[midPoint] Provisioning two steps with a delay (Hybrid Exchange)

Davy Priem davy.priem at vives.be
Wed Jun 13 22:20:36 CEST 2018


Good evening here,

Why don’t you use an O365 group to assign the license? You can control this group membership using midPoint and let DirSync sync it to the cloud. See https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal

Best regards,
Davy Priem
Coordinator, IT technical management

Hogeschool VIVES | IT Department
Doorniksesteenweg 145 | 8500 Kortrijk
tel. +32 56 27 05 61
e-mail davy.priem at vives.be

On 13 Jun 2018, at 22:12, Devin Rosenbauer <devin at identityworksllc.com> wrote:

Good afternoon,

I'm in the training with Ivan and he suggested I send this off to the mailing list. The situation, which has come up several times in my corporate Oracle IDM projects, is Microsoft's Exchange hybrid installation mode<https://technet.microsoft.com/en-us/library/jj200581(v=exchg.150).aspx>.

An account is created in local Active Directory and flagged as a remote mail user. This is typically done with PowerShell. A scheduled Microsoft process runs on the domain controller (every 30 minutes by default) that creates or updates an Azure AD account and O365 mailbox for remote mail users in the cloud. This process is called DirSync.

After DirSync runs, we need to provision a license for the user in O365. This is done either via the Graph REST API or via another set of PowerShell commands. The license setup cannot be run before DirSync because the user doesn't exist in O365 yet.

Here's how I've resolved this in OIM: After the AD PowerShell commands, I set a flag on the user in OIM to mark them as needing a license. A custom scheduled job (just some Java code) in OIM attempts to provision the license for each user with the flag set. If the license is successfully added, the user is un-flagged. If the license is NOT successfully added, the user retains the flag and we try again.

Could something like this be done in Midpoint?


--
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
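The two-step flow Devin describes (create the remote mail user and flag it, wait for DirSync, then have a recurring job retry the license assignment and clear the flag only on success) as an added example in Python. This is not code from the thread, midPoint or OIM: `LocalAD`, `CloudTenant`, `run_dirsync`, `assign_license` and `license_job` are constructed in-memory stand-ins for the directory, the tenant, the scheduled sync and the Graph/PowerShell license call.

```python
"""Constructed simulation of the flag-and-retry licensing pattern.

LocalAD stands in for on-premises Active Directory (plus the IDM flag),
CloudTenant for Azure AD / O365, run_dirsync for the scheduled DirSync
export, and license_job for the recurring job that retries licensing.
"""
from dataclasses import dataclass, field


@dataclass
class LocalAD:
    remote_mail_users: set = field(default_factory=set)
    needs_license: set = field(default_factory=set)  # the flag from the thread


@dataclass
class CloudTenant:
    accounts: set = field(default_factory=set)
    licenses: dict = field(default_factory=dict)  # upn -> assigned SKU


def create_remote_mail_user(ad: LocalAD, upn: str) -> None:
    """Step 1: create the AD account as a remote mail user and flag it."""
    ad.remote_mail_users.add(upn)
    ad.needs_license.add(upn)


def run_dirsync(ad: LocalAD, cloud: CloudTenant) -> None:
    """Stand-in for the scheduled DirSync export (every 30 min by default)."""
    cloud.accounts |= ad.remote_mail_users


def assign_license(cloud: CloudTenant, upn: str, sku: str) -> bool:
    """Stand-in for the Graph / PowerShell license call. It fails when the
    cloud account does not exist yet, which is the race the thread describes."""
    if upn not in cloud.accounts:
        return False
    cloud.licenses[upn] = sku
    return True


def license_job(ad: LocalAD, cloud: CloudTenant, sku: str) -> dict:
    """Step 2: try every flagged user; clear the flag only on success so a
    user whose account has not synced yet is retried on the next run."""
    outcome = {}
    for upn in sorted(ad.needs_license):  # iterate a copy; the set is mutated
        ok = assign_license(cloud, upn, sku)
        outcome[upn] = ok
        if ok:
            ad.needs_license.discard(upn)
    return outcome
```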
