1.3 Driver Features

The Azure AD driver supports the following features:

1.3.1 Supported Operations

By default, the Azure AD driver synchronizes user and group objects, and Exchange mailboxes. You can customize the driver to synchronize additional classes and attributes. The driver supports the following operations on the Publisher channel:

  • Add, Modify, Delete, and Query operations.

  • Migrate operation only through Azure AD attributes. Exchange attributes are not supported for migration.

The following Exchange groups can be added through the Publisher channel:

  • Office 365 Group

  • Distribution Group

  • Security Group

NOTE: You need to write a policy to set a value for Equivalent to Me while modifying a group membership.

The driver supports the following operations on the Subscriber channel:

  • Add, Modify, Delete, Migrate, and Query operations on users and groups.

  • Add or delete licenses only on user objects.

  • Set or reset a password only on user objects.

  • Execute PowerShell cmdlets using policies.

  • Assign or revoke roles and licenses in hybrid mode.

The following Exchange groups can be added through the Subscriber channel:

  • Distribution Group

  • Security Group

1.3.2 Schema Extension

The Azure AD driver allows you to extend the Azure AD schema to include different types of attributes such as Integer, Boolean, and String using the driver parameters. For example, you can add, remove, or change extension attributes on a user or a group class with the allowed attribute types. For more information, see the Microsoft website.

1.3.3 License Handling

In the Office 365 driver, you created custom licenses to disable specific service plans. For example, to disable Office 365 ProPlus from your enterprise plan, you specified this string in the driver configuration: OFFICESUBSCRIPTION. For more information, see the NetIQ Identity Manager Driver for Office 365 Implementation Guide.

In the Azure AD driver, license handling is simplified. The driver lists all the available service plans for your subscription in Catalog Administrator. Each service plan can be individually assigned or revoked for a user through the License Entitlement resource. For example, if you want to assign only Office 365 ProPlus to a user, select OFFICESUBSCRIPTION from the list of service plans. The driver also supports assigning or revoking multiple plans to a user.

1.3.4 Hybrid Mode

The following figure shows the hybrid mode deployment scenario:

In this deployment, Azure AD Connect integrates on-premises Active Directory with Azure Active Directory. Azure Active Directory does not allow modifications on user and group objects that were synchronized through Azure AD Connect. However, it allows you to provision roles and licenses to the users. To accomplish this, you must deploy an Azure AD driver in hybrid mode. To synchronize identities from the Identity Vault to on-premises Active Directory, you must have an AD driver in your environment.

NOTE: Driver version 5.0.1 supports group membership entitlement and Exchange role entitlement in hybrid mode. For more information, see What’s New in Version 5.0.1.

To provision roles and licenses, set the driver to hybrid mode in Designer or iManager. For more information, see Configuring the Driver.

The driver performs the following actions when operating in a hybrid mode:

  • When a user is provisioned to AD through the AD driver's user account entitlements and the user is synchronized to Azure AD through Azure AD Connect, the driver updates the user association in the Identity Vault.

  • When a user is deleted from Azure AD, the driver removes the association for the user from the Identity Vault.

  • When a user is granted or revoked roles or licenses through entitlements, the driver grants or revokes roles or licenses after an association is created for the user.

  • When an account entitlement is revoked for a user in AD, the driver removes the association for the user from the Identity Vault.

NOTE: You cannot add users, delete users, or modify user attributes through the Publisher channel when you operate the Azure AD driver in hybrid mode. However, the Azure AD driver will update the associations accordingly.

In hybrid mode, the AD driver's account tracking takes precedence over the Azure AD driver. Password synchronization to the Identity Vault is handled by the AD driver in hybrid mode.

1.3.5 Entitlements

The Azure AD driver supports entitlements. By default, it supports UserAccount, Group, Licenses, and Roles entitlements.

When using entitlements, an action such as provisioning an account in the target directory is delayed until the proper approvals have been made. In Role-Based Services, rights assignments are made based on attributes of a user object. Entitlements standardize a method of recording this information on objects in the Identity Vault. From the driver perspective, an entitlement grants or revokes the right to resources in Azure AD. You can use entitlements to grant the rights to an account in Azure AD, to control group membership, roles, and licenses.