Azure Active Directory Driver 5.1.70100 Readme

The Azure Active Directory Driver also referred to as Azure AD Driver in this document, allows you to seamlessly provision and deprovision users, group memberships, exchange mailboxes, roles, Teams, Channels, SKU and licenses to Azure AD Cloud. You can also configure the driver to integrate with Identity Manager Service for Exchange Online (Identity Manager Exchange Service) for synchronizing Office 365 attributes.

This Readme comprises the following sections:

• Overview
• System Requirements
• Upgrading the Driver
• Technical Support Information

Overview

This update is applicable for an Identity Manager Driver for Office 365 and Azure Active Directory running Identity Manager 4.8.x. The driver version will be changed to 5.1.70100 after the patch is applied.

• Microsoft has announced the retirement of Azure AD and Msol PowerShell modules. MS has recommended using Microsoft graph based PowerShell cmdlets instead.For more information refer to: Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell
• It is highly recommended to perform the Driver Upgrade by taking downtime so that there no changes in Azure are lost while the driver is getting upgraded. Otherwise, after the upgrade, it will be necessary to migrate the Users and Groups into Identity Vault to ensure that no changes in Azure were lost.
• From October 1st 2023 the Exchange services of Azure AD driver 5.1.7 may not work as expected because RPS will be disabled by Microsoft, for reference Deprecation of Remote PowerShell in Exchange Online. Hence this update is mandatory to ensure the driver continues to work normal.

System Requirements

• Identity Manager 4.8.4 or later
• Identity Manager Designer 4.8.4 or later
• REST Driver 1.1.2.0400 or later
• Microsoft.Graph Module version 2.4
• ExchangeOnlineManagement Module 3.2

Prerequisites

Run the following commands before upgrading the driver to install the requirments:

• Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.2.0
• Install-Module -Name Microsoft.Graph -RequiredVersion 2.4.0

Upgrading the Driver

The driver upgrade process involves the following tasks:

Upgrading the Driver Files

1. Take a back-up of the current driver configuration.


2. (Conditional) If the driver is running locally, stop the driver instance and the Identity Vault.


3. (Conditional) If the driver is running with a Remote Loader instance, stop the driver and the Remote Loader instance.


4. Download and unzip the contents of the IDM_AzureAD_5.1.7_P1.zip file to a temporary location on your computer.


5. (Conditional) To upgrade the driver files:


• As a root user, perform the following steps:


1. On the server where you want apply the driver patch, log in as root.


2. Navigate to the extracted <IDM_AzureAD_5.1.7_P1.zip> directory and perform one of the following actions for your platform:


• Linux:


• Navigate to the <IDM_AzureAD_5.1.7_P1.zip>;/Linux directory
• Install the netiq-DXMLRESTAzure.rpm by running the following commands in a terminal window:

rpm -Uvh (patch-path)/linux/netiq-DXMLRESTAzure.rpm



• Windows:


• Navigate to the <extracted IDM_AzureAD_5.1.7_P1.zip>/Windows folder. Copy and replace the AZDriverShim.jar, RestLib.jar, and OData.jar. files in the C:\NetIQ\IDM\NDS\lib folder.


• Upgrade the Windows Exchange Service:


• Stop the IDMExchangeOnline service from Windows services console (services.msc).


• Navigate to Windows Exchange Service in the extracted <IDM_AzureAD_5.1.7_P1.zip> folder and copy the Microsoft.Identity.Client.dll, ExchServerHost.exe and IDMExchServer.dll files to the Windows Exchange Service installation folder in your file system. For example, C:\NetIQ\ExchangeServerHost.


• Create new Certificate for Identity Manager Exchange Service. Refer to Securing Communication with Identity Manager Exchange Service
• Run configureExchService.bat with appropriate parameters as mentioned below.
• if you wish to continue using Basic Authentication , use the command - configureExchService.bat 9001 exchcba 0 as an examlpe.
• if you wish to use Certificate Based Authentication (which is recommended), use the command - configureExchService.bat 9001 exchcba 5 as an example.
• Start the IDMExchangeOnline service from Windows services console(services.msc).

