[midPoint] Provisioning two steps with a delay (Hybrid Exchange)

Radovan Semancik radovan.semancik at evolveum.com
Thu Jun 14 08:33:20 CEST 2018


Hi,

Yes, exactly the same thing can be done. Our AD connector supports 
PowerShell scripts. And you can also have a custom task. Either use a bulk 
task with a script action, or just create a completely custom 
TaskHandler in Java (e.g. using a Maven overlay).

However, I think midPoint can be much smarter than OIM here. Is there a 
way to livesync or reconcile that O365 instance? Maybe you can 
livesync, link the account, then use outbound mapping or provisioning 
scripts to provision the license.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 06/13/2018 10:12 PM, Devin Rosenbauer wrote:
> Good afternoon,
>
> I'm in the training with Ivan and he suggested I send this off to the 
> mailing list. The situation, which has come up several times in my 
> corporate Oracle IDM projects, is Microsoft's Exchange hybrid 
> installation mode 
> <https://technet.microsoft.com/en-us/library/jj200581%28v=exchg.150%29.aspx>.
>
> An account is created in local Active Directory and flagged as a 
> remote mail user. This is typically done with PowerShell. A scheduled 
> Microsoft process runs on the domain controller (every 30 minutes by 
> default) that creates or updates an Azure AD account and O365 mailbox 
> for remote mail users in the cloud. This process is called DirSync.
>
> /After/ DirSync runs, we need to provision a license for the user in 
> O365. This is done either via the Graph REST API or via another set of 
> PowerShell commands. The license setup cannot be run before DirSync 
> because the user doesn't exist in O365 yet.
>
> Here's how I've resolved this in OIM: After the AD PowerShell 
> commands, I set a flag on the /user/ in OIM to mark them as needing a 
> license. A custom scheduled job (just some Java code) in OIM attempts 
> to provision the license for each user with the flag set. If the 
> license is successfully added, the user is un-flagged. If the license 
> is NOT successfully added, the user retains the flag and we try again.
>
> Could something like this be done in Midpoint?
>
>
> -- 
> Devin Rosenbauer
> Principal Consultant
> Identity Works LLC
> +1 585 210 3201
>
>
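The flag-and-retry job described in the quoted post, as an added simulation in Python rather than OIM's or midPoint's own code: the O365 side is a constructed stand-in that rejects users DirSync has not yet created, the license check before assignment keeps a re-run from licensing twice, and the attempt cap with operator escalation is an assumption not in the post.

```python
"""Two-step provisioning with a delay: flag the user, retry licensing until
DirSync has created the O365 account (constructed simulation, not real APIs)."""
from dataclasses import dataclass, field


class NotSyncedYet(Exception):
    """The user is not in O365 yet, so DirSync has not run for them."""


@dataclass
class FakeO365:
    """Stand-in for the Graph/PowerShell license calls (constructed)."""
    synced: set = field(default_factory=set)    # UPNs DirSync has created
    licensed: set = field(default_factory=set)  # UPNs already holding a license

    def has_license(self, upn):
        if upn not in self.synced:
            raise NotSyncedYet(upn)
        return upn in self.licensed

    def add_license(self, upn):
        if upn not in self.synced:
            raise NotSyncedYet(upn)
        self.licensed.add(upn)


@dataclass
class FlagStore:
    """The 'needs license' flag kept on the IDM user, with an attempt counter."""
    needs_license: dict = field(default_factory=dict)  # upn -> attempts so far


def provision_licenses(store, o365, max_attempts=48):
    """One scheduled run: try every flagged user, clear the flag only on success.
    Returns (licensed_now, retry_later, escalated)."""
    done, retry, escalated = [], [], []
    for upn in list(store.needs_license):
        try:
            if not o365.has_license(upn):   # idempotent: skip if already licensed
                o365.add_license(upn)
            del store.needs_license[upn]    # un-flag only after a confirmed success
            done.append(upn)
        except NotSyncedYet:
            store.needs_license[upn] += 1   # flag stays set; DirSync has not run yet
            if store.needs_license[upn] >= max_attempts:
                escalated.append(upn)       # assumed cap: leave flagged for an operator
            else:
                retry.append(upn)
    return done, retry, escalated
```

With the default cap of 48 attempts and a 30-minute DirSync cycle, a user that never appears in O365 is escalated after about a day instead of being retried forever.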

