1.1 Understanding How the Driver Works

The following figure shows the data flow between Identity Manager and the Azure AD driver:

Azure AD Driver

The Azure AD driver allows you to seamlessly provision and deprovision users, group memberships, exchange mailboxes, roles, and licenses to Azure AD (cloud). The driver synchronizes the user identity information between the Identity Vault and Azure AD and keeps this information consistent at all times.

Identity Manager Service for Exchange Online

The Azure AD driver uses the Identity Manager Exchange Service to provision or deprovision user mailboxes, mail users, create or remove distribution lists and security groups on Office 365 Exchange Online. For more information on configuring the service, see Section 7.0, Understanding Identity Manager Exchange Service.

PowerShell

The Azure AD driver uses PowerShell for executing Exchange operations such as creation of Exchange mailbox, mail users, and groups.

Internet Protocols

The Azure AD driver uses the following Internet protocols to exchange data between Identity Manager and Azure AD.

  • REST (Representational State Transfer): An HTTP-based protocol for exchanging messages over the network. It supports POST, PUT, GET, PATCH, DELETE methods to communicate with the application logic.

  • HTTPS (Hypertext Transfer Protocol): An HTTP protocol over SSL (Secure Socket Layer) as a sub-layer under the regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the web server.

    Azure AD processes a request and returns a REST response to the driver shim. The shim receives the response as an array of bytes and converts it to an XML document before passing it back to the driver policies. The input transformation style sheet processes the response and converts it into appropriate XDS that is reported back to the Identity Manager engine.

Identity Manager Engine

The Identity Manager engine uses XDS, a specialized form of XML (Extensible Markup Language), to represent events in the Identity Vault. Identity Manager passes the XDS to the driver policy which can consist of basic policies, DirXML Script, and XSLT (Extensible Stylesheet Language Transformation) style sheets. The Azure AD driver uses REST protocol to handle the HTTP transport of data between the Identity Vault and Azure AD.

The Subscriber channel receives XDS command documents from the Identity Manager engine, converts them to Azure AD API (Application Program Interface) calls, and executes them. The driver shim translates the XDS to XML payload on the Subscriber channel and then invokes the appropriate REST endpoints exposed by Azure AD for Object CRUD (Create, Read, Update, and Delete) operations.

Remote Loader

A Remote Loader enables a driver shim to execute outside of the Identity Manager engine, remotely on a different machine. The Remote Loader passes the information between the shim and the Identity Manager engine.

For the Azure AD driver, you can choose to install the driver shim on the server where the Remote Loader is running.