Azure Active Directory Driver 5.1.6 Readme
The Azure Active Directory Driver, also referred to as the Azure AD Driver in this document, allows you to seamlessly provision and deprovision users, group memberships, Exchange mailboxes, roles, Teams, Channels, SKUs and licenses to the Azure AD cloud. You can also configure the driver to integrate with the Identity Manager Service for Exchange Online (Identity Manager Exchange Service) to synchronize Office 365 attributes.
This Readme comprises the following sections:
Overview
This update is applicable for an Identity Manager Driver for Office 365 and Azure Active Directory running Identity Manager 4.8.x. The driver version will be changed to 5.1.6 after the patch is applied.
What's New?
- The driver now uses Microsoft Graph cmdlets.
- Added Certificate Based Authentication as an additional authentication type for the Identity Manager Exchange Service. For more information, refer to: Certificate Based Authentication
- Certificate Based Authentication for Azure now uses a keystore.
- Supports Teams & Channels Entitlement.
- Supports SharePoint Online Teams, refer to: Support for SharePoint Online sites
- Supports EXO version 3
Note: This information has been added after the Azure Active Directory Driver 5.1.6 release.
Note:
- Microsoft has announced the retirement of the Azure AD and MSOnline (Msol) PowerShell modules and recommends using Microsoft Graph-based PowerShell cmdlets instead. For more information, refer to: Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell
- It is highly recommended to perform the driver upgrade during a downtime window so that no changes in Azure are lost while the driver is being upgraded. Otherwise, after the upgrade, you must migrate the Users and Groups into the Identity Vault to ensure that no changes in Azure were lost.
System Requirements
- Identity Manager 4.8.4 or later
- Identity Manager Designer 4.8.4 or later
- REST Driver 1.1.2.0400 or later
Upgrading the Driver
The driver upgrade process involves the following tasks:
To upgrade the driver packages, refer to: Upgrading the Driver Packages
To upgrade the driver files, refer to: Upgrading the Driver Files
To set the delegated and application permissions, refer to: Azure AD Directory Configuration Changes (Step 3 in the Implementation Guide)
To set up SSL between the driver and Azure AD graph REST endpoints, refer to: Secured Communication with Microsoft Graph
To set up SSL between the driver and Identity Manager Exchange Service, refer to: Securing Communication with Identity Manager Exchange Service
To clear the DirXML-DriverStorage attribute (mandatory only if you are upgrading from 5.1.4 or earlier to 5.1.6), refer to: Post Upgrade Tasks
Upgrading the Driver Packages
- Download and unzip the contents of the IDM_AzureAD_5.1.6.zip file to a temporary location on your computer.
- Open the project containing the driver.
- Import the following packages into Designer from the Packages folder:
Name | Package Name | Version | Build Date | Build Number
Azure AD Base | MFAZUREBASE | 1.0.5 | 20220916 | 164823
Azure AD Cloud Only Entitlements | MFAZUREENTL | 1.0.4 | 20220913 | 175019
Azure AD Hybrid Entitlements | MFAZURELENTL | 1.0.4 | 20220928 | 104050
Azure AD Password Sync | MFAZUREPSWD | 1.0.2 | 20220913 | 164719
Note: For importing the packages into Designer, refer to Importing packages into Designer.
- Right-click the driver for which you want to upgrade an installed package, then click Driver > Properties.
- Click Packages.
Note: A check mark in the Upgrades column indicates that a newer version of the package is available.
- Click Select Operation for the package that indicates there is an upgrade available.
- From the drop-down list, click Upgrade.
- Select the version that you want to upgrade to, then click OK.
Note: Designer lists all versions available for upgrade.
- Click Apply.
- (Conditional) Fill in the fields with appropriate information to upgrade the package, then click Next.
Depending on which package you selected to upgrade, you must fill in the required information to upgrade the package.
- Read the summary of the packages that will be installed, then click Finish.
- Review the upgraded package, then click OK to close the Package Management page.
Note: After you update the driver packages, the Authentication Type settings offer Certificate Based Authentication (CBA) for Azure Graph and CBA for the Identity Manager Exchange Service. For more information, refer to: Authentication Types
Upgrading the Driver Files
- Take a backup of the current driver configuration.
- (Conditional) If the driver is running locally, stop the driver instance and the Identity Vault.
- (Conditional) If the driver is running with a Remote Loader instance, stop the driver and the Remote Loader instance.
- Download and unzip the contents of the IDM_AzureAD_5.1.6.zip file to a temporary location on your computer.
- (Conditional) To upgrade the driver files:
- As a root user, perform the following steps:
- On the server where you want to apply the driver patch, log in as root.
- Navigate to the extracted <IDM_AzureAD_5.1.6.zip> directory and perform one of the following actions for your platform:
- Windows:
- Navigate to the <extracted IDM_AzureAD_5.1.6.zip>/Windows folder, then copy and replace the AZDriverShim.jar, RestLib.jar, and OData.jar files in the C:\NetIQ\IDM\NDS\lib folder.
- Copy the following jar files from the IDM_AzureAD_5.1_SP6/common/ folder and place them in the driver installation folder. For example, \NetIQ\IdentityManager\NDS (local installation) or \Novell\RemoteLoader\64bit (remote installation).
- asm-1.0.2.jar
- content-type-2.2.jar
- nimbus-jose-jwt-9.23.jar
- oauth2-oidc-sdk-9.39.jar
- msal4j-1.12.0.jar
- slf4j-log4j12-1.7.33.jar
- common-2.49.jar
- json-smart-2.4.8.jar
- Upgrade the Windows Exchange Service:
- Stop the IDMExchangeOnline service from Windows services console (services.msc).
- Navigate to Windows Exchange Service in the extracted <IDM_AzureAD_5.1_SP6.zip> folder and copy the Microsoft.Identity.Client.dll, ExchServerHost.exe and IDMExchServer.dll files to the Windows Exchange Service installation folder in your file system. For example, C:\NetIQ\ExchangeServerHost.
- Create a new certificate for the Identity Manager Exchange Service. Refer to Securing Communication with Identity Manager Exchange Service.
- Run configureExchService.bat with the appropriate parameters, as follows:
- If you wish to continue using Basic Authentication, use a command such as: configureExchService.bat 9001 exchcba 0
- If you wish to use Certificate Based Authentication (recommended), use a command such as: configureExchService.bat 9001 exchcba 5
- Start the IDMExchangeOnline service from the Windows services console (services.msc).
Important: To support the new APIs, you must install the Microsoft Exchange Online PowerShell V2 module (EXO V2). For the prerequisites and installation procedure, see About the Exchange Online PowerShell V2 module.
To support Microsoft Graph cmdlets, you must install the Microsoft Graph PowerShell SDK. Refer to PowerShell Cmdlet 5.1.6 Configurations.
- As a non-root user, perform the following steps:
- Verify that the /rpm directory exists and contains a _db.* file.
The _db.* file is created during a non-root installation of the Identity Manager engine. The absence of this file might indicate that Identity Manager is not installed properly. You must reinstall Identity Manager to correctly place the file in the directory.
- To set the root directory to the location of the non-root Identity Vault, enter the following command at the command prompt:
ROOTDIR=<non-root eDirectory location>
This sets the environment variable to the directory where the Identity Vault is installed as a non-root user.
- To install the driver files, enter the following command (this example installs the REST driver RPM):
rpm --dbpath $ROOTDIR/rpm -Uvh --relocate=/usr=$ROOTDIR/opt/novell/eDirectory --relocate=/etc=$ROOTDIR/etc --relocate=/opt/novell/eDirectory=$ROOTDIR/opt/novell/eDirectory --relocate=/opt/novell/dirxml=$ROOTDIR/opt/novell/dirxml --relocate=/var=$ROOTDIR/var --badreloc --nodeps --replacefiles /home/user/netiq-DXMLRESTAzure.rpm
where /opt/novell/eDirectory is the location where non-root eDirectory is installed and /home/user/ is the home directory of the non-root user.
- (Conditional) If the driver is running locally, start the Identity Vault and the driver instance.
- (Conditional) If the driver is running with a Remote Loader instance, start the Remote Loader instance and the driver instance.
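A pre-flight wrapper for the non-root installation steps above, added here as an example and not part of the driver package or this readme: it checks for the _db.* marker the procedure depends on, assembles the readme's rpm command for the given ROOTDIR, and runs it only when explicitly asked. The function names and the dry-run default are this example's own; ROOTDIR is assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the 5.1.6 readme): pre-flight check and command
# builder for the non-root driver install. The RPM path used in the usage
# comment below is the readme's own example value.

# check_nonroot_vault ROOTDIR
# Returns 0 when ROOTDIR/rpm exists and holds a _db.* file, 1 otherwise.
check_nonroot_vault() {
    rootdir=$1
    [ -d "$rootdir/rpm" ] || { echo "missing $rootdir/rpm" >&2; return 1; }
    # _db.* is written by the non-root engine install; if it is absent the
    # engine was not installed correctly and must be reinstalled first.
    for f in "$rootdir"/rpm/_db.*; do
        [ -e "$f" ] && return 0
    done
    echo "no _db.* file under $rootdir/rpm; reinstall Identity Manager" >&2
    return 1
}

# build_rpm_cmd ROOTDIR RPMFILE
# Prints the relocating rpm invocation from the readme with ROOTDIR filled in.
build_rpm_cmd() {
    rootdir=$1
    rpmfile=$2
    printf 'rpm --dbpath %s/rpm -Uvh' "$rootdir"
    printf ' --relocate=/usr=%s/opt/novell/eDirectory' "$rootdir"
    printf ' --relocate=/etc=%s/etc' "$rootdir"
    printf ' --relocate=/opt/novell/eDirectory=%s/opt/novell/eDirectory' "$rootdir"
    printf ' --relocate=/opt/novell/dirxml=%s/opt/novell/dirxml' "$rootdir"
    printf ' --relocate=/var=%s/var' "$rootdir"
    printf ' --badreloc --nodeps --replacefiles %s\n' "$rpmfile"
}

# install_driver ROOTDIR RPMFILE [run]
# Refuses to proceed when the vault check fails. Without the third argument
# the assembled command is only printed (dry run); pass "run" to execute it.
# eval is safe here only because ROOTDIR/RPMFILE are assumed whitespace-free.
install_driver() {
    check_nonroot_vault "$1" || return 1
    cmd=$(build_rpm_cmd "$1" "$2")
    if [ "$3" = run ]; then
        eval "$cmd"
    else
        echo "$cmd"
    fi
}

# Usage: install_driver "$ROOTDIR" /home/user/netiq-DXMLRESTAzure.rpm      (dry run)
#        install_driver "$ROOTDIR" /home/user/netiq-DXMLRESTAzure.rpm run  (install)
```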
Technical Support Information
Issues Fixed in this Release (5.1.6)
- Defect 494386 - Azure Driver 5.1.5 ignores GCV (Global Configured Values) ForceChangePassword
- Defect 566091 - Azure AD driver 5.1.5.0 fails to poll for group changes due to invalid publisher state (error 400 Bad Request - Badly formed token)
- Defect 566144 - Azure AD Driver 5.1.5.0 should support a keystore to store the private key
- Defect 566039 - Activate Azure Directory Roles (activate-roles) set to Yes causes rest error 200 on startup
- Defect 450029 - Matching query fails on value with an apostrophe
- Defect 500072 - Azure AD driver 5.1.5: Error 400 Set-User : Phone and Mobile Phone for users with Recipient Type Details "UserMailbox" cannot be updated
- Defect 566013 - The Azure AD Driver when setting owners on distribution groups performs multiple commands from the Exchange Online Service to M365 for the relative number of owners being added to the group
Issues Fixed in Previous Release (5.1.5.0100)
- Defect 572006 - Azure AD driver not starting - java.lang.illegalArgumentException: Could not parse the as Edmx document