[midPoint] Provisioning two steps with a delay (Hybrid Exchange)
Radovan Semancik
radovan.semancik at evolveum.com
Thu Jun 14 08:33:20 CEST 2018
Hi,
Yes, exactly the same thing can be done. Our AD connector supports
powershell scripts. And you can also have a custom task. Either use bulk
task with a script action. Or just create a completely custom
TaskHandler in Java (e.g. using maven overlay).
However, I think midPoint can be much smarter than OIM here. Is there a
way how to livesync or reconcile that O365 instance? Maybe you can
livesync, link the account, then use outbound mapping or provisioning
scripts to provision the license.
--
Radovan Semancik
Software Architect
evolveum.com
On 06/13/2018 10:12 PM, Devin Rosenbauer wrote:
> Good afternoon,
>
> I'm in the training with Ivan and he suggested I sent this off to the
> mailing list. The situation, which has come up several times in my
> corporate Oracle IDM projects, is Microsoft's Exchange hybrid
> installation mode
> <https://technet.microsoft.com/en-us/library/jj200581%28v=exchg.150%29.aspx>.
>
> An account is created in local Active Directory and flagged as a
> remote mail user. This is typically done with PowerShell. A scheduled
> Microsoft process runs on the domain controller (every 30 minutes by
> default) that creates or updates an Azure AD account and O365 mailbox
> for remote mail users in the cloud. This process is called DirSync.
>
> /After/ DirSync runs, we need to provision a license for the user in
> O365. This is done either via the Graph REST API or via another set of
> PowerShell commands. The license setup cannot be run before DirSync
> because the user doesn't exist in O365 yet.
>
> Here's how I've resolved this in OIM: After the AD PowerShell
> commands, I set a flag on the /user/ in OIM to mark them as needing a
> license. A custom scheduled job (just some Java code) in OIM attempts
> to provision the license for the each user with the flag set. If the
> license is successfully added, the user is un-flagged. If the license
> is NOT successfully added, the user retains the flag and we try again.
>
> Could something like this be done in Midpoint?
>
>
> --
> Devin Rosenbauer
> Principal Consultant
> Identity Works LLC
> +1 585 210 3201
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180614/70b725fa/attachment.htm>
More information about the midPoint
mailing list