Super Contributor.

AzureAD Driver: Add User to Group Issue

Hi,

My setup as follows

A1Plus-License Group is created in IDV and associated to AzureAD Group.

I had added the assigned User to the A1Plus-License Group in IDV during a user add using the following:

<do-add-src-attr-value class-name="Group" disabled="true" name="Member">
  <arg-dn>
    <token-text xml:space="preserve">\1UITM-TREE\uitm\o365\A1Plus-License-Group</token-text>
  </arg-dn>
  <arg-value type="string">
    <token-src-dn/>
  </arg-value>
</do-add-src-attr-value>

The newly created user is added to the A1Plus-License-Group in IDV with no issue. However, this does not replicate the member to the A1Plus-License-Group in AzureAD.

Manually assigning a member to the A1Plus-License-Group had no issue syncing the member to AzureAD, so it must be due to the IDM policy.

Does anyone have any suggestions?

Cheers,

Keng

 

4 Replies

Super Contributor.

Re: AzureAD Driver: Add User to Group Issue

Hi,

Is anyone able to help or provide any inputs?

I noticed there is no modify group event that's why I didn't see the results expected.

Does anyone have any idea how to assign a Member to an Azure Group directly, without using the IDV Group to sync over?

Cheers,

Keng

Micro Focus Contributor

Re: AzureAD Driver: Add User to Group Issue

Since it is a ‘modify src attribute’ action being used in subscriber, the action will be performed on the IDV object and hence, it becomes a publisher operation. Publisher events do not get added to the subscriber channel after completion. That is why there is no modify event generated for the subscriber.

 

[02/21/20 10:26:38.869]:Office365 ST:      Action: do-add-src-attr-value("Member",class-name="Group",arg-dn("\1UITM-TREE\uitm\o365\A1Plus-License-Group"),token-src-dn()).
[02/21/20 10:26:38.869]:Office365 ST:        arg-dn("\1UITM-TREE\uitm\o365\A1Plus-License-Group")
[02/21/20 10:26:38.870]:Office365 ST:          token-text("\1UITM-TREE\uitm\o365\A1Plus-License-Group")
[02/21/20 10:26:38.870]:Office365 ST:          Arg Value: "\1UITM-TREE\uitm\o365\A1Plus-License-Group".
[02/21/20 10:26:38.871]:Office365 ST:        arg-string(token-src-dn())
[02/21/20 10:26:38.871]:Office365 ST:          token-src-dn()
[02/21/20 10:26:38.872]:Office365 ST:            Token Value: "\1UITM-TREE\uitm\o365\test0365".
[02/21/20 10:26:38.872]:Office365 ST:          Arg Value: "\1UITM-TREE\uitm\o365\test0365".

 

There is a driver ECV setting, Allow event loopback from publisher to subscriber channel (dirxml.engine.allow-event-loopback). Setting it to true may resolve the issue, but it may cause an increase in unnecessary event traffic.

Super Contributor.

Re: AzureAD Driver: Add User to Group Issue

Hi,

Looks like adding Group Membership to the user is not the feasible way.

So, using Add Destination Attribute Value on Member, it generates the modify event, which is expected:

<modify class-name="Group" event-id="ime1#20200302025914#2#2:d19565e8-6e80-486e-879f-e86595d1806e">
  <association>191bec6b-91f7-4f8b-8bfc-dfcc90a5521f</association>
  <modify-attr attr-name="members">
    <add-value>
      <value type="dn">\1UITM-TREE\uitm\o365\test0365</value>
    </add-value>
  </modify-attr>
</modify>

However, since it was added using the Creation Policy, where the user is not created yet, it does not have the Association value expected.

Below is a successful add of a Member to the group:

<modify cached-time="20200302031454.071Z" class-name="Group" event-id="ime1#20200302031454#2#1:c9d1d2d2-27c3-4f47-aafc-d2d2d1c9c327" qualified-src-dn="O=uitm\OU=o365\CN=A1Plus-License-Group" src-dn="\1UITM-TREE\uitm\o365\A1Plus-License-Group" src-entry-id="338008" timestamp="1583118894#1">
  <association state="associated">191bec6b-91f7-4f8b-8bfc-dfcc90a5521f</association>
  <modify-attr attr-name="members">
    <add-value>
      <value association-ref="ea25140f-34ae-4ed0-8239-eca455e33c02" timestamp="1583118894#1" type="dn">\1UITM-TREE\uitm\o365\test0365</value>
    </add-value>
  </modify-attr>
</modify>

So I need to add this association-ref to my modify events, but I had no clue how to get this into the event. Any help?

Regards,

Keng

Knowledge Partner

Re: AzureAD Driver: Add User to Group Issue

The association-ref is the Path component of the association, which is what the driver shim uses to uniquely identify the user in the target system.

You have come upon the classic chicken/egg problem.

If you read through the NetIQ AD driver config you will see the approach they take to solve this.

Sub Create: if there is a group entitlement during a create of a user, it sets an op-property that is detected in the ITP, and if there is a successful create with the op-property set to true, it then gets the association value from the <add-association> event, looks up the user's Group entitlements and sends them back to AD, since the user is now successfully created.

Same is done for Exchange mailboxes.

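A model of the deferred-add pattern described in the reply above, added here as an example (not NetIQ or Micro Focus driver code): it parses a <modify> in the shape the Creation Policy produced, fills in association-ref for members that already have an association, holds the rest, and replays them once the user's <add-association> arrives. ASSOC, DEFERRED, EVENT, the existing01 user and its id are constructed for the model; the group id and DNs are the ones from the thread.

```python
import xml.etree.ElementTree as ET
# Constructed association table (IDV DN -> id in AzureAD). The group's id is the one in the
# poster's trace; "existing01" is an invented, already-synced user; test0365 is absent on purpose.
ASSOC = {
    r"\1UITM-TREE\uitm\o365\A1Plus-License-Group": "191bec6b-91f7-4f8b-8bfc-dfcc90a5521f",
    r"\1UITM-TREE\uitm\o365\existing01": "00000000-0000-0000-0000-000000000001",
}
DEFERRED = {}  # user DN -> [(group DN, attr-name)] waiting for that user's association
# Constructed XDS event in the shape the Creation Policy produced (no association-ref yet).
EVENT = r"""<modify class-name="Group" src-dn="\1UITM-TREE\uitm\o365\A1Plus-License-Group">
 <association>191bec6b-91f7-4f8b-8bfc-dfcc90a5521f</association>
 <modify-attr attr-name="members"><add-value>
  <value type="dn">\1UITM-TREE\uitm\o365\existing01</value>
  <value type="dn">\1UITM-TREE\uitm\o365\test0365</value>
 </add-value></modify-attr>
</modify>"""
def resolve_members(modify_xml):
    """Set association-ref where resolvable; strip and queue the rest. Returns (xml or None, held DNs)."""
    root = ET.fromstring(modify_xml)
    held = []
    for attr in list(root.findall("modify-attr")):
        for add in list(attr.findall("add-value")):
            for val in list(add.findall("value")):
                if val.get("type") != "dn":
                    continue  # non-dn values need no association
                if val.text in ASSOC:
                    val.set("association-ref", ASSOC[val.text])
                else:  # chicken/egg: the user exists in IDV but not yet in the target system
                    held.append(val.text)
                    DEFERRED.setdefault(val.text, []).append((root.get("src-dn"), attr.get("attr-name")))
                    add.remove(val)
            if not len(add):
                attr.remove(add)
        if not len(attr):
            root.remove(attr)
    return (ET.tostring(root, encoding="unicode") if root.find("modify-attr") is not None else None), held
def on_add_association(add_assoc_xml):
    """Record the new user's association and replay its deferred memberships with association-ref."""
    el = ET.fromstring(add_assoc_xml)
    user_dn, app_id = el.get("dest-dn"), el.text.strip()
    ASSOC[user_dn] = app_id
    out = []
    for group_dn, attr_name in DEFERRED.pop(user_dn, []):
        m = ET.Element("modify", {"class-name": "Group", "src-dn": group_dn})
        ET.SubElement(m, "association").text = ASSOC[group_dn]
        add = ET.SubElement(ET.SubElement(m, "modify-attr", {"attr-name": attr_name}), "add-value")
        ET.SubElement(add, "value", {"type": "dn", "association-ref": app_id}).text = user_dn
        out.append(ET.tostring(m, encoding="unicode"))
    return out
```

In the real driver the hold and the replay are done in policy against the IDV, as the AD driver configuration shows; the model only makes the ordering of the two events visible.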