Office365 to Azure AD Migration Tool Readme

As Microsoft has called out the end of support for Basic Authentication access to Exchange Online API’s for Office365, the Office365 driver will be deprecated. As there will be no further updates to Office365 driver, you must now use the Azure AD driver to connect to the Office365/Azure account. A migration tool is developed for customers to migrate from the existing O365 driver to the Azure AD driver. The tool automates the migration of resources from the Office365 driver to Azure AD driver, but retains the historical data, such as Resource assignments and its history.

This document comprises the following sections:


The migration tool helps a user to:

System Requirements

Handling License Resources and Custom License Resources

Important: Migrating Licence Resources and Custom Licence Resources would trigger a sync and generate traffic.

Migrating License Resources

  1. Make a note of all the license resources that were created using the Office365 driver.
  2. Log in to the Identity Manager Dashboard.
  3. Using the Azure AD driver, create a resource for every service plan. The number of resources must be individually created per service plan.
  4. Create a role that will represent a license and map the resources (to the role) for every service plan that the license contains. Repeat this step if there are multiple licenses in your environment.
  5. Assign the role, with the corresponding entitled licenses, to each user.

Migrating Custom License Resources

  1. Review all the created Custom License Resources with the Office365 Driver, and make a note of all the resource assignments and the service plans that are restricted by each Custom License Resource.
  2. Remove the existing assignments of Licence and Custom License Resources that were created using the Office365 driver.
  3. Create new resources using Azure AD Driver for each License (service plan).
  4. In the Identity Manager Dashboard, create a role and map all the licence resources, excluding the one that is specified in the custom license.
  5. Repeat step 4, for all the custom resources identified in your environment you want to grant permissions or assign to a particular user or users.

For example, if a configured Custom License restricts a user from assigning the service plan EXCEL_PREMIUM and assigns all other plans, then you must first create a Role and then map all the License resources except for the resource for EXCEL_PREMIUM service plan. You can then assign this Role to all the desired users.

Migrating Custom Polices from Office365 to Azure AD Driver

You must migrate the custom policies from Office365 driver to Azure AD driver manually. To migrate, you must first export the custom policies from Office365 driver and then import them to the Azure AD driver.

Exporting Custom Policies from Office365 Driver

  1. Open the project in Designer.
  2. In the Outline view, navigate to Office365 driver and select the custom policies of the Office365 driver to export.
  3. Right-click and select Export to Configuration File.
  4. Select a location to export the policies.
  5. Click Save > OK.

Importing Custom Policies to Azure AD Driver

  1. Open the project in Designer.
  2. In the Outline view, right-click the Azure AD driver and select Import from Configuration File.
  3. Click Browse and navigate to the location where the custom policies of Office365 are exported.
  4. Select the exported policies and click Open > OK.

Test the Python Version on your Machine

Enter the following commands as required to test the python versions installed in your machine:

Verifying the Availability of the Required Modules

  1. Enter the command to verify the required module is present in your machine:

  2. Ensure the modules request, ldap3 and urllib3 entries are present. If the entries are not listed, install the required module with the command: pip install [module name] or pip3 install [module name].

Migrating Office365 Driver to Azure AD Driver

You must perform the following steps to migrate Office365 to Azure AD driver:

NOTE: It is recommended to run the migration tool on a different server to avoid high utilization of CPU memory in Identity Manager server.

  1. Ensure that the Azure AD driver is deployed and running.

  2. Shutdown and disable the Office365 driver.
  3. NOTE: Disabling this driver ensures that none of the events are stored in the driver cache.

  4. Perform one of the following procedures to flush the Identity Manager Dashboard cache.

    1. Log in to the Identity Manager Dashboard.
    2. Navigate to the Configuration page.
    3. Click Cache and Cluster.
    4. Select All Cache, if not defaulted already.
    5. Click Flush Cache.
    6. or

    1. Stop the Tomcat service.
    2. Delete the permindex directory from the Tomcat temp directory.
    3. Start the Tomcat service.

    NOTE: Migration tool sends queries to the Identity Manager Dashboard cache to fetch roles, resources, and their assignments. Hence, it is recommended to flush the cache of the Identity Manager Dashboard prior to running the migration tool. This ensures that all the recent changes in IDMDash are fetched.

