Azure Active Directory Driver 5.1.7.0200 Readme
The Azure Active Directory Driver, also referred to as the Azure AD Driver in this document, allows you to provision and deprovision users, group memberships, Exchange mailboxes, roles, Teams, Channels, SKUs and licenses to Azure AD. You can also configure the driver to integrate with the Identity Manager Service for Exchange Online (Identity Manager Exchange Service) to synchronize Office 365 attributes.
This Readme comprises the following sections:
Overview
This update is applicable for Identity Manager Driver for Office 365 and Azure Active Directory running Identity Manager 4.8.x. The driver version will be changed to 5.1.7.0200 after the patch is applied.
Note:
- Microsoft has announced the retirement of the Azure AD and MSOnline PowerShell modules and recommends using the Microsoft Graph based PowerShell cmdlets instead. For more information, refer to: Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell
- It is highly recommended to perform the driver upgrade during a maintenance window so that no changes made in Azure while the driver is being upgraded are lost. Otherwise, after the upgrade, you must migrate the users and groups into the Identity Vault to ensure that no changes in Azure were missed.
- From October 1st 2023 the Exchange services of Azure AD driver 5.1.7 may not work as expected because Remote PowerShell (RPS) will be disabled by Microsoft; for reference, see Deprecation of Remote PowerShell in Exchange Online. This update is therefore mandatory to ensure the driver continues to work normally.
What's New?
- The Azure AD Driver Base Package now provides an option to support attributes that are not part of the metadata returned by Microsoft. This gives you the flexibility to add the attributes you need to the Supported Attributes list.
System Requirements
- Identity Manager 4.8.4 or later
- Identity Manager Designer 4.8.4 or later
- REST Driver 1.1.2.0400 or later
- Microsoft.Graph Module version 2.4
- ExchangeOnlineManagement Module 3.3
Prerequisites
Run the following commands before upgrading the driver to install the requirements:
- Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.3.0
- Install-Module -Name Microsoft.Graph -RequiredVersion 2.4.0
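The two Install-Module commands above install the pinned versions but do not tell you whether other versions, or the retired AzureAD/MSOnline modules mentioned in the Note, are still present on the host. The following script is an added example and is not part of the driver readme or the driver itself: it installs the required versions if they are missing, reports side-by-side versions that Import-Module could pick up instead, flags retired modules, and then loads exactly the versions the driver expects. It assumes an elevated Windows PowerShell session on the host that runs the Identity Manager Exchange Service; the module names and versions come from the System Requirements above.

```powershell
# Added example, not part of the driver readme. Assumes an elevated Windows PowerShell
# session on the Exchange Service / Remote Loader host.
$Required = @{
    'Microsoft.Graph'          = '2.4.0'   # System Requirements: Microsoft.Graph 2.4
    'ExchangeOnlineManagement' = '3.3.0'   # System Requirements: ExchangeOnlineManagement 3.3
}
# Modules Microsoft has retired; the 5.1.7.0200 driver does not use them (see Note above).
$Retired = @('AzureAD', 'AzureADPreview', 'MSOnline')

foreach ($name in $Required.Keys) {
    $version = $Required[$name]
    $have = Get-InstalledModule -Name $name -RequiredVersion $version -ErrorAction SilentlyContinue
    if (-not $have) {
        Write-Host "Installing $name $version"
        Install-Module -Name $name -RequiredVersion $version -Scope AllUsers -Force
    }
    # Other versions of the same module installed side by side may be loaded first by an
    # unqualified Import-Module; report them so they can be removed deliberately.
    $others = Get-InstalledModule -Name $name -AllVersions -ErrorAction SilentlyContinue |
              Where-Object { $_.Version -ne [version]$version }
    foreach ($o in $others) {
        Write-Warning ("{0} {1} is also installed; remove it with: Uninstall-Module -Name {0} -RequiredVersion {1}" -f $name, $o.Version)
    }
}

foreach ($name in $Retired) {
    if (Get-Module -ListAvailable -Name $name) {
        Write-Warning "Retired module $name is present; the driver no longer needs it."
    }
}

# Load exactly the versions the driver expects. Microsoft.Graph.Authentication is the SDK
# sub-module that carries Connect-MgGraph; it ships with the same version as the meta-module.
Import-Module Microsoft.Graph.Authentication -RequiredVersion 2.4.0 -ErrorAction Stop
Import-Module ExchangeOnlineManagement       -RequiredVersion 3.3.0 -ErrorAction Stop
Get-Module Microsoft.Graph.Authentication, ExchangeOnlineManagement | Select-Object Name, Version
```

Run it once before the upgrade and again after a reboot of the host; if the final Import-Module calls fail with a version error, the service will fail in the same way when it next connects to Exchange Online or Microsoft Graph.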
Upgrading the Driver
The driver upgrade process involves the following tasks:
- To upgrade the driver files, refer to: Upgrading the Driver Files
- To import the packages into Designer from the Packages folder, refer to: Upgrading the Driver Packages
- To set the delegated and application permissions, refer to: Azure AD Directory Configuration Changes (Step 3 in the Implementation Guide)
- To set up SSL between the driver and the Azure AD Graph REST endpoints, refer to: Secured Communication with Microsoft Graph
- To set up SSL between the driver and the Identity Manager Exchange Service, refer to: Securing Communication with Identity Manager Exchange Service
Upgrading the Driver Packages
Import the following packages into Designer from the Packages folder :
Name       | Package Name | Version | Build Date | Build Number
AZURE Base | MFAZUREBASE  | 1.0.7   | 20240307   | 093042
Upgrading the Driver Files
- Take a back-up of the current driver configuration.
- (Conditional) If the driver is running locally, stop the driver instance and the Identity Vault.
- (Conditional) If the driver is running with a Remote Loader instance, stop the driver and the Remote Loader instance.
- Download and unzip the contents of the IDM_AzureAD_5.1.7_P2.zip file to a temporary location on your computer.
- (Conditional) To upgrade the driver files:
- As a root user, perform the following steps:
- On the server where you want to apply the driver patch, log in as root.
- Navigate to the extracted <IDM_AzureAD_5.1.7_P2.zip> directory and perform one of the following actions for your platform:
- Windows:
- Navigate to the <extracted IDM_AzureAD_5.1.7_P2.zip>/Windows folder.
Copy and replace the AZDriverShim.jar, RestLib.jar, and OData.jar files in the C:\NetIQ\IDM\NDS\lib folder.
- Upgrade the Windows Exchange Service:
- Stop the IDMExchangeOnline service from Windows services console (services.msc).
- Navigate to Windows Exchange Service in the extracted <IDM_AzureAD_5.1.7_P2.zip> folder and copy the Microsoft.Identity.Client.dll, ExchServerHost.exe and IDMExchServer.dll files to the Windows Exchange Service installation folder in your file system. For example, C:\NetIQ\ExchangeServerHost.
- Create a new certificate for the Identity Manager Exchange Service. Refer to Securing Communication with Identity Manager Exchange Service.
- Run configureExchService.bat with the appropriate parameters, as in the examples below. The last parameter selects the authentication mode.
- If you wish to continue using Basic Authentication, use a command such as: configureExchService.bat 9001 exchcba 0
- If you wish to use Certificate Based Authentication (recommended), use a command such as: configureExchService.bat 9001 exchcba 5
- Start the IDMExchangeOnline service from Windows services console(services.msc).
Important: To support the new APIs, you must install the Microsoft Exchange Online PowerShell V3 module (EXO V3). For the prerequisites and installation procedure, see About the Exchange Online PowerShell V3 module.
To support the Microsoft Graph cmdlets, you must install the Microsoft Graph PowerShell SDK. Refer to PowerShell CMDLET 5.1.7 Configurations.
- As a non-root user, perform the following steps:
- Verify that the /rpm directory exists and contains a _db.* file.
The _db.* file is created during a non-root installation of the Identity Manager engine. The absence of this file might indicate that Identity Manager is not installed properly; in that case you must reinstall Identity Manager to place the file correctly in the directory.
- To set the root directory to the location of non-root Identity Vault, enter the following command in the command prompt:
ROOTDIR=<non-root eDirectory location>
This will set the environmental variables to the directory where Identity Vault is installed as a non-root user.
- To install the driver files, enter the following command (shown here for the Azure AD driver RPM, netiq-DXMLRESTAzure.rpm):
rpm --dbpath $ROOTDIR/rpm -Uvh --relocate=/usr=$ROOTDIR/opt/novell/eDirectory --relocate=/etc=$ROOTDIR/etc --relocate=/opt/novell/eDirectory=$ROOTDIR/opt/novell/eDirectory --relocate=/opt/novell/dirxml=$ROOTDIR/opt/novell/dirxml --relocate=/var=$ROOTDIR/var --badreloc --nodeps --replacefiles /home/user/netiq-DXMLRESTAzure.rpm
where /opt/novell/eDirectory is the location where non-root eDirectory is installed and /home/user/ is the home directory of the non-root user.
- (Conditional) If the driver is running locally, start the Identity Vault and the driver instance.
- (Conditional) If the driver is running with a Remote Loader instance, start the Remote Loader instance and the driver instance.
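The Windows part of the procedure above (back up, stop the Exchange Service, replace the shim and service files, reconfigure, restart) is easy to get half-done by hand. The script below is an added example, not part of the driver readme or the driver distribution, that performs those steps in order with a timestamped backup and a hash record of what was installed. It assumes the readme's example paths (C:\NetIQ\IDM\NDS\lib and C:\NetIQ\ExchangeServerHost), that IDM_AzureAD_5.1.7_P2.zip was extracted to C:\Temp\IDM_AzureAD_5.1.7_P2 (an assumed location), that the service is registered as IDMExchangeOnline, that the new service certificate has already been created per the referenced guide, and that the session is elevated. Stopping the driver and Remote Loader beforehand, and the Linux RPM steps, are outside the script.

```powershell
# Added example, not part of the driver readme. Paths other than the readme's examples are
# assumptions; adjust $Extracted to where the patch zip was unpacked.
$ErrorActionPreference = 'Stop'
$Extracted = 'C:\Temp\IDM_AzureAD_5.1.7_P2'                 # assumed unzip location
$LibDir    = 'C:\NetIQ\IDM\NDS\lib'                          # from the readme
$ExchDir   = 'C:\NetIQ\ExchangeServerHost'                   # from the readme
$Backup    = "C:\NetIQ\backup\AzureAD_$(Get-Date -Format yyyyMMdd_HHmmss)"   # assumed
$ShimFiles = 'AZDriverShim.jar', 'RestLib.jar', 'OData.jar'
$ExchFiles = 'Microsoft.Identity.Client.dll', 'ExchServerHost.exe', 'IDMExchServer.dll'

# 1. Back up every file that is about to be replaced.
New-Item -ItemType Directory -Path "$Backup\lib", "$Backup\exch" | Out-Null
foreach ($f in $ShimFiles) { Copy-Item (Join-Path $LibDir  $f) "$Backup\lib"  -ErrorAction SilentlyContinue }
foreach ($f in $ExchFiles) { Copy-Item (Join-Path $ExchDir $f) "$Backup\exch" -ErrorAction SilentlyContinue }

# 2. Stop the Exchange Service so ExchServerHost.exe and its DLLs are not locked.
Stop-Service -Name IDMExchangeOnline
(Get-Service -Name IDMExchangeOnline).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 3. Copy the patched files from the two folders the readme names.
foreach ($f in $ShimFiles) { Copy-Item (Join-Path "$Extracted\Windows" $f) $LibDir -Force }
foreach ($f in $ExchFiles) { Copy-Item (Join-Path "$Extracted\Windows Exchange Service" $f) $ExchDir -Force }

# Record SHA-256 of the installed files next to the backup so the change is auditable.
$installed = @(
    $ShimFiles | ForEach-Object { Join-Path $LibDir  $_ }
    $ExchFiles | ForEach-Object { Join-Path $ExchDir $_ }
)
Get-FileHash -Path $installed -Algorithm SHA256 |
    Export-Csv -Path "$Backup\installed-hashes.csv" -NoTypeInformation

# 4. Re-run the service configuration. 9001 and exchcba are the readme's example port and
#    name; 5 selects Certificate Based Authentication, which the readme recommends.
Push-Location $ExchDir
try   { & .\configureExchService.bat 9001 exchcba 5 }
finally { Pop-Location }

# 5. Start the service and confirm the new binary is actually the one running.
Start-Service -Name IDMExchangeOnline
(Get-Service -Name IDMExchangeOnline).WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='IDMExchangeOnline'"
Get-Process -Id $svc.ProcessId | Select-Object Id, StartTime, Path
Get-FileHash -Path (Get-Process -Id $svc.ProcessId).Path -Algorithm SHA256
```

If configureExchService.bat returns a non-zero exit code, do not start the service; restore the files from $Backup and re-check the certificate setup before retrying.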
Known Issue
Memory leak in the IDMExchange service.
Issue: A memory leak has been observed in the IDMExchange service. It is caused by the Microsoft cmdlets the service uses; the Microsoft documentation states:
"Frequent use of the Connect-ExchangeOnline and Disconnect-ExchangeOnline cmdlets in a single PowerShell session or script might lead to a memory leak. The best way to avoid this issue is to use the CommandName parameter on the Connect-ExchangeOnline cmdlet to limit the cmdlets that are used in the session.".
Workaround: Restart the IDMExchange service when you see a noticeable increase in its memory usage.
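The workaround above depends on someone noticing the growth. The following script is an added example, not part of the driver readme or the driver, that applies the same workaround on a schedule: it resolves the IDMExchangeOnline service to its process, logs the working set, and restarts the service only when it exceeds a threshold. The service name comes from the readme; the 2 GB threshold, the log path and the 15-minute schedule are assumptions to tune for your host. It does not address the root cause, which the quoted Microsoft guidance places inside the code that calls Connect-ExchangeOnline.

```powershell
# Added example, not part of the driver readme. Run from a scheduled task (e.g. every
# 15 minutes) as an account allowed to restart services. Threshold and log path are assumed.
param(
    [long]  $ThresholdBytes = 2GB,
    [string]$Log = 'C:\NetIQ\ExchangeServerHost\memory-watch.log'
)

function Get-ExchServiceProcess {
    # Resolve the service to its process rather than matching on the image name, so the
    # measurement is right even if another ExchServerHost.exe happens to be running.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='IDMExchangeOnline'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return $null }
    return Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
}

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

$p = Get-ExchServiceProcess
if ($null -eq $p) {
    Write-Log 'IDMExchangeOnline is not running; nothing to measure'
    exit 0
}

$ws = $p.WorkingSet64
Write-Log ("pid={0} workingset={1:N0} threshold={2:N0}" -f $p.Id, $ws, $ThresholdBytes)

if ($ws -gt $ThresholdBytes) {
    # The readme's workaround: restart the service. A restart drops any poll in progress,
    # so schedule the task outside the driver's busiest window where possible.
    Write-Log 'threshold exceeded, restarting IDMExchangeOnline'
    Restart-Service -Name IDMExchangeOnline -Force
    (Get-Service -Name IDMExchangeOnline).WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
    $p2 = Get-ExchServiceProcess
    if ($p2) { Write-Log ("restarted pid={0} workingset={1:N0}" -f $p2.Id, $p2.WorkingSet64) }
    else     { Write-Log 'restart requested but service process not found' }
}
```

Keep the log: a steady rise between restarts confirms the leak is the cause, while a sudden jump after a specific Exchange Online change points to a different problem worth raising with support.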
Technical Support Information
Issues Fixed in Current Release
- Defect 647060 - When the AzureAD driver 5.1.6 is configured to use certificate based authentication, it fails with a "Refresh token and Client Secret must be provided to get the new Access Token" exception.
- Defect 1115008 - The IdM Exchange Service in the IdM driver for Azure AD and Office 365 is unable to fetch user changes if a user has a populated extension attribute.
- Defect 1114001 - The IdM Exchange Service in the IdM driver for Azure AD and Office 365 throws an exception when a group only has a service principal as owner.
- Defect 1096001 - The IdM Exchange Service in the IdM driver for Azure AD and Office 365 uses the current local time to poll for changes in UTC time.
- Defect 1109003 - Azure AD driver's Exchange Service shows error when polling for Exchange Online group changes if Exchange Online custom role group is created.
- Defect 589122 - AzureAD driver - ability to sync attributes that are not reported by MS in the metadata.
- Defect 686007 - When the MS Graph API returns a 429 Too Many Requests error, the status document returned by the IdM driver for Azure AD does not include a level.
- Defect 712005 - After changing the merge authority to application, new groups coming from Azure attempt to apply modify operations within the Vault prior to the add.
- Defect 782036 - Regarding 'LicenceOptionStatus' Issue on M365 Driver.
Issues Fixed in Previous Release (5.1.7.0100)
- Defect 816006 - Upgrading Exchange online to V3 version now enforces user interaction for few cmdlets
- Defect 802003 - Upgrading MSGraph module and Exchange Modules Driver fails to connect to Microsoft Graph "PowerShell execution error: Cannot bind parameter 'AccessToken'. Cannot convert"
- Defect 800002 - Azure Driver BadRequest message - Cannot Update a mail-enabled security groups and or distribution list
- Defect 833033 - NetIQ IdM Azure AD driver's IdM Exchange service does not use ByPassSecurityGroupManagerCheck switch when calling Add-DistributionGroupMember