[midPoint] Provisioning two steps with a delay (Hybrid Exchange)
Jason Everling
jeverling at bshp.edu
Thu Jun 14 02:34:58 CEST 2018
I had created a PowerShell script that ran every hour to find unlicensed users in O365 and then activate them with an appropriate license based on OU, group or attribute. Worked this way for many years.
As Davy pointed out, now since Azure AD group based licensing came into the picture that has since gone away. The only thing I didn't realise in the beginning was that it did not work with nested groups; the user must be a direct member. It has actually worked out better.
Jason
________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Sylvaire kevin TIPA <sylvaire-kevin.tipa at mythalesgroup.io>
Sent: Wednesday, June 13, 2018 3:28:40 PM
To: midPoint General Discussion
Subject: Re: [midPoint] Provisioning two steps with a delay (Hybrid Exchange)
Hello,
I think yes; in my case we generate a certificate for each new user after their creation in AD. That means that the user needs to exist before calling the PowerShell script which will create the certificate.
We use this script under the resource tag.
- Operation specifies that the script is executed on user add
- And order permits doing this after
<scripts>
    <script>
        <host>resource</host>
        <language>powershell</language>
        <argument>
            <c:path xsi:type="t:ItemPathType">$user/name</c:path>
            <name>identity</name>
        </argument>
        <code>powershell "D:\midpoint\create-certificate\create-certificate.ps1 $identity"</code>
        <operation>add</operation>
        <kind>account</kind>
        <order>after</order>
    </script>
</scripts>
If I remember the changelog, in the latest version you have more options to make the result of this script critical or not.
Regards,
Sylvaire-Kevin TIPA
Thales Services / OIC / DevOps Automatisation Infrastructures
THALES SERVICES SAS
44 Quai Charles de Gaulle
CS 20100
69463 Lyon Cedex 06
www.thalesgroup.com
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On behalf of Devin Rosenbauer
Sent: Wednesday, June 13, 2018 22:12
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: [midPoint] Provisioning two steps with a delay (Hybrid Exchange)
Good afternoon,
I'm in the training with Ivan and he suggested I send this off to the mailing list. The situation, which has come up several times in my corporate Oracle IDM projects, is Microsoft's Exchange hybrid installation mode <https://technet.microsoft.com/en-us/library/jj200581(v=exchg.150).aspx>.
An account is created in local Active Directory and flagged as a remote mail user. This is typically done with PowerShell. A scheduled Microsoft process runs on the domain controller (every 30 minutes by default) that creates or updates an Azure AD account and O365 mailbox for remote mail users in the cloud. This process is called DirSync.
After DirSync runs, we need to provision a license for the user in O365. This is done either via the Graph REST API or via another set of PowerShell commands. The license setup cannot be run before DirSync because the user doesn't exist in O365 yet.
Here's how I've resolved this in OIM: After the AD PowerShell commands, I set a flag on the user in OIM to mark them as needing a license. A custom scheduled job (just some Java code) in OIM attempts to provision the license for each user with the flag set. If the license is successfully added, the user is un-flagged. If the license is NOT successfully added, the user retains the flag and we try again.
Could something like this be done in midPoint?
--
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201
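The flag-and-retry licensing job Devin describes, modelled as an added example (not midPoint's, OIM's or Microsoft's code): in-memory dicts stand in for the identity store and the O365 tenant, and the bounded retry count that surfaces stuck users is an added assumption, not part of the original design.

```python
"""Two-step provisioning with a delay: flag after the AD step, license after DirSync."""
from dataclasses import dataclass


@dataclass
class User:
    upn: str
    needs_license: bool = False  # set at the end of the AD PowerShell step
    attempts: int = 0


class O365Tenant:
    """Constructed stand-in for the cloud directory that DirSync populates."""

    def __init__(self):
        self.accounts = {}  # upn -> set of assigned SKUs

    def dirsync(self, upns):
        """Simulates the 30-minute DirSync cycle creating cloud accounts."""
        for upn in upns:
            self.accounts.setdefault(upn, set())

    def assign_license(self, upn, sku):
        if upn not in self.accounts:
            raise LookupError(f"{upn} not yet synchronised")
        self.accounts[upn].add(sku)  # idempotent: re-running never double-licenses


def license_job(users, tenant, sku, max_attempts=10):
    """One run of the scheduled job. Unflags a user only when licensing succeeds.
    Returns (licensed, deferred, given_up) lists of UPNs."""
    licensed, deferred, given_up = [], [], []
    for u in users:
        if not u.needs_license:
            continue
        u.attempts += 1
        try:
            tenant.assign_license(u.upn, sku)
        except LookupError:
            # DirSync has not run yet: keep the flag, but stop retrying forever
            (given_up if u.attempts >= max_attempts else deferred).append(u.upn)
            continue
        u.needs_license = False
        licensed.append(u.upn)
    return licensed, deferred, given_up


def demo(sku="tenant:ENTERPRISEPACK"):
    """Runs the job before and after DirSync for two constructed users."""
    users = [User("alice@example.com", True), User("bob@example.com", True)]
    tenant = O365Tenant()
    before = license_job(users, tenant, sku)   # cloud accounts absent: all deferred
    tenant.dirsync([u.upn for u in users])
    after = license_job(users, tenant, sku)    # now every flagged user gets licensed
    return before, after, license_job(users, tenant, sku)
```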