
AzureAD driver doesn't create distribution group
Hi,
IDM 4.7.3
IDM Driver for Azure AD and Office 365 5.1.2(Hybrid mode = false)
I'm trying to create distribution groups in AzureAD with the AzureAD driver, but it does not succeed.
The log file from the RemoteLoader instance provides too little information for me to troubleshoot, although the log level is set to 10. The output from the shim says success, but no groups are created in Azure. See attached azure-Trace-snip.txt for RL-trace details.
Since the Microsoft Graph API does not support creating distribution groups, my expectation was that this would be done via the IDM Exchange Online service. But nothing appears in its trace.
Do you have any suggestions on what I could troubleshoot or what could be the problem?
Thanks a lot.
Martin

Hi,
AFAIK the Azure driver only uses the Graph API to create groups, so I think the only options are M365 groups or security groups that are not mail-enabled, unless you do something custom with Exchange PowerShell.
Syncing group members seems to be working fine even for mail-enabled groups, since that is handled by the Exchange PowerShell service.
In your trace you have mail-enabled set to false, but you still provide an email address. Does it work if you don't include it?
Still, I think you should be seeing much more going on in the RL trace. I've included traces from the driver I'm developing at the moment if you want to compare.
Regards,
Philip


https://www.netiq.com/documentation/identity-manager-48-drivers/msazure_ad/data/driver-features.html
The following Exchange groups can be added through the Subscriber channel:
Distribution Group
Security Group
Office 365 Group


Did you inject the object type "Distribution", when you tried to create this distribution group object?
Object type specified in the DirXML-AADObjectType attribute
DirXML-AADObjectType: Contains the type for a user or a group object.
Name          Description
UserMailbox   Creates a mailbox user in Exchange Online
MailUser      Creates a mail user in Exchange Online
Distribution  Creates a distribution group in Exchange Online
Security      Creates a security group in Exchange Online
UnifiedGroup  Creates an Office 365 group in Exchange Online
https://www.netiq.com/documentation/identity-manager-47-drivers/msazure_ad/data/understanding-identity-manager-exchange-service.html


I can't see DirXML-AADObjectType in your trace

Hi,
My mistake, I had just assumed the group creation was all handled by Graph, and so I was following the Microsoft docs https://docs.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0 .
I guess maybe the shim uses different APIs depending on the object type? When trying to create a distribution list without it I get an error saying that email cannot be enabled, but when I add the object type to the operation I get the same behavior as Martin (the value doesn't seem to matter). But I've done quite a lot of modifications, so there's probably something else missing.
For me it's fine though, my customer was ok with only creating security groups. But it's good to know that it should be possible, thank you!

Hi,
I also have issues with this. I'm able to create Distribution List groups by setting DirXML-AADObjectType, but I am not able to create O365 groups by setting the value to "UnifiedGroup".
I am getting a successful response in the driver trace and the exchange log produces this:
[12/16/2020 13:09:41.416]*domain* – https://192.168.100.100:9001/ExchServer/*domain*/Groups?type=UnifiedGroup
[12/16/2020 13:09:41.416] *domain*– Invoking: New-DistributionGroup
DisplayName: Computing - DL
Name: Computing - DL
Type: UnifiedGroup
Notes: Computing - DL
And then it ends.
Are there additional attributes or configurations necessary for unified groups? I see that it uses the "New-DistributionGroup" cmdlet, which is limited to Distribution and Security groups. Can I make the Exchange service do it differently?
Thanks!


If it uses PowerShell for GroupManagement, I expect to see the "New-UnifiedGroup" command.
This is just my understanding of the process:
1. The driver connects to your "local" Exchange service web app.
2. It sends the right request:
https://192.168.100.100:9001/ExchServer/*domain*/Groups?type=UnifiedGroup
3. Based on this info, the Exchange service executes PowerShell commands.
4. New-DistributionGroup is the wrong PowerShell command for UnifiedGroup creation.
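The cmdlet mapping this post describes, written out as an added PowerShell example (this is not the driver's or the Exchange service's own code; the function name Resolve-GroupCreateCommand is hypothetical). It picks the Exchange Online cmdlet for each DirXML-AADObjectType value and builds the parameters, deriving a space-free alias from the display name. Executing the resulting call requires the ExchangeOnlineManagement module and Connect-ExchangeOnline; the script itself only prints the calls.

```powershell
# Added example, not code from the driver or its Exchange service.
# Given a DirXML-AADObjectType value, choose the Exchange Online cmdlet that
# can create that kind of group and assemble its parameters.

function Resolve-GroupCreateCommand {
    param(
        [Parameter(Mandatory)] [string] $ObjectType,    # DirXML-AADObjectType value
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $Notes
    )

    # The Exchange alias (mail nickname) may not contain spaces; derive one from
    # the display name so "Computing - DL" becomes "Computing-DL".
    $alias = $DisplayName -replace '[^A-Za-z0-9\-_.]', ''
    if (-not $alias) { throw "Cannot derive an alias from display name '$DisplayName'" }

    $params = @{ DisplayName = $DisplayName; Alias = $alias }
    if ($Notes) { $params.Notes = $Notes }

    switch ($ObjectType) {
        'Distribution' {
            $cmdlet = 'New-DistributionGroup'
            $params.Name = $DisplayName
            $params.Type = 'Distribution'
        }
        'Security' {
            # Mail-enabled security group; New-DistributionGroup covers it via -Type.
            $cmdlet = 'New-DistributionGroup'
            $params.Name = $DisplayName
            $params.Type = 'Security'
        }
        'UnifiedGroup' {
            # A Microsoft 365 group is a different object type: New-DistributionGroup
            # has no -Type value for it, so the call has to be New-UnifiedGroup.
            $cmdlet = 'New-UnifiedGroup'
        }
        default { throw "Unsupported DirXML-AADObjectType '$ObjectType'" }
    }

    return [pscustomobject]@{ Cmdlet = $cmdlet; Parameters = $params }
}

# Print the call that would be made for each type without touching the tenant.
foreach ($type in 'Distribution', 'Security', 'UnifiedGroup') {
    $plan = Resolve-GroupCreateCommand -ObjectType $type -DisplayName 'Computing - DL' -Notes 'Computing - DL'
    $argText = ($plan.Parameters.GetEnumerator() | Sort-Object Key |
                ForEach-Object { "-$($_.Key) '$($_.Value)'" }) -join ' '
    Write-Output "$type -> $($plan.Cmdlet) $argText"
}

# To execute for real after Connect-ExchangeOnline, splat the parameters;
# -WhatIf reports the call without creating anything:
#   $p = $plan.Parameters; & $plan.Cmdlet @p -WhatIf
```

The point of the switch is the third branch: the trace in the post above shows "Invoking: New-DistributionGroup" with "Type: UnifiedGroup", and there is no such -Type value on that cmdlet, which is consistent with the request ending without an object being created.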

The driver call to Graph:
<nds dtdversion="4.x" ndsversion="8.x">
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="groups" command="add">
<request method="POST">
<url-token api-version="?api-version=1.6"/>
<header Content-Type="application/json"/>
<value>{"odata.type":"Microsoft.DirectoryServices.Group","displayName":"testazure_ad05"}</value>
</request>
</driver-operation-data>
</input>
</nds>
and the output:
[01/26/21 17:04:10.322]:Azure AD Driver ST:Azure AD Driver_Azure: X-Powered-By: ASP.NET
[01/26/21 17:04:10.322]:Azure AD Driver ST:Azure AD Driver_Azure: Strict-Transport-Security: max-age=31536000; includeSubDomains
[01/26/21 17:04:10.322]:Azure AD Driver ST:Azure AD Driver_Azure: Access-Control-Allow-Origin: *
[01/26/21 17:04:10.323]:Azure AD Driver ST:Azure AD Driver_Azure: Date: Tue, 26 Jan 2021 16:04:10 GMT
[01/26/21 17:04:10.323]:Azure AD Driver ST:Azure AD Driver_Azure: Content-Length: 228
[01/26/21 17:04:10.323]:Azure AD Driver ST:Azure AD Driver_Azure: Sending http response with body :-
[01/26/21 17:04:10.324]:Azure AD Driver ST:Azure AD Driver_Azure: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"A value is required for property 'mailNickname' of resource 'Group'."},"requestId":"6398232b-51ed-4518-b611-418dbe105282","date":"2021-01-26T16:04:10"}}
[01/26/21 17:04:10.325]:Azure AD Driver ST:Azure AD Driver_Azure: **********************END*****************************
[01/26/21 17:04:10.326]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 400 Bad Request
[01/26/21 17:04:10.326]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
[01/26/21 17:04:10.327]:Azure AD Driver ST:Azure AD Driver: Received response document from subscriber
[01/26/21 17:04:10.328]:Azure AD Driver ST:
<nds dtdversion="3.0">
<source>
Because the old Graph cannot create O365 groups...
I think there is a bug... don't you?
thanks
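An added example (not driver code; the function names are hypothetical) showing what the driver-operation-data <value> from the request above needs to contain for the Azure AD Graph api-version 1.6 endpoint to accept it. That API creates pure security groups only: mailNickname is required (the 400 "A value is required for property 'mailNickname'" in the trace), mailEnabled must be false and securityEnabled true, so neither a mail-enabled nor an O365 group can be created through it. The second function wraps the body in the same request envelope the trace shows.

```powershell
# Added example, not code from the driver. Builds a valid Azure AD Graph 1.6
# group-create body and the driver-operation-data request around it.

function New-AadGraphGroupBody {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $MailNickname
    )
    if (-not $MailNickname) {
        # Derive the nickname: ASCII letters, digits and .-_ only, at most 64 characters.
        $MailNickname = $DisplayName -replace '[^A-Za-z0-9\-_.]', ''
        if ($MailNickname.Length -gt 64) { $MailNickname = $MailNickname.Substring(0, 64) }
    }
    if (-not $MailNickname -or $MailNickname -match '[\s@]') {
        throw "mailNickname '$MailNickname' is empty or contains characters the service rejects"
    }
    $body = [ordered]@{
        'odata.type'    = 'Microsoft.DirectoryServices.Group'
        displayName     = $DisplayName
        mailNickname    = $MailNickname   # the property missing from the request in the trace
        mailEnabled     = $false          # Azure AD Graph rejects true: no mail-enabled groups here
        securityEnabled = $true
    }
    return ($body | ConvertTo-Json -Compress)
}

function New-DriverOperationData {
    param([Parameter(Mandatory)] [string] $JsonBody)
    # Escape the JSON so it survives as element text (& < > and quotes become entities).
    $escaped = [System.Security.SecurityElement]::Escape($JsonBody)
    return @"
<driver-operation-data class-name="groups" command="add">
<request method="POST">
<url-token api-version="?api-version=1.6"/>
<header Content-Type="application/json"/>
<value>$escaped</value>
</request>
</driver-operation-data>
"@
}

$json = New-AadGraphGroupBody -DisplayName 'testazure_ad05'
Write-Output $json
Write-Output (New-DriverOperationData -JsonBody $json)
```

With the display name from the trace, the body comes out as {"odata.type":"Microsoft.DirectoryServices.Group","displayName":"testazure_ad05","mailNickname":"testazure_ad05","mailEnabled":false,"securityEnabled":true}; what it cannot express is an O365 group, which is why that object type has to go through the Exchange service's PowerShell path instead.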


I would like to see the exact call that the driver is doing and where (Graph or PowerShell).
From my understanding, group management is covered by the PowerShell portion of the driver.

I'm trying to create an o365 group named testazure_ad05