},{"Key":"ExternalDirectoryObjectId","Value":"a54f2e28-370c-4510-9c74-9c84ef746a03"},{"Key":"HiddenFromAddress
DirXML: [07/16/19 14:26:40.19]: ListsEnabled","Value":false},{"Key":"LegacyExchangeDN","Value":"/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=118af26918d445ff9881c17ec5724122-KalenteriOi"},{"Key":"MaxSendSize","Value":"Unlimited"},{"Key":"MaxReceiveSize","Value":"Unlimited"},{"Key":"ModerationEnabled","Value":false},{"Key":"PoliciesExcluded","Value":["{26491cfc-9e50-4857-861b-0cb8df22b5d7}"]},{"Key":"EmailAddressPolicyEnabled","Value":false},{"Key":"RecipientType","Value":"MailUniversalSecurityGroup"},{"Key":"RecipientTypeDetails","Value":"MailUniversalSecurityGroup"},{"Key":"RequireSenderAuthenticationEnabled","Value":true},{"Key":"SendModerationNotifications","Value":"Always"},{"Key":"WindowsEmailAddress","Value":"MailEnabledSecurityGroup-Test@company.onmicrosoft.com"},{"Key":"UserPrincipalName","Value":"MailEnabledSecurityGroup-Test20190716110619"},{"Key":"Id","Value":"MailEnabledSecurityGroup-Test20190716110619"},{"Key":"IsValid","Value":true},{"Key":"ExchangeVersion","Value":"0.10 (14.0.100.0)"},{"Key":"DistinguishedName","Value":"CN=MailEnabledSecurityGroup-Test20190716110619,OU=company.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR05A007,DC=PROD,DC=OUTLOOK,DC=COM"},{"Key":"ObjectCategory","Value":"EURPR05A007.PROD.OUTLOOK.COM/Configuration/Schema/Group"},{"Key":"ObjectClass","Value":["top","group"]},{"Key":"WhenChanged","Value":"16.7.2019 14:06:25"},{"Key":"WhenCreated","Value":"16.7.2019 14:06:20"},{"Key":"WhenChangedUTC","Value":"16.7.2019 11:06:25"},{"Key":"WhenCreatedUTC","Value":"16.7.2019 11:06:20"},{"Key":"ExchangeObjectId","Value":"xxx"},{"Key":"OrganizationId","Value":"EURPR05A007.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/company.onmicrosoft.com - EURPR05A007.PROD.OUTLOOK.COM/ConfigurationUn
DirXML: [07/16/19 14:26:40.19]: its/company.onmicrosoft.com/Configuration"},{"Key":"Guid","Value":"xxx"},{"Key":"OriginatingServer","Value":"HE1PR05A007DC06.EURPR05A007.PROD.OUTLOOK.COM"},{"Key":"ObjectState","Value":"Changed"}],"EmailAddresses":["SMTP:MailEnabledSecurityGroup-Test@company.onmicrosoft.com"],"PrimarySmtpAddress":null,"Type":"Universal, SecurityEnabled"}
</response>
</driver-operation-data>
</status>
</output>
</nds>
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver: Sending command document to subscriber
DirXML: [07/16/19 14:26:40.19]: TRACE:
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="Groups" command="query-members">

<url-token/>
<header Content-Type="application/json"/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: sub-execute
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: customHandler
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: customHandler: class-name == 'Groups'
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Custom: preparing GET to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Resetting headers
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Setting the following HTTP request properties:
Authorization:
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Content-Type:application/json
DirXML: [07/16/19 14:26:40.19]: TRACE: Azure AD Driver_Exchange: Did a HTTP GET with 0 bytes of data to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Response code and message: 200 OK
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver: Received response document from subscriber
DirXML: [07/16/19 14:26:40.88]: TRACE:
<source>
<product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="Groups" command="query-members" dest-dn="">

<url-token/>
<header Content-Type="application/json"/>
{"GetGroupMembershipResult":[]}
</response>
</driver-operation-data>
</status>
</output>
</nds>
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver: Sending command document to subscriber
DirXML: [07/16/19 14:26:40.88]: TRACE:
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="Groups" command="query-owners">

<url-token/>
<header Content-Type="application/json"/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: sub-execute
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: customHandler
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: customHandler: class-name == 'Groups'
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Custom: preparing GET to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Owner
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Resetting headers
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Setting the following HTTP request properties:
Authorization:
DirXML: [07/16/19 14:26:40.88]: TRACE: Azure AD Driver_Exchange: Content-Type:application/json
DirXML: [07/16/19 14:26:40.89]: TRACE: Azure AD Driver_Exchange: Did a HTTP GET with 0 bytes of data to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Owner
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Exchange: Response code and message: 200 OK
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver: Received response document from subscriber
DirXML: [07/16/19 14:26:42.14]: TRACE:
<source>
<product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="Groups" command="query-owners" dest-dn="">

