maqsood1 Absent Member.

AzureAD Driver -Support for Group Sync without Entitlement

Hello

The new AzureAD driver comes out of the box with Group Sync support using the Group Entitlement, which is used to map the Group Entitlement to a Role in "Catalog Admin" in UserApp. We want to sync eDirectory groups/members with the AzureAD driver without using the Catalog Admin role mapping and entitlement. How can that be done, and is it supported out of the box?

Regards,
Maqsood.
21 Replies
Knowledge Partner

Re: AzureAD Driver -Support for Group Sync without Entitleme

Yes. But not in hybrid mode. Hybrid mode uses the normal ad driver for users and groups.

From documentation: https://www.netiq.com/documentation/identity-manager-46-drivers/msazure_ad/data/b8rffe7.html
maqsood1 Absent Member.

Re: AzureAD Driver -Support for Group Sync without Entitleme

Thanks for the info; I would believe it's possible to tweak the driver a bit to handle non-hybrid, eDirectory-based group sync? I don't see any point in syncing Azure AD groups based on the UserApp roles :-)


joakim_ganse;2458545 wrote:
Yes. But not in hybrid mode. Hybrid mode uses the normal ad driver for users and groups.

From documentation: https://www.netiq.com/documentation/identity-manager-46-drivers/msazure_ad/data/b8rffe7.html
Knowledge Partner

Re: AzureAD Driver -Support for Group Sync without Entitleme

User app roles implies entitlements so I guess that is the new stuff in the released driver. I would assume normal sync of users and groups should work just fine.
maqsood1 Absent Member.

Re: AzureAD Driver -Support for Group Sync without Entitleme

Actually, I tried to sync without the group entitlement, but it does not look like it works. With the group entitlement it only worked when I mapped a UserApp role to the Azure AD group!

We have lots of applications that use "group" from LDAP as the single entity to calculate user permissions, so it is very strange that NetIQ has moved group sync out of eDirectory up to UserApp roles. In order to achieve the group sync, we need to:

a) mirror the eDirectory group to a UserApp role in UserApp
b) create/provision the eDirectory group in Azure AD (provisioning does work from the AzureAD driver)
c) map the Azure AD group using the group entitlement from the UserApp Catalog Administrator
d) assign the user to the role via the UserApp role API to automate eDirectory group membership adds and removes

What a hack!
sdhaval1 Absent Member.

Re: AzureAD Driver -Support for Group Sync without Entitleme

Hi Maqsood,

I truly don't understand why you would have to do such a hack for group sync when you do not want to use entitlements. Group sync in the Azure AD driver works like group sync in any other driver. I am attaching a sample trace document to show how it would work in the Azure driver. I hope it helps. I would advise you to recheck your driver configuration.

[05/31/17 15:53:52.229]:Azure AD Driver ST:Submitting document to subscriber shim:
[05/31/17 15:53:52.230]:Azure AD Driver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.5.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<add cached-time="20170531215349.477Z" class-name="Group" event-id="nsa1#20170531215349#1#1:ddf4b944-3651-429c-db98-44b9f4dd5136" qualified-src-dn="O=data\OU=groups\CN=AzureGrupe" src-dn="\PROVO\data\groups\AzureGrupe" src-entry-id="124579" timestamp="1496267629#8">
<add-attr attr-name="displayName">
<value timestamp="1496267629#8" type="string">AzureGrupe</value>
</add-attr>
<add-attr attr-name="mailNickname">
<value type="string">AzureGrupe</value>
</add-attr>
<add-attr attr-name="mailEnabled">
<value type="string">false</value>
</add-attr>
<add-attr attr-name="securityEnabled">
<value type="string">true</value>
</add-attr>
<operation-data attempt-to-match="true" unmatched-src-dn="AzureGrupe"/>
</add>
</input>
</nds>
[05/31/17 15:53:52.234]:Azure AD Driver ST:Stripping operation data from input document
[05/31/17 15:53:52.238]:Azure AD Driver ST:Azure AD Driver: AZSubscriber.execute()
[05/31/17 15:53:52.536]:Azure AD Driver ST:Azure AD Driver: Sending command document to subscriber
[05/31/17 15:53:52.536]:Azure AD Driver ST:
<nds dtdversion="4.x" ndsversion="8.x">
<source>
<product version="5.0.1.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="groups" command="add">
<request method="POST">
<url-token api-version="?api-version=1.6"/>
<header Content-Type="application/json"/>
<value>{"odata.type":"Microsoft.DirectoryServices.Group","displayName":"AzureGrupe","mailNickname":"AzureGrupe","mailEnabled":false,"securityEnabled":true}</value>
</request>
</driver-operation-data>
</input>
</nds>
[05/31/17 15:53:52.539]:Azure AD Driver ST:Azure AD Driver_Azure: sub-execute
[05/31/17 15:53:52.539]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
[05/31/17 15:53:52.540]:Azure AD Driver ST:Azure AD Driver_Azure: addHandler
[05/31/17 15:53:52.540]:Azure AD Driver ST:Azure AD Driver_Azure: addHandler: class-name == 'groups'
[05/31/17 15:53:52.559]:Azure AD Driver ST:Azure AD Driver_Azure: Add: preparing POST to https://graph.windows.net/****.onmicrosoft.com/groups?api-version=1.6
[05/31/17 15:53:52.560]:Azure AD Driver ST:Azure AD Driver_Azure: Setting the following HTTP request properties:
Authorization: <content suppressed>
[05/31/17 15:53:52.561]:Azure AD Driver ST:Azure AD Driver_Azure: Content-Type:application/json
[05/31/17 15:53:52.561]:Azure AD Driver ST:Azure AD Driver_Azure: OAuth2: Token is valid.
[05/31/17 15:53:52.562]:Azure AD Driver ST:Azure AD Driver_Azure: OAuth2: Token is valid.
[05/31/17 15:53:52.562]:Azure AD Driver ST:Azure AD Driver_Azure: Did a HTTP POST with 148 bytes of data to https://graph.windows.net/****.onmicrosoft.com/groups?api-version=1.6
[05/31/17 15:53:52.698]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 201 Created
[05/31/17 15:53:52.699]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
[05/31/17 15:53:52.700]:Azure AD Driver ST:Azure AD Driver: Received response document from subscriber
[05/31/17 15:53:52.701]:Azure AD Driver ST:
<nds dtdversion="3.0">
<source>
<product build="20160929_0556" version="1.0.0.0">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="groups" command="add" dest-dn="">
<response method="POST">
<url-token api-version="?api-version=1.6"/>
<header Content-Type="application/json"/>
<value message="Created" status="201">{"odata.metadata":"https://graph.windows.net/****.onmicrosoft.com/$metadata#directoryObjects/Microsoft.DirectoryServices.Group/@Element","odata.type":"Microsoft.DirectoryServices.Group","objectType":"Group","objectId":"2e6ff18a-a04a-418a-9f15-f4eac6d27aac","deletionTimestamp":null,"description":null,"dirSyncEnabled":null,"displayName":"AzureGrupe","lastDirSyncTime":null,"mail":null,"mailNickname":"AzureGrupe","mailEnabled":false,"onPremisesSecurityIdentifier":null,"provisioningErrors":[],"proxyAddresses":[],"securityEnabled":true}</value>
</response>
</driver-operation-data>
</status>
</output>
</nds>
[05/31/17 15:53:52.775]:Azure AD Driver ST:Restoring operation data to output document
[05/31/17 15:53:52.776]:Azure AD Driver ST:SubscriptionShim.execute() returned:
[05/31/17 15:53:52.776]:Azure AD Driver ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20170502_0106" instance="Azure AD Driver" version="5.0.1.0">Identity Manager Driver for Azure AD and Office 365</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<add-association dest-dn="\PROVO\data\groups\AzureGrupe" dest-entry-id="" event-id="nsa1#20170531215349#1#1:ddf4b944-3651-429c-db98-44b9f4dd5136">2e6ff18a-a04a-418a-9f15-f4eac6d27aac<operation-data attempt-to-match="true" unmatched-src-dn="AzureGrupe"/>
</add-association>
<status event-id="nsa1#20170531215349#1#1:ddf4b944-3651-429c-db98-44b9f4dd5136" level="success">
<operation-data attempt-to-match="true" unmatched-src-dn="AzureGrupe"/>
</status>
</output>
</nds>

-Thanks,
Dhaval
Knowledge Partner

Re: AzureAD Driver -Support for Group Sync without Entitleme

Thank you, Dhaval!
You just confirmed my expectation.

I believe the situation with groups is similar to the situation with license management: the default driver functionality is built on top of entitlements (which really creates issues for IDM SE users).
It can work without entitlements, but requires removing some entitlement stub policies.

For example, MFAZUREENTL-sub-ctp-EntitlementsImpl has the policy "GroupMembership entitlement: veto membership without entitlement".
sdhaval1 Absent Member.

Re: AzureAD Driver -Support for Group Sync without Entitleme

No, I don't think that is completely true. I agree on the license management part (that entitlements are needed) but not on the group membership part. The policy you mention only comes into effect when group entitlements are ON. Otherwise, membership events are not vetoed.
maqsood1 Absent Member.

Re: AzureAD Driver -Support for Group Sync without Entitleme

Hello Dhaval,

I like your approach of replying to threads by sharing policies and logs.

By the way, to be clear, I am talking about group and group membership sync without the group entitlement. As I wrote, I was able to sync the group but not the group membership 😞

Maqsood
sdhaval1 Absent Member.

Re: AzureAD Driver -Support for Group Sync without Entitleme

Here are similar logs for adding group memberships. Make sure you have the group entitlements turned off in the driver GCVs.

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.5.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20170601211145.867Z" class-name="Group" event-id="nsa1#20170601211145#1#1:d814ad4b-5c91-4f7f-b09c-4bad14d8915c" qualified-src-dn="O=data\OU=groups\CN=AzureGrupe" src-dn="\PROVO\data\groups\AzureGrupe" src-entry-id="124579" timestamp="1496351505#1">
<association state="associated">2e6ff18a-a04a-418a-9f15-f4eac6d27aac</association>
<modify-attr attr-name="members">
<add-value>
<value association-ref="0766b747-b691-42c7-bdcd-38437f2dedcf" timestamp="1496351505#1" type="dn">\PROVO\data\users\Alan</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[06/01/17 15:11:46.715]:Azure AD Driver ST:Azure AD Driver: AZSubscriber.execute()
[06/01/17 15:11:46.718]:Azure AD Driver ST:Azure AD Driver: Sending command document to subscriber
[06/01/17 15:11:46.718]:Azure AD Driver ST:
<nds dtdversion="4.x" ndsversion="8.x">
<source>
<product version="5.0.1.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="groups" command="query">
<request method="GET">
<url-token api-version="?api-version=1.6" association="2e6ff18a-a04a-418a-9f15-f4eac6d27aac"/>
<header Content-Type="application/json"/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
[06/01/17 15:11:46.725]:Azure AD Driver ST:Azure AD Driver_Azure: sub-execute
[06/01/17 15:11:46.725]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
[06/01/17 15:11:46.726]:Azure AD Driver ST:Azure AD Driver_Azure: queryHandler
[06/01/17 15:11:46.726]:Azure AD Driver ST:Azure AD Driver_Azure: queryHandler: class-name == 'groups'
[06/01/17 15:11:46.726]:Azure AD Driver ST:Azure AD Driver_Azure: Query: preparing GET to https://graph.windows.net/****.onmicrosoft.com/groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac?api-version=1.6
[06/01/17 15:11:46.735]:Azure AD Driver ST:Azure AD Driver_Azure: Setting the following HTTP request properties:
Authorization: <content suppressed>
[06/01/17 15:11:46.737]:Azure AD Driver ST:Azure AD Driver_Azure: Content-Type:application/json
[06/01/17 15:11:46.737]:Azure AD Driver ST:Azure AD Driver_Azure: OAuth2: Token is valid.
[06/01/17 15:11:46.738]:Azure AD Driver ST:Azure AD Driver_Azure: OAuth2: Token is valid.
[06/01/17 15:11:46.738]:Azure AD Driver ST:Azure AD Driver_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/****.onmicrosoft.com/groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac?api-version=1.6
[06/01/17 15:11:46.806]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 200 OK
[06/01/17 15:11:46.807]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
[06/01/17 15:11:46.808]:Azure AD Driver ST:Azure AD Driver: Received response document from subscriber
[06/01/17 15:11:46.808]:Azure AD Driver ST:
<nds dtdversion="3.0">
<source>
<product build="20160929_0556" version="1.0.0.0">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="groups" command="query" dest-dn="">
<response method="GET">
<url-token api-version="?api-version=1.6" association="2e6ff18a-a04a-418a-9f15-f4eac6d27aac"/>
<header Content-Type="application/json"/>
<value message="OK" status="200">{"odata.metadata":"https://graph.windows.net/****.onmicrosoft.com/$metadata#directoryObjects/Microsoft.DirectoryServices.Group/@Element","odata.type":"Microsoft.DirectoryServices.Group","objectType":"Group","objectId":"2e6ff18a-a04a-418a-9f15-f4eac6d27aac","deletionTimestamp":null,"description":null,"dirSyncEnabled":null,"displayName":"AzureGrupe","lastDirSyncTime":null,"mail":null,"mailNickname":"AzureGrupe","mailEnabled":false,"onPremisesSecurityIdentifier":null,"provisioningErrors":[],"proxyAddresses":[],"securityEnabled":true}</value>
</response>
</driver-operation-data>
</status>
</output>
</nds>
[06/01/17 15:11:46.816]:Azure AD Driver ST:Azure AD Driver: Sending command document to subscriber
[06/01/17 15:11:46.824]:Azure AD Driver ST:
<nds dtdversion="4.x" ndsversion="8.x">
<source>
<product version="5.0.1.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="Groups" command="query">
<request method="GET">
<url-token association="2e6ff18a-a04a-418a-9f15-f4eac6d27aac"/>
<header Content-Type="application/json"/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
[06/01/17 15:11:46.830]:Azure AD Driver ST:Azure AD Driver_Exchange: sub-execute
[06/01/17 15:11:46.830]:Azure AD Driver ST:Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
[06/01/17 15:11:46.832]:Azure AD Driver ST:Azure AD Driver_Exchange: queryHandler
[06/01/17 15:11:46.837]:Azure AD Driver ST:Azure AD Driver_Exchange: queryHandler: class-name == 'Groups'
[06/01/17 15:11:46.840]:Azure AD Driver ST:Azure AD Driver_Exchange: Query: preparing GET to https://164.99.44.80:9009/ExchServer/****.onmicrosoft.com/Groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac
[06/01/17 15:11:46.841]:Azure AD Driver ST:Azure AD Driver_Exchange: Setting the following HTTP request properties:
Authorization: <content suppressed>
[06/01/17 15:11:46.842]:Azure AD Driver ST:Azure AD Driver_Exchange: Content-Type:application/json
[06/01/17 15:11:46.842]:Azure AD Driver ST:Azure AD Driver_Exchange: Did a HTTP GET with 0 bytes of data to https://164.99.44.80:9009/ExchServer/****.onmicrosoft.com/Groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac
[06/01/17 15:11:47.322]:Azure AD Driver ST:Azure AD Driver_Exchange: Response code and message: 404 Group not found.
[06/01/17 15:11:47.323]:Azure AD Driver ST:Azure AD Driver_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
[06/01/17 15:11:47.324]:Azure AD Driver ST:Azure AD Driver: Received response document from subscriber
[06/01/17 15:11:47.325]:Azure AD Driver ST:
<nds dtdversion="3.0">
<source>
<product build="20160929_0556" version="1.0.0.0">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="error" type="driver-general">
<driver-operation-data class-name="Groups" command="query" dest-dn="">
<response method="GET">
<url-token association="2e6ff18a-a04a-418a-9f15-f4eac6d27aac"/>
<header Content-Type="application/json"/>
<value message="Group not found." status="404"/>
</response>
</driver-operation-data>
</status>
</output>
</nds>
[06/01/17 15:11:47.327]:Azure AD Driver ST:Azure AD Driver: Sending command document to subscriber
[06/01/17 15:11:47.328]:Azure AD Driver ST:
<nds dtdversion="4.x" ndsversion="8.x">
<source>
<product version="5.0.1.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="groups" command="query-members">
<request method="GET" url="https://graph.windows.net/****.onmicrosoft.com/directoryObjects/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/members?api-version=1.6">
<url-token/>
<header Content-Type="application/json"/>
<value/>
</request>
</driver-operation-data>
</input>
</nds>
[06/01/17 15:11:47.330]:Azure AD Driver ST:Azure AD Driver_Azure: sub-execute
[06/01/17 15:11:47.331]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
[06/01/17 15:11:47.331]:Azure AD Driver ST:Azure AD Driver_Azure: customHandler
[06/01/17 15:11:47.332]:Azure AD Driver ST:Azure AD Driver_Azure: customHandler: class-name == 'groups'
[06/01/17 15:11:47.332]:Azure AD Driver ST:Azure AD Driver_Azure: Custom: preparing GET to https://graph.windows.net/****.onmicrosoft.com/directoryObjects/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/members?api-version=1.6
[06/01/17 15:11:47.333]:Azure AD Driver ST:Azure AD Driver_Azure: Setting the following HTTP request properties:
Authorization: <content suppressed>
[06/01/17 15:11:47.334]:Azure AD Driver ST:Azure AD Driver_Azure: Content-Type:application/json
[06/01/17 15:11:47.334]:Azure AD Driver ST:Azure AD Driver_Azure: OAuth2: Token is valid.
[06/01/17 15:11:47.334]:Azure AD Driver ST:Azure AD Driver_Azure: OAuth2: Token is valid.
[06/01/17 15:11:47.335]:Azure AD Driver ST:Azure AD Driver_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/****.onmicrosoft.com/directoryObjects/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/members?api-version=1.6
[06/01/17 15:11:47.407]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 200 OK
[06/01/17 15:11:47.407]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
[06/01/17 15:11:47.408]:Azure AD Driver ST:Azure AD Driver: Received response document from subscriber
[06/01/17 15:11:47.409]:Azure AD Driver ST:
<nds dtdversion="3.0">
<source>
<product build="20160929_0556" version="1.0.0.0">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="groups" command="query-members" dest-dn="">
<response method="GET" url="https://graph.windows.net/****.onmicrosoft.com/directoryObjects/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/members?api-version=1.6">
<url-token/>
<header Content-Type="application/json"/>
<value message="OK" status="200">{"odata.metadata":"https://graph.windows.net/****.onmicrosoft.com/$metadata#directoryObjects","value":[]}</value>
</response>
</driver-operation-data>
</status>
</output>
</nds>
[06/01/17 15:11:47.412]:Azure AD Driver ST:Azure AD Driver: Sending command document to subscriber
[06/01/17 15:11:47.413]:Azure AD Driver ST:
<nds dtdversion="4.x" ndsversion="8.x">
<source>
<product version="5.0.1.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="groups" command="modify-members">
<request method="POST" url="https://graph.windows.net/****.onmicrosoft.com/groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/$links/members?api-version=1.6">
<url-token/>
<header Content-Type="application/json"/>
<value>{"url":"https://graph.windows.net/****.onmicrosoft.com/directoryObjects/0766b747-b691-42c7-bdcd-38437f2dedcf"}</value>
</request>
</driver-operation-data>
</input>
</nds>
[06/01/17 15:11:47.416]:Azure AD Driver ST:Azure AD Driver_Azure: sub-execute
[06/01/17 15:11:47.416]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
[06/01/17 15:11:47.417]:Azure AD Driver ST:Azure AD Driver_Azure: customHandler
[06/01/17 15:11:47.417]:Azure AD Driver ST:Azure AD Driver_Azure: customHandler: class-name == 'groups'
[06/01/17 15:11:47.418]:Azure AD Driver ST:Azure AD Driver_Azure: Custom: preparing POST to https://graph.windows.net/****.onmicrosoft.com/groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/$links/members?api-version=1.6
[06/01/17 15:11:47.419]:Azure AD Driver ST:Azure AD Driver_Azure: Setting the following HTTP request properties:
Authorization: <content suppressed>
[06/01/17 15:11:47.419]:Azure AD Driver ST:Azure AD Driver_Azure: Content-Type:application/json
[06/01/17 15:11:47.420]:Azure AD Driver ST:Azure AD Driver_Azure: OAuth2: Token is valid.
[06/01/17 15:11:47.420]:Azure AD Driver ST:Azure AD Driver_Azure: OAuth2: Token is valid.
[06/01/17 15:11:47.420]:Azure AD Driver ST:Azure AD Driver_Azure: Did a HTTP POST with 126 bytes of data to https://graph.windows.net/****.onmicrosoft.com/groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/$links/members?api-version=1.6
[06/01/17 15:11:47.554]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 204 No Content
[06/01/17 15:11:47.554]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
[06/01/17 15:11:47.555]:Azure AD Driver ST:Azure AD Driver: Received response document from subscriber
[06/01/17 15:11:47.556]:Azure AD Driver ST:
<nds dtdversion="3.0">
<source>
<product build="20160929_0556" version="1.0.0.0">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="success" type="driver-general">
<driver-operation-data class-name="groups" command="modify-members" dest-dn="">
<response method="POST" url="https://graph.windows.net/****.onmicrosoft.com/groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/$links/members?api-version=1.6">
<url-token/>
<header Content-Type="application/json"/>
<value message="No Content" status="204"/>
</response>
</driver-operation-data>
</status>
</output>
</nds>
[06/01/17 15:11:47.559]:Azure AD Driver ST:SubscriptionShim.execute() returned:
[06/01/17 15:11:47.559]:Azure AD Driver ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20170502_0106" instance="Azure AD Driver" version="5.0.1.0">Identity Manager Driver for Azure AD and Office 365</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="nsa1#20170601211145#1#1:d814ad4b-5c91-4f7f-b09c-4bad14d8915c" level="success"/>
</output>
</nds>
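Dhaval's two traces (the group add in his earlier reply and the membership add in this one) show the subscriber channel as a sequence of HTTP calls to the Graph API, each followed by a response code. The script below is an added example, not part of this thread and not code from the NetIQ driver: it parses trace lines of that shape into HTTP calls paired with their response codes, confirms that a membership add reached the group's `$links/members` endpoint and got a 204, lists the calls that failed (the Exchange service's 404 in the trace above shows up this way, and is harmless when the Exchange service is not in use), and checks that every `Authorization:` line in the trace reads `<content suppressed>` rather than carrying a bearer token, which is what you want before a trace file is attached to an SR or a forum post. The sample trace is a constructed subset of the lines quoted above; the regular expressions, the function names and the `analyze_trace` summary are my own assumptions about the trace format, not a documented driver interface.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the trace lines quoted in this thread, in the
# same shape (the tenant is already masked as ****.onmicrosoft.com in the original).
GROUP_ID = "2e6ff18a-a04a-418a-9f15-f4eac6d27aac"
SAMPLE_TRACE = """\
[06/01/17 15:11:46.738]:Azure AD Driver ST:Azure AD Driver_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/****.onmicrosoft.com/groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac?api-version=1.6
[06/01/17 15:11:46.806]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 200 OK
[06/01/17 15:11:46.841]:Azure AD Driver ST:Azure AD Driver_Exchange: Setting the following HTTP request properties:
Authorization: <content suppressed>
[06/01/17 15:11:46.842]:Azure AD Driver ST:Azure AD Driver_Exchange: Did a HTTP GET with 0 bytes of data to https://164.99.44.80:9009/ExchServer/****.onmicrosoft.com/Groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac
[06/01/17 15:11:47.322]:Azure AD Driver ST:Azure AD Driver_Exchange: Response code and message: 404 Group not found.
[06/01/17 15:11:47.335]:Azure AD Driver ST:Azure AD Driver_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/****.onmicrosoft.com/directoryObjects/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/members?api-version=1.6
[06/01/17 15:11:47.407]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 200 OK
[06/01/17 15:11:47.420]:Azure AD Driver ST:Azure AD Driver_Azure: Did a HTTP POST with 126 bytes of data to https://graph.windows.net/****.onmicrosoft.com/groups/2e6ff18a-a04a-418a-9f15-f4eac6d27aac/$links/members?api-version=1.6
[06/01/17 15:11:47.554]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 204 No Content
"""

# Assumed line shapes, taken from the trace quoted in the thread (not a documented format).
REQUEST_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:.*?:(?P<component>Azure AD Driver_\w+): "
    r"Did a HTTP (?P<method>[A-Z]+) with (?P<bytes>\d+) bytes of data to (?P<url>\S+)$"
)
RESPONSE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:.*?:(?P<component>Azure AD Driver_\w+): "
    r"Response code and message: (?P<status>\d{3}) ?(?P<message>.*)$"
)
AUTH_RE = re.compile(r"^Authorization:\s*(?P<value>.*)$")


@dataclass
class HttpCall:
    component: str          # which sub-shim made the call (_Azure or _Exchange)
    method: str
    url: str
    status: Optional[int] = None   # filled in when the matching response line is seen
    message: str = ""


def parse_trace(text: str) -> Tuple[List[HttpCall], List[str]]:
    """Turn trace lines into HTTP calls and collect every Authorization header value."""
    calls: List[HttpCall] = []
    auth_values: List[str] = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            calls.append(HttpCall(m["component"], m["method"], m["url"]))
            continue
        m = RESPONSE_RE.match(line)
        if m:
            # Pair the response with the most recent unanswered call from the same sub-shim.
            for call in reversed(calls):
                if call.component == m["component"] and call.status is None:
                    call.status = int(m["status"])
                    call.message = m["message"].strip()
                    break
            continue
        m = AUTH_RE.match(line)
        if m:
            auth_values.append(m["value"])
    return calls, auth_values


def membership_add_confirmed(calls: List[HttpCall], group_id: str) -> bool:
    """True when the Graph sub-shim POSTed to the group's $links/members and got 204."""
    for c in calls:
        path = c.url.split("?", 1)[0]
        if (c.component.endswith("_Azure") and c.method == "POST"
                and path.endswith(f"/groups/{group_id}/$links/members")
                and c.status == 204):
            return True
    return False


def authorization_headers_redacted(auth_values: List[str]) -> bool:
    """True only if no Authorization line carries anything but the driver's placeholder."""
    return all(v.strip() == "<content suppressed>" for v in auth_values)


def failed_calls(calls: List[HttpCall]) -> List[HttpCall]:
    """Calls with a 4xx/5xx response, or with no response line at all."""
    return [c for c in calls if c.status is None or c.status >= 400]


def analyze_trace(text: str, group_id: str) -> dict:
    calls, auth_values = parse_trace(text)
    return {
        "calls": len(calls),
        "membership_add_confirmed": membership_add_confirmed(calls, group_id),
        "authorization_redacted": authorization_headers_redacted(auth_values),
        "failed": [(c.component, c.status, c.message) for c in failed_calls(calls)],
    }


if __name__ == "__main__":
    for key, value in analyze_trace(SAMPLE_TRACE, GROUP_ID).items():
        print(f"{key}: {value}")
```

Run it against a real trace by reading the trace file into `analyze_trace` with the group's association value; a membership event that is vetoed by the entitlement policy never produces the `$links/members` POST, so `membership_add_confirmed` stays false and points you at the driver GCVs rather than at Graph.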
maqsood1 Absent Member.

Re: AzureAD Driver -Support for Group Sync without Entitleme

Hello

Thank you for the answer. Do you mean that if I turn off the group entitlement on the driver, it would then do eDirectory to Azure AD group sync, in non-hybrid driver mode? One thing I can see in your logs is that the driver is also trying to update the group in Exchange Online explicitly, in addition to Azure AD. Is this the default behavior of the driver?

I am unable to use the NetIQ IDMExchangeService; would you please help me with that? I can go straight ahead and create an SR with NetIQ support on this, but I don't think support at NetIQ is so familiar with the new Azure AD driver, and it will just take tooooooooooo long before it's NOT RESOLVED!


Maqsood.
sdhaval1 Absent Member.
Re: AzureAD Driver -Support for Group Sync without Entitleme

Maqsood,

NetIQ Support is completely adept at supporting the driver. Feel free to raise SR(s) when you are in need of help.

Yes, if you have installed the entitlements packages you need to turn off the group entitlement. It is "ON" by default. You should then be able to synchronize group membership, assuming you have set up the driver correctly. In my logs the driver tries to contact Exchange because I have an Exchange service running. If you do not need the Exchange service you can turn it off in the driver parameters. In this case the driver would not attempt to contact the Exchange service.

-Thanks,
Dhaval