[midPoint] Provisioning two steps with a delay (Hybrid Exchange)

Devin Rosenbauer devin at identityworksllc.com
Thu Jun 14 16:58:59 CEST 2018


Thanks for the responses, everyone!

That's a good idea, to use the LiveSync against O365. The trouble is that
as far as the Exchange system is concerned, the cloud and on-premises
accounts are one single account in two places. That may not be the best way
to manage those in an identity manager though.

I do like the idea of using the group-based license sync. However, in
practice I've found that feature to be still quite buggy. It's a very new
feature. Licenses are sometimes not assigned when the group synchronization
happens. There can be a considerable delay before Microsoft reprocesses and
there's no clear indication that it's finished.

There's a second use case, though, for which the group-based sync won't
work. Some clients require that we also set some other attributes on the
Mailbox (in the cloud, after dirsync), such as retention policy. You can
set up defaults for these in O365, but they prefer different settings for
different users. They're also assigning access rights on the mailbox to a
data-loss prevention type system. I don't know if there's a way to do this
in Azure directly, but that's not been the case at our other installations.



On Thu, Jun 14, 2018 at 2:33 AM, Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

> Hi,
>
> Yes, exactly the same thing can be done. Our AD connector supports
> powershell scripts. And you can also have a custom task. Either use bulk
> task with a script action. Or just create a completely custom TaskHandler
> in Java (e.g. using maven overlay).
>
> However, I think midPoint can be much smarter than OIM here. Is there a
> way how to livesync or reconcile that O365 instance? Maybe you can
> livesync, link the account, then use outbound mapping or provisioning
> scripts to provision the license.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 06/13/2018 10:12 PM, Devin Rosenbauer wrote:
>
> Good afternoon,
>
> I'm in the training with Ivan and he suggested I sent this off to the
> mailing list. The situation, which has come up several times in my
> corporate Oracle IDM projects, is Microsoft's Exchange hybrid
> installation mode
> <https://technet.microsoft.com/en-us/library/jj200581%28v=exchg.150%29.aspx>.
>
> An account is created in local Active Directory and flagged as a remote
> mail user. This is typically done with PowerShell. A scheduled Microsoft
> process runs on the domain controller (every 30 minutes by default) that
> creates or updates an Azure AD account and O365 mailbox for remote mail
> users in the cloud. This process is called DirSync.
>
> *After* DirSync runs, we need to provision a license for the user in
> O365. This is done either via the Graph REST API or via another set of
> PowerShell commands. The license setup cannot be run before DirSync because
> the user doesn't exist in O365 yet.
>
> Here's how I've resolved this in OIM: After the AD PowerShell commands, I
> set a flag on the *user* in OIM to mark them as needing a license. A
> custom scheduled job (just some Java code) in OIM attempts to provision the
> license for each user with the flag set. If the license is successfully
> added, the user is un-flagged. If the license is NOT successfully added,
> the user retains the flag and we try again.
>
> Could something like this be done in Midpoint?
>
>
> --
> Devin Rosenbauer
> Principal Consultant
> Identity Works LLC
> +1 585 210 3201
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>


-- 
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201
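The flag-and-retry job described in the quoted post, as an added example that is not part of the thread and not midPoint's or OIM's code. It is written for the Microsoft Graph PowerShell SDK, which is newer than this 2018 thread (the MSOnline cmdlets of the time had the same shape); the queue file (upn,sku,attempts), the ENTERPRISEPACK SKU, the default usage location, the retry cap and the example UPN are assumptions. It does what the OIM job does, plus three checks a practitioner would want: it refuses to license a cloud-only account that merely shares the UPN with the pending on-premises user, it sets UsageLocation first because Graph rejects license assignment without one, and it skips the assignLicense call when the SKU is already present so a rerun after a partial failure is idempotent.

```powershell
# Added example, not code from this thread, from midPoint or from OIM: a
# scheduled "license after DirSync" job using the Microsoft Graph PowerShell
# SDK. Queue file format, SKU name, default UsageLocation, retry cap and the
# sample UPN are assumptions for the example.
#
# Per flagged user: if the synced cloud account is not there yet, keep the flag;
# otherwise set UsageLocation if missing, assign the SKU, and clear the flag
# only on success. Failures stay queued and are retried on the next run until
# a cap is hit, then reported for manual review instead of retried forever.

param(
    [string]$QueuePath            = ".\license-queue.csv",  # assumed: upn,sku,attempts
    [int]   $MaxAttempts          = 12,                     # 12 runs x 30 min DirSync = 6 h
    [string]$DefaultUsageLocation = "US"                    # assumed tenant default
)

# Constructed sample queue so the script runs end to end on a first try.
if (-not (Test-Path $QueuePath)) {
    "upn,sku,attempts`njdoe@example.com,ENTERPRISEPACK,0" | Set-Content -Path $QueuePath
}

# Least privilege: run as an app registration holding only these scopes, not
# as a global admin. User.ReadWrite.All covers UsageLocation and assignLicense;
# Organization.Read.All is needed to read the tenant's subscribed SKUs.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

# Resolve SKU part numbers (e.g. ENTERPRISEPACK) to SkuId GUIDs once per run.
$skuById = @{}
Get-MgSubscribedSku | ForEach-Object { $skuById[$_.SkuPartNumber] = $_.SkuId }

$remaining = @()   # rows that keep the flag and are written back at the end

foreach ($row in (Import-Csv -Path $QueuePath)) {
    $attempts = if ($row.attempts) { [int]$row.attempts + 1 } else { 1 }
    $keep = [pscustomobject]@{ upn = $row.upn; sku = $row.sku; attempts = $attempts }

    if ($attempts -gt $MaxAttempts) {
        Write-Warning "$($row.upn): still unlicensed after $MaxAttempts runs, needs manual review"
        $remaining += $keep
        continue
    }

    # 1. Has DirSync created the cloud account yet? Also require that the object
    #    is the synced one, so a cloud-only account with the same UPN (stale or
    #    attacker-created) does not receive the license meant for this user.
    $user = Get-MgUser -UserId $row.upn `
        -Property Id, UsageLocation, AssignedLicenses, OnPremisesSyncEnabled `
        -ErrorAction SilentlyContinue
    if (-not $user -or -not $user.OnPremisesSyncEnabled) {
        Write-Verbose "$($row.upn): not synced yet, keeping flag (attempt $attempts)"
        $remaining += $keep
        continue
    }

    try {
        $skuId = $skuById[$row.sku]
        if (-not $skuId) { throw "unknown SKU part number '$($row.sku)'" }

        # 2. Graph rejects assignLicense when UsageLocation is empty.
        if (-not $user.UsageLocation) {
            Update-MgUser -UserId $user.Id -UsageLocation $DefaultUsageLocation -ErrorAction Stop
        }

        # 3. Idempotent: a rerun after a partial failure must not fail on a
        #    license that is already assigned.
        if ($user.AssignedLicenses.SkuId -notcontains $skuId) {
            Set-MgUserLicense -UserId $user.Id `
                -AddLicenses @(@{ SkuId = $skuId }) -RemoveLicenses @() `
                -ErrorAction Stop | Out-Null
        }
        Write-Host "$($row.upn): licensed with $($row.sku), flag cleared"
        # Success: the row is not written back, which is the "un-flag" step.
    }
    catch {
        # Transient (throttling, replication lag) or policy failure: keep the
        # flag, retry next run, and surface the reason in the job log.
        Write-Warning "$($row.upn): license assignment failed: $($_.Exception.Message); will retry"
        $remaining += $keep
    }
}

if ($remaining.Count -gt 0) {
    $remaining | Export-Csv -Path $QueuePath -NoTypeInformation
} else {
    "upn,sku,attempts" | Set-Content -Path $QueuePath   # empty queue, header only
}
```

Run it from the same scheduler that drives the identity manager's reconciliation, roughly on the DirSync cadence. The same shape covers the second use case in the reply above (per-user retention policy and mailbox access rights): once Get-MgUser confirms the synced account exists, an Exchange Online session can apply Set-Mailbox -RetentionPolicy and Add-MailboxPermission to the now-existing mailbox, with the row staying flagged until those calls succeed as well.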