
AzureAD shim filtering out ServerLegacyDN attribute

I'm using AzureAD driver 5.1.3 and there is a log entry in the remote loader trace that I do not understand.

I'm trying to read ServerLegacyDN (DirXML-AADLegacyExchangeDN) from AzureAD.

The query is sent to the remote loader, and in the trace I can see that the query should be executed:

DirXML: [03/08/21 15:06:02.96]: TRACE:  Remote Loader: Received command: SUBSCRIBER EXECUTE(4).
DirXML: [03/08/21 15:06:02.96]: TRACE:  Remote Loader: Calling SubscriptionShim.execute()
DirXML: [03/08/21 15:06:02.96]: TRACE:  <nds dtdversion="2.0">
	<input>
		<query class-name="User" event-id="0" scope="entry">
			<association>fd53c74c-86b3-4509-9bec-5a26fe6017c4</association>
			<read-attr attr-name="ServerLegacyDN"/>
		</query>
	</input>
</nds>
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD: AZSubscriber.execute()

But right after that I see the following in the RL trace:

DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD: QueryHandler: Filtering out read attribute 'ServerLegacyDN' for class User.

I assume that since the attribute is filtered out, there is no query to the Exchange service, so the attribute is not returned:

DirXML: [03/08/21 15:06:03.06]: TRACE:  <nds dtdversion="2.0" ndsversion="8.x">
	<source>
		<product build="20200922_0411" instance="AzureAD" version="5.1.3.0">Identity Manager Driver for Azure AD and Office 365</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<instance class-name="User" event-id="0" src-dn="user@domain.com">
			<association state="associated">fd53c74c-86b3-4509-9bec-5a26fe6017c4</association>
		</instance>
		<status event-id="0" level="success"/>
	</output>
</nds>

So I have repeated the same steps, but this time with ArchiveStatus (DirXML-AADArchiveStatus). It looks like this attribute is not filtered by the shim, and I can see that the query is also sent to the Exchange service. After that, the ArchiveStatus attribute is properly returned:

DirXML: [03/08/21 15:05:00.89]: TRACE:  <nds dtdversion="2.0" ndsversion="8.x">
	<source>
		<product build="20200922_0411" instance="AzureAD" version="5.1.3.0">Identity Manager Driver for Azure AD and Office 365</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<instance class-name="User" event-id="0" src-dn="user@domain.com">
			<association state="associated">fd53c74c-86b3-4509-9bec-5a26fe6017c4</association>
			<attr attr-name="ArchiveStatus">
				<value>None</value>
			</attr>
		</instance>
		<status event-id="0" level="success"/>
	</output>
</nds>

Please note that both DirXML-AADArchiveStatus and DirXML-AADLegacyExchangeDN attributes are in the driver's filter (publisher: synchronize, subscriber: ignore).

One more observation. When the driver shim is querying for ArchiveStatus, I can see that ServerLegacyDN is set on the user.

Question: Why do I get "AzureAD: QueryHandler: Filtering out read attribute 'ServerLegacyDN' for class User."?

RL trace when querying for ServerLegacyDN:

DirXML: [03/08/21 15:06:02.96]: TRACE:  Remote Loader: Received
DirXML: [03/08/21 15:06:02.96]: TRACE:  <nds dtdversion="2.0">
	<input>
		<query class-name="User" event-id="0" scope="entry">
			<association>fd53c74c-86b3-4509-9bec-5a26fe6017c4</association>
			<read-attr attr-name="ServerLegacyDN"/>
		</query>
	</input>
</nds>
DirXML: [03/08/21 15:06:02.96]: TRACE:  Remote Loader: Received command: SUBSCRIBER EXECUTE(4).
DirXML: [03/08/21 15:06:02.96]: TRACE:  Remote Loader: Calling SubscriptionShim.execute()
DirXML: [03/08/21 15:06:02.96]: TRACE:  <nds dtdversion="2.0">
	<input>
		<query class-name="User" event-id="0" scope="entry">
			<association>fd53c74c-86b3-4509-9bec-5a26fe6017c4</association>
			<read-attr attr-name="ServerLegacyDN"/>
		</query>
	</input>
</nds>
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD: AZSubscriber.execute()
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD: QueryHandler: Filtering out read attribute 'ServerLegacyDN' for class User.
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD: Processing query 
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD: Sending command document to subscriber
DirXML: [03/08/21 15:06:02.96]: TRACE:  <nds dtdversion="4.x" ndsversion="8.x">
	<source>
		<product version="5.1.3.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<input>
		<driver-operation-data class-name="users" command="query">
			<request method="GET">
				<url-token api-version="?api-version=1.6" association="fd53c74c-86b3-4509-9bec-5a26fe6017c4"/>
				<header Content-Type="application/json"/>
				<value/>
			</request>
		</driver-operation-data>
	</input>
</nds>
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD_Azure: sub-execute
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD_Azure: queryHandler
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD_Azure: queryHandler: class-name  == 'users'
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD_Azure: Query: preparing GET to https://graph.windows.net/domain.onmicrosoft.com/users/fd53c74c-86b3-4509-9bec-5a26fe6017c4?api-version=1.6
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD_Azure: Resetting headers
DirXML: [03/08/21 15:06:02.96]: TRACE:  AzureAD_Azure: Setting the following HTTP request properties:
 Authorization: <content suppressed>
DirXML: [03/08/21 15:06:02.97]: TRACE:  AzureAD_Azure:  Content-Type:application/json
DirXML: [03/08/21 15:06:02.97]: TRACE:  AzureAD_Azure: OAuth2: Token is valid.
DirXML: [03/08/21 15:06:02.97]: TRACE:  AzureAD_Azure: OAuth2: Token is valid.
DirXML: [03/08/21 15:06:02.97]: TRACE:  AzureAD_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/domain.onmicrosoft.com/users/fd53c74c-86b3-4509-9bec-5a26fe6017c4?api-version=1.6
DirXML: [03/08/21 15:06:03.06]: TRACE:  AzureAD_Azure: Response code and message: 200 OK
DirXML: [03/08/21 15:06:03.06]: TRACE:  AzureAD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
DirXML: [03/08/21 15:06:03.06]: TRACE:  AzureAD: Received response document from subscriber
DirXML: [03/08/21 15:06:03.06]: TRACE:  <nds dtdversion="3.0">
	<source>
		<product build="20181130_1107" version="1.0.2.0">Identity Manager REST Driver</product>
		<contact>NetIQ Corporation.</contact>
	</source>
	<output>
		<status level="success" type="driver-general">
			<driver-operation-data class-name="users" command="query" dest-dn="">
				<response method="GET">
					<url-token api-version="?api-version=1.6" association="fd53c74c-86b3-4509-9bec-5a26fe6017c4"/>
					<header Content-Type="application/json"/>
					<value message="OK" status="200">{"odata.metadata":"https://graph.windows.net/domain.onmicrosoft.com/$metadata#directoryObjects/@Element","odata.type":"Microsoft.DirectoryServices.User","objectType":"User","objectId":"fd53c74c-86b3-4509-9bec-5a26fe6017c4",...graph API user attributes...,"userPrincipalName":"user@domain.com","userState":null,"userStateChangedOn":null,"userType":"Member"}</value>
				</response>
			</driver-operation-data>
		</status>
	</output>
</nds>
DirXML: [03/08/21 15:06:03.06]: TRACE:  Remote Loader: SubscriptionShim.execute() returned:
DirXML: [03/08/21 15:06:03.06]: TRACE:  <nds dtdversion="2.0" ndsversion="8.x">
	<source>
		<product build="20200922_0411" instance="AzureAD" version="5.1.3.0">Identity Manager Driver for Azure AD and Office 365</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<instance class-name="User" event-id="0" src-dn="user@domain.com">
			<association state="associated">fd53c74c-86b3-4509-9bec-5a26fe6017c4</association>
		</instance>
		<status event-id="0" level="success"/>
	</output>
</nds>

RL trace when querying for ArchiveStatus:

DirXML: [03/08/21 15:04:59.42]: TRACE:  Remote Loader: Received
DirXML: [03/08/21 15:04:59.42]: TRACE:  <nds dtdversion="2.0">
	<input>
		<query class-name="User" event-id="0" scope="entry">
			<association>fd53c74c-86b3-4509-9bec-5a26fe6017c4</association>
			<read-attr attr-name="ArchiveStatus"/>
		</query>
	</input>
</nds>
DirXML: [03/08/21 15:04:59.42]: TRACE:  Remote Loader: Received command: SUBSCRIBER EXECUTE(4).
DirXML: [03/08/21 15:04:59.42]: TRACE:  Remote Loader: Calling SubscriptionShim.execute()
DirXML: [03/08/21 15:04:59.42]: TRACE:  <nds dtdversion="2.0">
	<input>
		<query class-name="User" event-id="0" scope="entry">
			<association>fd53c74c-86b3-4509-9bec-5a26fe6017c4</association>
			<read-attr attr-name="ArchiveStatus"/>
		</query>
	</input>
</nds>
DirXML: [03/08/21 15:04:59.42]: TRACE:  AzureAD: AZSubscriber.execute()
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD: Processing query 
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD: Sending command document to subscriber
DirXML: [03/08/21 15:04:59.43]: TRACE:  <nds dtdversion="4.x" ndsversion="8.x">
	<source>
		<product version="5.1.3.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<input>
		<driver-operation-data class-name="users" command="query">
			<request method="GET">
				<url-token api-version="?api-version=1.6" association="fd53c74c-86b3-4509-9bec-5a26fe6017c4"/>
				<header Content-Type="application/json"/>
				<value/>
			</request>
		</driver-operation-data>
	</input>
</nds>
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: sub-execute
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: queryHandler
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: queryHandler: class-name  == 'users'
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: Query: preparing GET to https://graph.windows.net/domain.onmicrosoft.com/users/fd53c74c-86b3-4509-9bec-5a26fe6017c4?api-version=1.6
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: Resetting headers
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: Setting the following HTTP request properties:
 Authorization: <content suppressed>
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure:  Content-Type:application/json
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: OAuth2: Token is valid.
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: OAuth2: Token is valid.
DirXML: [03/08/21 15:04:59.43]: TRACE:  AzureAD_Azure: Did a HTTP GET with 0 bytes of data to https://graph.windows.net/domain.onmicrosoft.com/users/fd53c74c-86b3-4509-9bec-5a26fe6017c4?api-version=1.6
DirXML: [03/08/21 15:04:59.61]: TRACE:  AzureAD_Azure: Response code and message: 200 OK
DirXML: [03/08/21 15:04:59.61]: TRACE:  AzureAD_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
DirXML: [03/08/21 15:04:59.61]: TRACE:  AzureAD: Received response document from subscriber
DirXML: [03/08/21 15:04:59.61]: TRACE:  <nds dtdversion="3.0">
	<source>
		<product build="20181130_1107" version="1.0.2.0">Identity Manager REST Driver</product>
		<contact>NetIQ Corporation.</contact>
	</source>
	<output>
		<status level="success" type="driver-general">
			<driver-operation-data class-name="users" command="query" dest-dn="">
				<response method="GET">
					<url-token api-version="?api-version=1.6" association="fd53c74c-86b3-4509-9bec-5a26fe6017c4"/>
					<header Content-Type="application/json"/>
					<value message="OK" status="200">{"odata.metadata":"https://graph.windows.net/domain.onmicrosoft.com/$metadata#directoryObjects/@Element","odata.type":"Microsoft.DirectoryServices.User","objectType":"User","objectId":"fd53c74c-86b3-4509-9bec-5a26fe6017c4",...graph API user attributes...,"userPrincipalName":"user@domain.com","userState":null,"userStateChangedOn":null,"userType":"Member"}</value>
				</response>
			</driver-operation-data>
		</status>
	</output>
</nds>
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD: Sending command document to subscriber
DirXML: [03/08/21 15:04:59.62]: TRACE:  <nds dtdversion="4.x" ndsversion="8.x">
	<source>
		<product version="5.1.3.0">NetIQ Identity Manager Driver for Azure AD and Office365</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<input>
		<driver-operation-data class-name="Users" command="query">
			<request method="GET">
				<url-token association="fd53c74c-86b3-4509-9bec-5a26fe6017c4"/>
				<header Content-Type="application/json"/>
				<value/>
			</request>
		</driver-operation-data>
	</input>
</nds>
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD_Exchange: sub-execute
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberRequest()
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD_Exchange: queryHandler
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD_Exchange: queryHandler: class-name  == 'Users'
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD_Exchange: Query: preparing GET to https://127.0.0.1:9001/ExchServer/domain.onmicrosoft.com/Users/fd53c74c-86b3-4509-9bec-5a26fe6017c4
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD_Exchange: Resetting headers
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD_Exchange: Setting the following HTTP request properties:
 Authorization: <content suppressed>
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD_Exchange:  Content-Type:application/json
DirXML: [03/08/21 15:04:59.62]: TRACE:  AzureAD_Exchange: Did a HTTP GET with 0 bytes of data to https://127.0.0.1:9001/ExchServer/domain.onmicrosoft.com/Users/fd53c74c-86b3-4509-9bec-5a26fe6017c4
DirXML: [03/08/21 15:05:00.67]: TRACE:  Remote Loader: Connection monitor thread waking up.
DirXML: [03/08/21 15:05:00.67]: TRACE:  Remote Loader: Connection monitor thread going to sleep.
DirXML: [03/08/21 15:05:00.88]: TRACE:  AzureAD_Exchange: Response code and message: 200 OK
DirXML: [03/08/21 15:05:00.88]: TRACE:  AzureAD_Exchange: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.ExchangeAPIExtension.modifySubscriberResponse()
DirXML: [03/08/21 15:05:00.88]: TRACE:  AzureAD: Received response document from subscriber
DirXML: [03/08/21 15:05:00.89]: TRACE:  <nds dtdversion="3.0">
	<source>
		<product build="20181130_1107" version="1.0.2.0">Identity Manager REST Driver</product>
		<contact>NetIQ Corporation.</contact>
	</source>
	<output>
		<status level="success" type="driver-general">
			<driver-operation-data class-name="Users" command="query" dest-dn="">
				<response method="GET">
					<url-token association="fd53c74c-86b3-4509-9bec-5a26fe6017c4"/>
					<header Content-Type="application/json"/>
					<value message="OK" status="200">{"Name":"user","objectId":"fd53c74c-86b3-4509-9bec-5a26fe6017c4","Alias":"user","DisplayName":"displayName","DynamicProperties":[{"Key":"IsSecurityPrincipal","Value":true},
						...a lot of key/value pairs...,
						{"Key":"ServerLegacyDN","Value":"/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=HE1P195MB0313"},
						...some more key/value pairs...,
						{"Key":"ArchiveStatus","Value":"None"},
						...and some more key/value pairs...],...other Exchange Attributes...,"UserPrincipalName":"user"}</value>
				</response>
			</driver-operation-data>
		</status>
	</output>
</nds>
DirXML: [03/08/21 15:05:00.89]: TRACE:  Remote Loader: SubscriptionShim.execute() returned:
DirXML: [03/08/21 15:05:00.89]: TRACE:  <nds dtdversion="2.0" ndsversion="8.x">
	<source>
		<product build="20200922_0411" instance="AzureAD" version="5.1.3.0">Identity Manager Driver for Azure AD and Office 365</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<instance class-name="User" event-id="0" src-dn="user@domain.com">
			<association state="associated">fd53c74c-86b3-4509-9bec-5a26fe6017c4</association>
			<attr attr-name="ArchiveStatus">
				<value>None</value>
			</attr>
		</instance>
		<status event-id="0" level="success"/>
	</output>
</nds>
Commodore

Hi,
this might not be your problem, but I had the same problem with a different attribute; it turned out it was filtered out because of a different case notation (the deprecated Office365 driver had a different capitalization than the new AzureAD driver; I was migrating from Office365 to AzureAD).
I can see in Microsoft's documentation that your notation is correct, but perhaps mine was also (I did not bother to check since it was working afterwards). I found the correct notation by checking existing policies in the new driver.
If anyone wants to know, the attribute was "immutable" something; as I know there are at least two immutable attributes, I'd rather not guess.
Knowledge Partner

ImmutableId changed case because in your old system you were referring to the attribute using PowerShell (ExchangeOnline schema) and in the new system using the Graph API (AzureAD schema). This is also described here:

https://www.netiq.com/documentation/identity-manager-48-drivers/msazure_ad/data/data-transfer-between-systems.html

The Exchange schema uses a different casing than the Azure AD schema where the first character of an Exchange schema attribute is uppercase, which is lowercase in Azure AD schema.

In my case I am using an ExchangeOnline attribute. Also, I have not changed the default AzureAD driver schema mapping, so the attribute name is unchanged.

Knowledge Partner

Could this be an option that is only supported when the driver is in Hybrid mode?

Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Interesting question. I have just checked another customer, running AzureAD in hybrid mode (almost no customizations of the driver), and there are no DirXML-AADLegacyExchangeDN values on users.

Knowledge Partner

Information about ServerLegacyDN here; it is just "excluded" from the "small" list of attributes returned by the PowerShell command "by default":

RecipientTypeDetails : UserMailbox
SamAccountName : admin547592075647085
ServerLegacyDN : /o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=YTOPR0101MB162
ServerName : ytopr0101mb162

Without a special parameter in the query, EXO returns info for only 12 attributes out of the available 108.

Knowledge Partner

@al_b I am aware of the new parameter set behaviour in the Get-EXOMailbox cmdlet.

However, I was pretty sure that Micro Focus has just adapted auth to use the new AppID mechanism and the new ExchangeOnline v2 module. When it comes to actual cmdlets, I believe that Micro Focus is still using the Get-Mailbox cmdlet, and that cmdlet still works the same way as it did before.

The various property sets in the new cmdlet are defined here: Property sets in Exchange Online PowerShell V2 cmdlets | Microsoft Docs. And yes, ServerLegacyDN is part of that minimum/default property set.

My understanding was that *-EXO* cmdlets are supposed to be entirely opt-in. Existing scripts should continue to run as they did before against the older cmdlet.

However, I believe there is something to what you are saying, as there is some filtering occurring during startup where the shim queries for a list of queryable properties for this cmdlet. That list is used to determine what should be queried via GraphAPI and what should be queried via out later

That specific response list lacks ServerLegacyDN, and that is why the shim later filters it out. This seems to me to be a bug.

Much of the above information comes directly from discovery collected by @Sebastijan, so all kudos should go to him.

Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

As @Alex McHugh mentioned, as part of driver startup the shim makes a call to the Exchange service for the schema:

https://127.0.0.1:9001/ExchServer/<domain>.onmicrosoft.com/schema

The Exchange service then probably queries for a list of queryable properties for the supported cmdlet (approx. 30) and returns that to the shim.

I *assume* that ServerLegacyDN is filtered by the shim because it is not returned in the Exchange service schema JSON. (returned JSON attached)

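To make the thread's hypothesis concrete, here is an added example (not the NetIQ driver's code) that mimics the QueryHandler decision: a read-attr that appears in neither the Graph attribute list nor the Exchange service schema is dropped before any backend call, which is why the ServerLegacyDN query above never reaches the Exchange service while ArchiveStatus does. The Graph list, the layout of the schema JSON (the "properties" key) and the association value are constructed assumptions; the last function is the check a practitioner would run against the real schema response to find driver filter attributes that will be silently dropped.

```python
import json
import xml.etree.ElementTree as ET

# Constructed stand-in for the attribute list the shim uses for the Graph side.
GRAPH_ATTRS = {"objectId", "userPrincipalName", "displayName", "mail"}

# Constructed stand-in for the Exchange service schema JSON fetched at startup
# from .../ExchServer/<domain>.onmicrosoft.com/schema. The real layout is not
# shown in the thread, so the key name "properties" is an assumption.
# ServerLegacyDN is deliberately absent, matching what the thread observes.
EXCHANGE_SCHEMA_JSON = json.dumps({
    "properties": ["Alias", "ArchiveStatus", "DisplayName", "RecipientTypeDetails"]
})

def load_exchange_schema(schema_json):
    """Parse the (assumed) schema document into a set of queryable property names."""
    return set(json.loads(schema_json)["properties"])

def make_query(attr_name, association="ASSOCIATION-GUID"):
    """Build a minimal subscriber <query> document like the one in the RL trace."""
    return (
        '<nds dtdversion="2.0"><input>'
        '<query class-name="User" event-id="0" scope="entry">'
        f"<association>{association}</association>"
        f'<read-attr attr-name="{attr_name}"/>'
        "</query></input></nds>"
    )

def plan_query(query_xml, graph_attrs, exchange_attrs):
    """Mimic the QueryHandler decision for one query document.
    Returns (kept, filtered, backends): surviving read-attrs, dropped ones, and
    the backends called. The Graph GET is always issued; the Exchange call is
    only added when a surviving attribute needs it."""
    query = ET.fromstring(query_xml).find("./input/query")
    class_name = query.get("class-name")
    kept, filtered, backends = [], [], ["Azure"]
    for read_attr in query.findall("read-attr"):
        name = read_attr.get("attr-name")
        if name in graph_attrs:
            kept.append(name)
        elif name in exchange_attrs:
            kept.append(name)
            if "Exchange" not in backends:
                backends.append("Exchange")
        else:
            filtered.append(name)
            print(f"QueryHandler: Filtering out read attribute '{name}' for class {class_name}.")
    return kept, filtered, backends

def unreadable_filter_attrs(filter_attrs, graph_attrs, exchange_attrs):
    """Driver filter attributes that will be silently dropped from every query."""
    known = graph_attrs | exchange_attrs
    return sorted(a for a in filter_attrs if a not in known)

if __name__ == "__main__":
    exchange_attrs = load_exchange_schema(EXCHANGE_SCHEMA_JSON)
    for attr in ("ServerLegacyDN", "ArchiveStatus"):
        print(attr, plan_query(make_query(attr), GRAPH_ATTRS, exchange_attrs))
    print("unreadable:", unreadable_filter_attrs(
        ["ArchiveStatus", "ServerLegacyDN"], GRAPH_ATTRS, exchange_attrs))
```

Feeding the real schema JSON from the startup call into load_exchange_schema (after adjusting the key name to its actual layout) and the driver's filter attributes into unreadable_filter_attrs shows, without a full trace, which attributes the shim will refuse to read.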