Lieutenant Commander

AzureAD driver doesn't create distribution group

Hi,

IDM 4.7.3
IDM Driver for Azure AD and Office 365 5.1.2 (Hybrid mode = false)

I'm trying to create distribution groups in AzureAD with the AzureAD driver, but it does not succeed.

The log file from the RemoteLoader instance provides too little information for me to troubleshoot, although the log level is set to 10. The output from the shim says success, but no group is created in Azure. See the attached azure-Trace-snip.txt for RL trace details.

Since the Microsoft Graph API does not support creating distribution groups, my expectation was that this would be done via the IDM Exchange Online service. But nothing appears in its trace.

Do you have any suggestions on what I could troubleshoot or what could be the problem?

Thanks a lot.

Martin

17 Replies
Commander

Hi,

Afaik the Azure driver only uses the Graph API to create groups, so I think the only options are M365 groups or security groups that are not mail-enabled, unless you do something custom with Exchange PowerShell.

Syncing group members seems to be working fine even for mail-enabled groups, since that is handled by the Exchange PowerShell service.

In your trace you have mail-enabled set to false, but you still provide an email address. Does it work if you don't include it?

Still, I think you should be seeing much more going on in the RL trace. I've included traces from the driver I'm developing at the moment if you want to compare.

Regards,
Philip

Knowledge Partner

According to the documentation, the AzureAD driver supports Distribution Groups:

https://www.netiq.com/documentation/identity-manager-48-drivers/msazure_ad/data/driver-features.html

The following Exchange groups can be added through the Subscriber channel:
Distribution Group
Security Group
Office 365 Group
Knowledge Partner

Did you inject the object type "Distribution", when you tried to create this distribution group object?

The object type is specified in the DirXML-AADObjectType attribute:

DirXML-AADObjectType: Contains the type for a user or a group object.

Name           Description
UserMailbox    Creates a mailbox user in Exchange Online
MailUser       Creates a mail user in Exchange Online
Distribution   Creates a distribution group in Exchange Online
Security       Creates a security group in Exchange Online
UnifiedGroup   Creates an Office 365 group in Exchange Online

https://www.netiq.com/documentation/identity-manager-47-drivers/msazure_ad/data/understanding-identity-manager-exchange-service.html

Knowledge Partner

I can't see DirXML-AADObjectType in your trace.

Commander

Hi,

My mistake, I had just assumed the group creation was all handled by Graph, so I was following the Microsoft docs: https://docs.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0 .

I guess maybe the shim uses different APIs depending on the object type? When trying to create a distribution list without it, I get an error saying that email cannot be enabled, but when I add the object type to the operation I get the same behavior as Martin (the value doesn't seem to matter). But I've done quite a lot of modifications, so there's probably something else missing.

For me it's fine though; my customer was OK with only creating security groups. But it's good to know that it should be possible, thank you!

Ensign

Hi,

I also have issues with this. I'm able to create Distribution List groups by setting DirXML-AADObjectType, but I am not able to create O365 groups by setting the value to "UnifiedGroup".

I am getting a successful response in the driver trace and the exchange log produces this:

[12/16/2020 13:09:41.416]*domain* – https://192.168.100.100:9001/ExchServer/*domain*/Groups?type=UnifiedGroup
[12/16/2020 13:09:41.416] *domain*– Invoking: New-DistributionGroup
DisplayName: Computing - DL
Name: Computing - DL
Type: UnifiedGroup
Notes: Computing - DL

And then it ends.

Are there additional attributes or configurations necessary for unified groups? I see that it uses the "New-DistributionGroup" cmdlet, which is limited to Distribution and Security groups. Can I make the Exchange service do it differently?

Thanks!

Knowledge Partner

Are you able to see anything in PowerShell logs?
Knowledge Partner

If it uses PowerShell for group management, I expect to see the "New-UnifiedGroup" command.

This is just my understanding of the process:
1. The driver connects to your "local" Exchange service web app.
2. It provides the right request:
https://192.168.100.100:9001/ExchServer/*domain*/Groups?type=UnifiedGroup
3. Based on this info, the Exchange service executes PowerShell commands.
4. New-DistributionGroup is the wrong PowerShell command for UnifiedGroup creation.

Commander

Unfortunately it doesn't.
The driver calls Graph:
<nds dtdversion="4.x" ndsversion="8.x">
<source>
<product version="5.1.0.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<driver-operation-data class-name="groups" command="add">
<request method="POST">
<url-token api-version="?api-version=1.6"/>
<header Content-Type="application/json"/>
<value>{"odata.type":"Microsoft.DirectoryServices.Group","displayName":"testazure_ad05"}</value>
</request>
</driver-operation-data>
</input>
</nds>


and the output:
[01/26/21 17:04:10.322]:Azure AD Driver ST:Azure AD Driver_Azure: X-Powered-By: ASP.NET
[01/26/21 17:04:10.322]:Azure AD Driver ST:Azure AD Driver_Azure: Strict-Transport-Security: max-age=31536000; includeSubDomains
[01/26/21 17:04:10.322]:Azure AD Driver ST:Azure AD Driver_Azure: Access-Control-Allow-Origin: *
[01/26/21 17:04:10.323]:Azure AD Driver ST:Azure AD Driver_Azure: Date: Tue, 26 Jan 2021 16:04:10 GMT
[01/26/21 17:04:10.323]:Azure AD Driver ST:Azure AD Driver_Azure: Content-Length: 228
[01/26/21 17:04:10.323]:Azure AD Driver ST:Azure AD Driver_Azure: Sending http response with body :-
[01/26/21 17:04:10.324]:Azure AD Driver ST:Azure AD Driver_Azure: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"A value is required for property 'mailNickname' of resource 'Group'."},"requestId":"6398232b-51ed-4518-b611-418dbe105282","date":"2021-01-26T16:04:10"}}
[01/26/21 17:04:10.325]:Azure AD Driver ST:Azure AD Driver_Azure: **********************END*****************************
[01/26/21 17:04:10.326]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 400 Bad Request
[01/26/21 17:04:10.326]:Azure AD Driver ST:Azure AD Driver_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
[01/26/21 17:04:10.327]:Azure AD Driver ST:Azure AD Driver: Received response document from subscriber
[01/26/21 17:04:10.328]:Azure AD Driver ST:
<nds dtdversion="3.0">
<source>


because the old Graph cannot create O365 groups...
I think there is a bug... don't you?

thanks
Knowledge Partner
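Two checks over the traces quoted in this thread (the Exchange service log in the Ensign's reply and the Remote Loader trace in the reply above), added here as an example and not part of the thread or of the NetIQ driver: one extracts the requested group type and the cmdlet the Exchange service actually invoked and compares them, the other pulls the HTTP status and the odata.error message out of the RL trace so a "success" in the shim output can be checked against the real response. The sample lines are constructed to match the shape of the posted ones; the UnifiedGroup to New-UnifiedGroup mapping is the expectation stated in the thread, not documented driver behaviour.

```python
import json
import re

# Constructed lines, shaped like the Exchange service log quoted in the thread.
EXCHANGE_LOG = """\
[12/16/2020 13:09:41.416]*domain* - https://192.168.100.100:9001/ExchServer/*domain*/Groups?type=UnifiedGroup
[12/16/2020 13:09:41.416] *domain*- Invoking: New-DistributionGroup
DisplayName: Computing - DL
Type: UnifiedGroup
"""

# Constructed lines, shaped like the Remote Loader trace quoted in the thread.
RL_TRACE = """\
[01/26/21 17:04:10.323]:Azure AD Driver ST:Azure AD Driver_Azure: Sending http response with body :-
[01/26/21 17:04:10.324]:Azure AD Driver ST:Azure AD Driver_Azure: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"A value is required for property 'mailNickname' of resource 'Group'."}}}
[01/26/21 17:04:10.326]:Azure AD Driver ST:Azure AD Driver_Azure: Response code and message: 400 Bad Request
"""

# Cmdlet expected per DirXML-AADObjectType group value. Distribution/Security come
# from the thread; UnifiedGroup -> New-UnifiedGroup is the thread's expectation (assumed).
EXPECTED_CMDLET = {
    "Distribution": "New-DistributionGroup",
    "Security": "New-DistributionGroup",
    "UnifiedGroup": "New-UnifiedGroup",
}


def check_exchange_log(log: str) -> dict:
    """Compare the ?type= requested by the driver with the cmdlet the service ran."""
    req_type = re.search(r"[?&]type=(\w+)", log)
    cmdlet = re.search(r"Invoking:\s*(\S+)", log)
    requested = req_type.group(1) if req_type else None
    invoked = cmdlet.group(1) if cmdlet else None
    return {
        "requested_type": requested,
        "invoked_cmdlet": invoked,
        "cmdlet_matches": EXPECTED_CMDLET.get(requested) == invoked,
    }


def check_rl_trace(trace: str) -> dict:
    """Extract the HTTP status and any odata.error (code, message) from a driver trace."""
    status = re.search(r"Response code and message:\s*(\d{3})", trace)
    result = {"status": int(status.group(1)) if status else None, "error": None}
    for line in trace.splitlines():
        start = line.find("{")  # the JSON body follows the trace prefix on its line
        if start < 0:
            continue
        try:
            body = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # not a JSON body (headers, separators)
        err = body.get("odata.error")
        if err:
            result["error"] = (err.get("code"), err.get("message", {}).get("value"))
    return result
```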

Are you able to increase the trace level on the driver and RemoteLoader side (maybe trace level 10)?
I would like to see the exact call the driver is making and where (Graph or PowerShell).

From my understanding, group management is covered by the PowerShell portion of the driver.
Commander

Hi, attached are the logs...
I'm trying to create an O365 group named testazure_ad05.