<url-token/>
<header Content-Type="application/json"/>
{"GetGroupOwnerResult":[{"Name":"admin","objectId":"63eafd22-bfb3-4bbf-9337-b0b3405c39c7"}]}
</response>
</driver-operation-data>
</status>
</output>
</nds>
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver: Sending command document to subscriber
DirXML: [07/16/19 14:26:42.14]: TRACE:
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="groups" command="query-members">

<url-token/>
<header Content-Type="application/json"/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: sub-execute
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: customHandler
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: customHandler: class-name == 'groups'
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Custom: preparing GET to https://graph.windows.net/company.onmicrosoft.com/directoryObjects/a54f2e28-370c-4510-9c74-9c84ef746a03/members?api-version=1.6
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Resetting headers
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Setting the following HTTP request properties:
Authorization:
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Content-Type:application/json
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: OAuth2: Token is valid.
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: OAuth2: Token is valid.
DirXML: [07/16/19 14:26:42.14]: TRACE: Azure AD Driver_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/company.onmicrosoft.com/directoryObjects/a54f2e28-370c-4510-9c74-9c84ef746a03/members?api-version=1.6
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Azure: Response code and message: 200 OK
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver: Received response document from subscriber
DirXML: [07/16/19 14:26:42.22]: TRACE:
<source>
<product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="groups" command="query-members" dest-dn="">

<url-token/>
<header Content-Type="application/json"/>
{"odata.metadata":"https://graph.windows.net/company.onmicrosoft.com/$metadata#directoryObjects","value":[]}
</response>
</driver-operation-data>
</status>
</output>
</nds>
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver: Sending command document to subscriber
DirXML: [07/16/19 14:26:42.22]: TRACE:
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="Groups" command="modify-members">

<url-token/>
<header Content-Type="application/json"/>
{"Identity":{"targetobjectId":"dd040518-729f-427f-be70-90f6a81fe964"}}
</request>
</driver-operation-data>
</input>
</nds>
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: sub-execute
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: customHandler
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: customHandler: class-name == 'Groups'
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Custom: preparing POST to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Resetting headers
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Setting the following HTTP request properties:
Authorization:
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Content-Type:application/json
DirXML: [07/16/19 14:26:42.22]: TRACE: Azure AD Driver_Exchange: Did a HTTP POST with 70 bytes of data to https://192.168.xx.xx:3333/ExchServer/company.onmicrosoft.com/Groups/a54f2e28-370c-4510-9c74-9c84ef746a03/Member
DirXML: [07/16/19 14:26:43.09]: TRACE: Azure AD Driver_Exchange: Response code and message: 400 Add-DistributionGroupMember
DirXML: [07/16/19 14:26:43.09]: TRACE: Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
DirXML: [07/16/19 14:26:43.09]: TRACE: Azure AD Driver: Received response document from subscriber
DirXML: [07/16/19 14:26:43.09]: TRACE:
<source>
<product build="20180615_1256" version="1.0.1.1">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="error" type="driver-general">
<driver-operation-data class-name="Groups" command="modify-members" dest-dn="">

<url-token/>
<header Content-Type="application/json"/>
<value message="Add-DistributionGroupMember" status="400"/>
</response>
</driver-operation-data>
</status>
</output>
</nds>
DirXML: [07/16/19 14:26:43.09]: TRACE: Remote Loader: SubscriptionShim.execute() returned:
DirXML: [07/16/19 14:26:43.10]: TRACE:
<source>
<product build="20180222_0642" instance="Azure AD Driver" version="5.1.0.0">Identity Manager Driver for Azure AD and Office 365</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: Add-DistributionGroupMember
</output>
</nds>
DirXML: [07/16/19 14:26:43.10]: TRACE: Remote Loader: Sending...
DirXML: [07/16/19 14:26:43.10]: TRACE:
<source>
<product build="20180222_0642" instance="Azure AD Driver" version="5.1.0.0">Identity Manager Driver for Azure AD and Office 365</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: Add-DistributionGroupMember
</output>
</nds>
DirXML: [07/16/19 14:26:43.10]: TRACE: Remote Loader: Document sent.
DirXML: [07/16/19 14:26:43.10]:
DirXML Log Event -------------------
Driver = \VAULT-TREE\vault\services\DriverSet\Azure AD Driver
Thread = Subscriber
Level = error
Message = com.novell.nds.dirxml.driver.azure.exceptions.ChannelException: Add-DistributionGroupMember

vm_luotonen Respected Contributor.

Re: Azure Driver exception: Add-DistributionGroupMember


The document
https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http

says that Add Member needs the following rights:

Delegated (work or school account) [the account the driver connects with]: Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Delegated (personal Microsoft account): Not supported.
Application [the configured Azure App + API]: Group.ReadWrite.All and Directory.ReadWrite.All


Group.ReadWrite rights were missing from both, but adding those and restarting the driver didn't solve the problem, at least immediately. I'll tell in the morning if this helped.

--vellu

 

vm_luotonen Respected Contributor.

Re: Azure Driver exception: Add-DistributionGroupMember


I opened an SR, since I couldn't solve the problem.