Important: To support new APIs, you must mandatorily install the Microsoft Exchange Online PowerShell V3 module (EXO V3). For the prerequisites and installation procedure, see About the Exchange Online PowerShell V3 module.

To support Microsoft Graph CMDLETS you need to install Microsoft Graph PowerShell SDK. Refer to Powershell CMDLET 5.1.7 Configurations



6. As a non-root user, perform the following steps:


1. Verify that /rpm directory exists and contains _db.* file.

The _db.* file is created during a non-root installation of the Identity Manager engine. The absence of this file might indicate that the Identity Manager is not installed properly. You must reinstall the Identity Manager to correctly place the file in the directory.

2. To set the root directory to the location of non-root Identity Vault, enter the following command in the command prompt:

ROOTDIR=<non-root eDirectory location>

This will set the environmental variables to the directory where Identity Vault is installed as a non-root user.

3. To install the driver files, enter the following command:

For example, to install the REST driver RPM, use this command:

rpm --dbpath $ROOTDIR/rpm -Uvh --relocate=/usr=$ROOTDIR/opt/novell/eDirectory --relocate=/etc=$ROOTDIR/etc --relocate=/opt/novell/eDirectory=$ROOTDIR/opt/novell/eDirectory --relocate=/opt/novell/dirxml=$ROOTDIR/opt/novell/dirxml --relocate=/var=$ROOTDIR/var --badreloc --nodeps --replacefiles /home/user/netiq-DXMLRESTAzure.rpm

where /opt/novell/eDirectory is the location where non-root eDirectory is installed and /home/user/ is the home directory of the non-root user.

7. (Conditional) If the driver is running locally, start the Identity Vault and the driver instance.


8. (Conditional) If the driver is running with a Remote Loader instance, start the Remote Loader instance and the driver instance.

Known Issue

Memory leak issue in IDMExchange service.

In IDMExchange service we have observed Memory leak issue which is caused due to Microsoft cmdlets. In Microsoft documentation it is mentioned that "Frequent use of the Connect-ExchangeOnline and Disconnect-ExchangeOnline cmdlets in a single PowerShell session or script might lead to a memory leak. The best way to avoid this issue is to use the CommandName parameter on the Connect-ExchangeOnline cmdlet to limit the cmdlets that are used in the session.".

Restart IDMExchange Service when you see noticeable increase in memory.

Technical Support Information

Issues Fixed in current Release (5.1.70100)

• Defect 816006 - Upgrading Exchange online to V3 version now enforces user interaction for few cmdlets
• Defect 802003 - Upgrading MSGraph module and Exchange Modules Driver fails to connect to Microsoft Graph "PowerShell execution error: Cannot bind parameter 'AccessToken'. Cannot convert"
• Defect 800002 - Azure Driver BadRequest message - Cannot Update a mail-enabled security groups and or distribution list
• Defect 833033 - NetIQ IdM Azure AD driver's IdM Exchange service does not use ByPassSecurityGroupManagerCheck switch when calling Add-DistributionGroupMember

Issues Fixed in Previous Release (5.1.7)

• Defect 763011 - Add or Modify event on Subscriber/Publisher fails with error "QueryHandler: Filtering out invalid class 'user'
• Defect 445109 - AzureAD driver ignores FATAL status
• Defect 646042 - @src-dn is empty in AzureAD publisher events
• Defect 501051 - Configure AzureAD Driver to connect to Microsoft Graph endpoints for national cloud deployments
• Defect 624004 - Azure driver publisher loops on O365 group modifications repeating modify events several times
• Defect 763002 - Azure AD shim 5.1.6 GET 404 not found - attribute 'print' no longer supported in queries added the print attribute in Unsupported User Attributes by MS Graph APIs in the driver configuration.
• Defect 673001 -Issue with communication to Microsoft 365 API with Azure AD Driver added the signInActivity attribute in Unsupported User Attributes by MS Graph APIs in the driver configuration.