1.2 Driver Concepts

1.2.1 Office 365 Driver Shim

The driver shim converts the XML-based Identity Manager command and event language (XDS) to the protocols and API calls needed to interact with Office 365. The shim for Office 365 is DXMLMSOnlineDriver.dll.

After the Output Transformation policy runs, the driver hands the resulting commands to the shim, which executes the corresponding PowerShell commands on the machine hosting the shim. In the other direction, the shim converts events detected in Office 365 into XDS for the Input Transformation policy.

1.2.2 Data Transfer between Systems

The driver supports two data transfer channels, the Publisher and the Subscriber channels, between the Identity Vault and Office 365.

The Subscriber channel controls data transfer as follows:

  • The channel monitors the Identity Vault for new objects and changes to the existing objects.

  • The channel sends the relevant changes to the driver shim to be executed in Office 365.

The Publisher channel controls data transfer as follows:

  • The channel monitors the connected system for new objects and changes to the existing objects.

  • The channel publishes the relevant changes to the driver shim to be synchronized with the Identity Vault.

With filters and policies, you can configure the driver to control which changes are detected on either channel and which of them are synchronized.

1.2.3 How the Driver Works

Figure 1-1 illustrates the data flow between Identity Manager and Office 365:

Figure 1-1 Office 365 Driver Data Flow

The Identity Manager engine uses XDS, a specialized form of XML, to represent events in the Identity Vault. The Identity Manager engine passes the XDS through the driver policies, which can consist of basic policies, DirXML Script, and XSLT style sheets.

The driver shim receives the policy-transformed XDS from the Identity Manager engine. Based on its content, the driver uses the Microsoft PowerShell infrastructure and the Microsoft Online Services cmdlets to transfer data into and out of Office 365.

The cmdlets manage users and groups in Office 365. When the driver receives an add, modify, or delete event from the Identity Vault, it runs the corresponding cmdlets to provision, modify, or deprovision the user in Office 365. The Subscriber channel synchronizes users, groups, and licenses.

On a successful Add, Modify, or Delete operation, the driver stores the XDS event in a change cache. Passwords are not stored in the change cache. By default, the change cache is located in the C:\Temp folder on the Remote Loader server; because it holds identity data on disk, restrict access to that folder to the account the Remote Loader runs as.

The driver maintains a database cache to prevent loopback of events on the Publisher channel and to identify changes in Office 365. The Publisher channel periodically polls Office 365 for additions and modifications to users and groups.

The changes the driver returns are limited by the Sync Filter settings configured for the driver. By default, the Publisher channel runs this poll and compares the result with the database cache every five minutes. The database cache can be encrypted by specifying the Database Password in the Driver Properties; without it, the cache is stored unencrypted.

Each user entry returned by the query to Office 365 is compared with the user data in the Publisher database cache. Depending on the result of the comparison, the Publisher channel sends one of the following notifications to the Identity Vault:

  • If a user is not present in the database cache, the Publisher channel sends an Add operation request to the Identity Vault.

  • If one or more attributes of a user differ from the cached values, the Publisher channel sends a Modify operation request to the Identity Vault.

  • If the database cache contains users that the query did not return, the Publisher channel sends a Delete operation request to the Identity Vault for each of them.

The driver provides a configurable option, Confirm Publisher Deletes, that re-queries Office 365 to validate a delete request for a specific object before it is sent. This option is enabled by default, which means the driver queries Office 365 to confirm that the user or group no longer exists there before the Publisher channel sends the delete request to the Identity Vault. This protects the Identity Vault from deletes triggered by an incomplete poll result.
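The cache comparison, the Confirm Publisher Deletes re-query, and the loopback protection described above can be modelled as a small reconciliation routine. The following is an added illustration, not code from DXMLMSOnlineDriver.dll or from NetIQ: the ObjectId keys, the attribute names, the sample cache and poll contents are all constructed, and the confirm_exists callback stands in for the re-query of Office 365 that the driver performs when Confirm Publisher Deletes is enabled. The events it produces use the XDS add, modify and delete element shapes.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, str]

# Constructed: what the previous poll left in the Publisher database cache,
# keyed by the Office 365 ObjectId (assumed here to be the association value).
CACHE: Dict[str, Attrs] = {
    "11111111-aaaa-4aaa-8aaa-111111111111": {"UserPrincipalName": "alice@example.com", "DisplayName": "Alice Adams"},
    "22222222-bbbb-4bbb-8bbb-222222222222": {"UserPrincipalName": "bob@example.com", "DisplayName": "Bob Brown"},
    "33333333-cccc-4ccc-8ccc-333333333333": {"UserPrincipalName": "carol@example.com", "DisplayName": "Carol Clark"},
}

# Constructed: the result of the next periodic poll of Office 365.
# alice is unchanged, bob was renamed, carol is missing, dave is new.
POLL: Dict[str, Attrs] = {
    "11111111-aaaa-4aaa-8aaa-111111111111": {"UserPrincipalName": "alice@example.com", "DisplayName": "Alice Adams"},
    "22222222-bbbb-4bbb-8bbb-222222222222": {"UserPrincipalName": "bob@example.com", "DisplayName": "Robert Brown"},
    "44444444-dddd-4ddd-8ddd-444444444444": {"UserPrincipalName": "dave@example.com", "DisplayName": "Dave Dunn"},
}


def _assoc(parent: ET.Element, object_id: str) -> None:
    ET.SubElement(parent, "association").text = object_id


def xds_add(object_id: str, attrs: Attrs, class_name: str) -> ET.Element:
    ev = ET.Element("add", {"class-name": class_name})
    _assoc(ev, object_id)
    for name, value in sorted(attrs.items()):
        ET.SubElement(ET.SubElement(ev, "add-attr", {"attr-name": name}), "value").text = value
    return ev


def xds_modify(object_id: str, changed: Attrs, class_name: str) -> ET.Element:
    ev = ET.Element("modify", {"class-name": class_name})
    _assoc(ev, object_id)
    for name, value in sorted(changed.items()):
        attr = ET.SubElement(ev, "modify-attr", {"attr-name": name})
        ET.SubElement(attr, "remove-all-values")
        ET.SubElement(ET.SubElement(attr, "add-value"), "value").text = value
    return ev


def xds_delete(object_id: str, class_name: str) -> ET.Element:
    ev = ET.Element("delete", {"class-name": class_name})
    _assoc(ev, object_id)
    return ev


def reconcile(cache: Dict[str, Attrs], poll: Dict[str, Attrs],
              confirm_exists: Optional[Callable[[str], bool]] = None,
              class_name: str = "User") -> Tuple[List[ET.Element], Dict[str, Attrs]]:
    """Compare one poll result against the cache.

    Returns the XDS events to publish and the cache state for the next poll.
    confirm_exists models Confirm Publisher Deletes: when given, an object that the
    poll did not return is re-queried, and the delete is suppressed if it still exists.
    """
    events: List[ET.Element] = []
    new_cache: Dict[str, Attrs] = {}
    for oid, attrs in poll.items():
        if oid not in cache:
            events.append(xds_add(oid, attrs, class_name))          # unknown to the cache -> Add
        else:
            changed = {k: v for k, v in attrs.items() if cache[oid].get(k) != v}
            if changed:
                events.append(xds_modify(oid, changed, class_name))  # attribute differs -> Modify
        new_cache[oid] = dict(attrs)
    for oid, attrs in cache.items():
        if oid in poll:
            continue
        if confirm_exists is not None and confirm_exists(oid):
            new_cache[oid] = dict(attrs)   # still present in Office 365: treat the miss as transient
            continue
        events.append(xds_delete(oid, class_name))                   # cached but not returned -> Delete
    return events, new_cache


def record_subscriber_result(cache: Dict[str, Attrs], object_id: str, attrs: Attrs) -> None:
    """Loopback prevention: after the Subscriber channel successfully writes an object to
    Office 365, store the resulting state so the next poll does not publish it back."""
    cache[object_id] = dict(attrs)


def to_xds_document(events: List[ET.Element]) -> str:
    """Wrap the events in the nds/input envelope the engine expects on the Publisher channel."""
    nds = ET.Element("nds", {"dtdversion": "4.0"})
    inp = ET.SubElement(nds, "input")
    for ev in events:
        inp.append(ev)
    return ET.tostring(nds, encoding="unicode")


def event_summary(events: List[ET.Element]) -> List[Tuple[str, str]]:
    return [(ev.tag, ev.find("association").text) for ev in events]


if __name__ == "__main__":
    events, _ = reconcile(CACHE, POLL, confirm_exists=lambda oid: False)
    print(event_summary(events))
    print(to_xds_document(events))
```

Running the module prints one Add (dave), one Modify (bob) and one Delete (carol). Passing a confirm_exists that reports carol as still present drops the Delete and keeps her cache entry, which is exactly the behaviour Confirm Publisher Deletes gives you by default; if you disable that option, a poll that returns an incomplete result set turns straight into Delete requests against the Identity Vault.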