  5. (Conditional) On Linux, run the following commands:
    1. NCPCLIENT_REQ_TIMEOUT= <timeout in seconds>
    2. For example, NCPCLIENT_REQ_TIMEOUT= 9000


    NOTE: This setting is valid until the session is closed. By default, the NCP connection has a timeout of 115 seconds. If the total time of the query plus returning results exceeds that value, dxcmd exits with error 143. By setting the NCPCLIENT_REQ_TIMEOUT to a larger value (for example, 1200 seconds), increases the amount of time that the operation is allowed to execute. Since the value is in seconds, a setting of 1200 seconds would allow the operation to execute up to 20 minutes.

  6. (Conditional) On Windows, perform the following steps to add the NCPCLIENT_REQ_TIMEOUT as an environment variable:
    1. On the Windows taskbar, right-click the Windows icon and then select System.
    2. Click Advanced system settings under Related settings.
    3. On the Advanced tab, click Environment Variables.
    4. Click New and add the environment variable.
    5. Click OK and then click OK.

  7. Create a custom directory to extract the contents of migration tool.

  8. Unzip the <> file.

  9. Run the python36 script.
  10. python36 -host <IP address or hostname of the Identity Vault server> -user <Identity Vault Administrator name> -password <Identity Vault Administrator password> -ncp 524 -ssl <specify whether you want to connect through SSL> -ldaps 636 -uauser <Identity Applications Administrator Name> -uapass <Identity Applications Administrator Password> -container <User Search Container DN> -log <log level> -url <Identity Applications URL> -o365 <Office365 Driver DN> -azure <Azure AD Driver DN>

    For example:

    python36 -host -user cn=admin,ou=sa,o=system -password novell -ncp 524 -ssl Yes -ldaps 636 -uauser uaadmin -uapass novell -container o=data -log DEBUG -url -o365 "cn=MSOffice365,cn=driverset1,o=system" -azure cn="AzureDriver,cn=driverset1,o=system"

    NOTE: For help on using the migration script, run the python36 -h command.

    Alternatively, you can run the python36 script and then specify the following details when prompted:

    Input Prompt Sample Values
    Enter IP Address of the IDM Server (IDVault)

    <IP address or hostname of the Identity Vault server>

    For example,

    Enter the IDM Server admin

    <Identity Vault Administrator name>

    For example, cn=admin,ou=sa,o=system

    Enter Password for the IDM Server admin

    <Identity Vault Administrator password>

    For example, novell

    Enter the IDM Server NCP port Enter the NCP port to run dxcmd commands. The default port is 524.

    NOTE: The default port is used, if a custom port is not specified. The port must be specified manually.

    Enter the base container of the users

    Enter the container where the user objects exist.

    For example, o=data

    SSL enabled? Yes or No Enter Yes if "Require TLS for Simple Bind is Yes".
    Enter the IDM Server LDAP port Enter the LDAP port. You must specify these values manually. The default values are appended, if no values are specified. The default values are:
    • For SSL enabled LDAP port: 636
    • For non SSL LDAP port: 389
    Enter Office365 driver DN

    <Office365 Driver DN>

    For example, cn=MSOffice365,cn=driverset1,o=system

    Enter Azure driver DN

    <Azure AD Driver DN>

    For example, cn=AzureDriver,cn=driverset1,o=system

    Enter name of userapp admin

    <Identity Applications Administrator Name>

    For example, uaadmin

    Enter Password for userapp admin

    <Identity Applications Administrator Password>

    For example, novell

    Enter IDM UserApps URL

    <Identity Applications URL>

    For example,

    The migration tool executes once all the values are provided. For more information on the execution steps, see Steps Executed as part of Migration.

    NOTE: You must ensure that the migration tool executes with no errors. The migration will be unsuccessful if errors persist.

Steps Executed as a Part of Migration Process

  1. During the execution process, all the entitlements are queried based on the driver DN provided.
  2. Post querying, a mapping file is created which contains the list of driver and entitlement DN to be converted from Office365 to Azure.
  3. The mapping file also contains the entitlement mapping values of Office365 to Azure AD. Based on the mapping file values, the tool updates the following attributes: