[midPoint] Provisioning two steps with a delay (Hybrid Exchange)
Devin Rosenbauer
devin at identityworksllc.com
Wed Jun 13 22:12:03 CEST 2018
Good afternoon,
I'm in the training with Ivan and he suggested I sent this off to the
mailing list. The situation, which has come up several times in my
corporate Oracle IDM projects, is Microsoft's Exchange hybrid installation
mode
<https://technet.microsoft.com/en-us/library/jj200581(v=exchg.150).aspx>.
An account is created in local Active Directory and flagged as a remote
mail user. This is typically done with PowerShell. A scheduled Microsoft
process runs on the domain controller (every 30 minutes by default) that
creates or updates an Azure AD account and O365 mailbox for remote mail
users in the cloud. This process is called DirSync.
*After* DirSync runs, we need to provision a license for the user in O365.
This is done either via the Graph REST API or via another set of PowerShell
commands. The license setup cannot be run before DirSync because the user
doesn't exist in O365 yet.
Here's how I've resolved this in OIM: After the AD PowerShell commands, I
set a flag on the *user* in OIM to mark them as needing a license. A custom
scheduled job (just some Java code) in OIM attempts to provision the
license for the each user with the flag set. If the license is successfully
added, the user is un-flagged. If the license is NOT successfully added,
the user retains the flag and we try again.
Could something like this be done in Midpoint?
--
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180613/6908ead2/attachment.htm>
More information about the midPoint
mailing list