Creating Distribution list for office 365 in sailpoint using Azure Ad connector

Which IIQ version are you inquiring about?

Version 8.3p2


Hello Everyone,
Can anyone kindly assist me in creating a distribution list for Office 365 using Azure AD Connector? I have gone through the Azure AD Connector Document in SailPoint. It says that we have to use Exchange Online Management to create a DL, but it doesn’t provide clear information about the creation. So, can anyone help me with this?
Thanks & Regards,
Dharshini

Hi @DharshiniB,

Distribution Lists are managed like a group object in SP, so you can create a manage attribute and promote it.

@DharshiniB Can you try via the UI, as Kamil provided steps here? Go to Entitlements Catalogue → Click new entitlement …

Creating Distribution Lists in SailPoint using Azure AD Connector - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

If it works, then you can print the plan and see how the plan was generated.

@pravin_ranjan I have tried the provisioning plan that you provided in the post. I am able to see the distribution list getting created in Azure successfully, but we need to add members into the DL. In the same plan I tried adding the members; I can see that it's getting committed in the SailPoint provisioning transaction, but the members were not added. How can we add members into the DL?

@DharshiniB For members you need to create a separate plan of AccountRequest to add members. In this case, you can use groups instead of memberOf.

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningProject;
import sailpoint.object.ProvisioningPlan.ObjectRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.api.Provisioner;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;
import java.util.ArrayList;
import java.util.List;

// Step 1: Create a new Provisioning Plan
ProvisioningPlan plan = new ProvisioningPlan();
plan.setTargetIntegration("Azure App");

// Step 2: Define the group name and list of members to be added
String groupName = "ObjID"; // Replace with your actual group name
List memberList = new ArrayList();
memberList.add("UPN");
memberList.add("UPN");

// Step 3: Create ObjectRequest for the group
ProvisioningPlan.ObjectRequest oR = new ProvisioningPlan.ObjectRequest();
oR.setApplication("Azure App");
oR.setNativeIdentity(groupName); // native identity of the group object being modified
oR.setOp(ProvisioningPlan.ObjectOperation.Modify);
oR.setType("group");

// Step 4: Add each member to the group
for (String member : memberList) {
    oR.add(new ProvisioningPlan.AttributeRequest("groups", ProvisioningPlan.Operation.Add, member));
}

// Step 5: Add ObjectRequest to the Provisioning Plan
plan.add(oR);

// Step 6: Execute the Provisioning Plan ("context" is the SailPointContext provided to the rule)
try {
    Provisioner provisioner = new Provisioner(context);
    provisioner.setSource("TargetAggregation");
    provisioner.execute(plan);
    System.out.println("Members added to the group successfully.");
} catch (GeneralException e) {
    System.err.println("Error executing provisioning plan: " + e.getMessage());
}

This is the separate plan that I have created to add members into the group, but it's not working. Can anyone suggest what's wrong in this?

Hi @DharshiniB,

In step 4, can you try to put the list directly?
Now you are adding the same attribute with different values; try provisioning a list of values for that attribute, like this:

oR.add(new ProvisioningPlan.AttributeRequest("groups", ProvisioningPlan.Operation.Add, memberList));

without the for loop.

Hi @enistri_devo Thanks for the reply. I tried, but I couldn't see the members added to the group.

Do you have any errors? Can you try to activate logs for the Azure connector?

@enistri_devo I was trying to use this plan to add members into an O365 group in my local environment. I hope the process will be the same for adding members into a distribution list, except for some attribute name changes. The ultimate requirement is to create a DL; since we don't have a non-prod environment to try it out, we have to try it directly in the production environment. So before trying this directly in prod, I'm trying it in my local environment using my personal free-trial tenant.

@enistri_devo In prod we have done testing for creating a DL with the plan @pravin_ranjan suggested. Now I tried to add owners and members into the group; I am able to add an owner, but adding members is not working.

@DharshiniB For members you need to use the groups attribute. Can you post the code and plan XML here?

It should be like the code below:

aR.add(new ProvisioningPlan.AttributeRequest("groups", ProvisioningPlan.Operation.Add, ma.getValue()));

I sent code in chat.

Hi @pravin_ranjan ,
This is the plan that I'm using to create the DL and add the owner in the same rule.

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningProject;
import sailpoint.object.ProvisioningPlan.ObjectRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.api.Provisioner;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

// Step 1: Create the Distribution List (DL)
ProvisioningPlan plan = new ProvisioningPlan();
plan.setTargetIntegration("Azure AppName");

ProvisioningPlan.ObjectRequest oR = new ProvisioningPlan.ObjectRequest();
oR.setApplication("Azure AppName");
//oR.setNativeIdentity("GroupName");
oR.setOp(ProvisioningPlan.ObjectOperation.Create);
oR.setType("group");

oR.add(new ProvisioningPlan.AttributeRequest("displayName", ProvisioningPlan.Operation.Set, "")); // value redacted
oR.add(new ProvisioningPlan.AttributeRequest("mailNickname", ProvisioningPlan.Operation.Set, "")); // value redacted
oR.add(new ProvisioningPlan.AttributeRequest("description", ProvisioningPlan.Operation.Set, "***"));
oR.add(new ProvisioningPlan.AttributeRequest("groupTypes", ProvisioningPlan.Operation.Set, "DistributionList")); // Update to valid type

List ownerList = new ArrayList();
ownerList.add("UPN of Owner");
oR.add(new ProvisioningPlan.AttributeRequest("owners", ProvisioningPlan.Operation.Add, ownerList));

plan.add(oR);

Provisioner pro = new Provisioner(context);
pro.setSource("TargetAggregation");
pro.setNoCreateTemplates(false);

HashMap args = new HashMap();
args.put("optimisticProvisioning", Boolean.TRUE);

try {
    pro.execute(plan);
    log.info("Provisioning plan executed successfully.");
} catch (GeneralException e) {
    log.error("Error executing provisioning plan: " + e.getMessage(), e);
}

This is the separate plan I'm using to add members in a different rule. As you said, I changed it to the groups attribute and ma.getValue(), but I didn't use the variable "ma" anywhere; what should I update instead of "ma"?

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningProject;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.api.Provisioner;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;

ProvisioningPlan plan = new ProvisioningPlan();
plan.setTargetIntegration("Azure AppName");

// Step 2: Create a Separate AccountRequest Plan to Add Members
ProvisioningPlan memberPlan = new ProvisioningPlan();
memberPlan.setTargetIntegration("Azure AppName");

List members = Arrays.asList("ObjID", "ObjID");
for (String member : members) {
    ProvisioningPlan.AccountRequest aR = new ProvisioningPlan.AccountRequest();
    aR.setApplication("Azure AppName");
    aR.setOp(ProvisioningPlan.ObjectOperation.Modify);

    // "ma" is not defined anywhere in this rule (see the question above)
    aR.add(new ProvisioningPlan.AttributeRequest("groups", ProvisioningPlan.Operation.Add, ma.getValue()));
    memberPlan.add(aR);
}
Provisioner pro = new Provisioner(context);
pro.setSource("TargetAggregation");
pro.setNoCreateTemplates(false);
HashMap args = new HashMap();
args.put("optimisticProvisioning", Boolean.TRUE);

try {
    pro.execute(memberPlan);
    log.info("Members added to the DL successfully.");
} catch (GeneralException e) {
    log.error("Error adding members to the DL: " + e.getMessage(), e);
}

I have seen the groups attribute present in the account schema. Do I need to add groups to the group object type schema for this in the Azure connector configuration? If anything is wrong, kindly suggest. Thank you.

@DharshiniB Try first with hardcoded values.

List members = Arrays.asList("ObjID1", "ObjID2"); // Put here objectId from managedAttribute
for (String member : members) {
    ProvisioningPlan.AccountRequest aR = new ProvisioningPlan.AccountRequest();
    aR.setApplication("Azure AppName");
    aR.setOp(ProvisioningPlan.ObjectOperation.Modify);

    aR.add(new ProvisioningPlan.AttributeRequest("groups", ProvisioningPlan.Operation.Add, member));
    memberPlan.add(aR);
}

Let me know if that works.
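As an added example (not code posted by anyone in this thread), here is how the separate AccountRequest plan that @pravin_ranjan describes can be written so that each request targets the member's own Azure account and carries the DL's objectId as the "groups" value, and so that the connector's result is checked rather than assumed. It assumes an IIQ rule context (context and log are provided by IIQ); the application name, DL objectId and identity names are placeholders, and the setSource value is the one used earlier in the thread.

```java
// Added example, not code posted by anyone in this thread.
// Assumptions: runs as an IIQ rule (so "context" and "log" are provided by IIQ);
// the application name, DL objectId and identity names below are placeholders.
import sailpoint.api.Provisioner;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;
import sailpoint.object.ProvisioningResult;
import sailpoint.tools.GeneralException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

String appName = "Azure AppName";            // placeholder: your Azure AD application name
String dlObjectId = "<objectId of the DL>";  // placeholder: objectId of the group created earlier
List memberIdentityNames = Arrays.asList("<identity name 1>", "<identity name 2>"); // placeholders

// One plan per member: the AccountRequest targets the MEMBER's Azure account
// (its native identity), and the DL's objectId is the value added to "groups".
ProvisioningPlan buildMemberPlan(Identity identity, Link link, String groupObjectId) {
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);                        // the plan is owned by the member's identity
    AccountRequest aR = new AccountRequest();
    aR.setApplication(link.getApplicationName());
    aR.setOperation(AccountRequest.Operation.Modify);  // modify an existing account
    aR.setNativeIdentity(link.getNativeIdentity());    // the member's account, not the group
    aR.add(new AttributeRequest("groups", ProvisioningPlan.Operation.Add, groupObjectId));
    plan.add(aR);
    return plan;
}

// Returns true only if no plan in the compiled project reported a failure.
boolean projectSucceeded(ProvisioningProject project) {
    if (project == null || project.getPlans() == null) return false;
    boolean ok = true;
    for (ProvisioningPlan p : project.getPlans()) {
        ProvisioningResult r = p.getResult();
        if (r != null && r.isFailed()) {
            log.error("Plan for " + p.getTargetIntegration() + " failed: " + r.getErrors());
            ok = false;
        }
    }
    return ok;
}

Application app = context.getObjectByName(Application.class, appName);
if (app == null) {
    throw new GeneralException("Application not found: " + appName);
}

List notAdded = new ArrayList();
for (String name : memberIdentityNames) {
    Identity identity = context.getObjectByName(Identity.class, name);
    Link link = (identity == null) ? null : identity.getLink(app);
    if (link == null) {
        log.warn("No " + appName + " account for identity " + name + "; skipping");
        notAdded.add(name);
        continue;
    }
    ProvisioningPlan plan = buildMemberPlan(identity, link, dlObjectId);
    // Print the plan before it reaches the connector, as suggested earlier in the thread
    log.debug("Member plan for " + name + ":\n" + plan.toXml());

    Provisioner provisioner = new Provisioner(context);
    provisioner.setSource("TargetAggregation");
    provisioner.execute(plan);

    // Check what the connector actually returned instead of assuming success
    if (!projectSucceeded(provisioner.getProject())) {
        notAdded.add(name);
    }
}
log.info("Members not added to DL " + dlObjectId + ": " + notAdded);
```

One plan is built per member because a plan carries a single identity. The plan XML written at debug level lets you compare what the Provisioner hands to the connector with what the Azure connector trace log shows, and the per-plan result check surfaces a connector-side failure (such as a missing directory role on the application) that a bare execute() call would otherwise hide behind a "success" log line.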

Hi,

Error occurred at IQService executing update for group Exception occurred while executing the RPCRequest: Errors returned from IQService. The role assigned to application “client id” isn’t supported in this scenario. Please check online documentation for assigning correct Directory Roles to Azure AD Application for EXO App-Only Authentication.

I'm getting this error when trying to add owners. We assigned the Group Administrator permission in the Azure application. Do we need any other permission besides this?

Hi Everyone,

I tried creating a distribution list and adding an owner to it. I am able to see the owners added in SailPoint in the entitlement catalog, but it didn't get reflected in Azure. Members are also not being added. We enabled Azure trace logs and found some traces like this:

TRACE http-nio-8080-exec-4 sailpoint.connector.AzureADConnector:97 - Entering lambda$provision$155: Arguments => GroupName
TRACE http-nio-8080-exec-4 sailpoint.connector.AzureADConnector:108 - Exiting lambda$provision$155: Arguments => GroupName, Returns => Handling provisioning request for id:GroupName
TRACE http-nio-8080-exec-4 sailpoint.connector.AzureADConnector:97 - Entering setOperation: Arguments => create
TRACE http-nio-8080-exec-4 sailpoint.connector.AzureADConnector:108 - Exiting setOperation: Arguments => create, Returns => N/A

Hi Everyone,

I'm trying this code in my local environment to add members into the group that was created, but it's not working. This is the first time I'm trying this and I'm stuck at this point; there might be an issue in the code or in the way we approach adding members. If anyone knows the right approach, please help me out. This is an urgent requirement from the project, so kindly help me with this. Thank you.

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.api.Provisioner;
import sailpoint.tools.GeneralException;
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;

log.error("Start of Add Members Rule*****");
// Step 1: Create a new Provisioning Plan
ProvisioningPlan plan = new ProvisioningPlan();
plan.setTargetIntegration("Azure AD");
log.error("*************");

// Step 2: Define the group name and list of members to be added
String groupName = "Distribution Team";
List memberList = new ArrayList();
memberList.add("UPN of the user");
log.error("*************");

// Step 3: Create an AccountRequest for the group
ProvisioningPlan.AccountRequest aR = new ProvisioningPlan.AccountRequest();
aR.setApplication("Azure AD");
aR.setOp(ProvisioningPlan.ObjectOperation.Modify);
aR.setNativeIdentity(groupName);
aR.setType("group");

// Step 4: Add each member to the group
aR.add(new ProvisioningPlan.AttributeRequest("members", ProvisioningPlan.Operation.Add, memberList));
log.error("Printing list of members: " + memberList);

// Step 5: Add AccountRequest to the Provisioning Plan
plan.add(aR);

// Step 6: Execute the Provisioning Plan ("context" is the SailPointContext provided to the rule)
try {
    Provisioner provisioner = new Provisioner(context);
    provisioner.setSource("TargetAggregation");
    provisioner.execute(plan);
    log.error("Members added to the group successfully.");
} catch (GeneralException e) {
    log.error("Error executing provisioning plan: " + e.getMessage());
}
log.error("End of Add Members Rule*****");