We are using Entra SaaS connector and provisioning works fine.
We have a requirement to assign exchange online mailbox to users when they get provisioned to Entra.
We also need to do the following when a user gets terminated:
Archive/back up the identity's mailbox
Assign the mailbox to the identity’s manager
Wipeout mobile devices
I understand that these can be achieved through the PowerShell module, but since there is no IQService configured for Entra SaaS, I am not really sure where and how we install the PowerShell module and execute the scripts from.
Microsoft Graph APIs do not support the above functionalities (AFAIK, and from whatever I could find on Microsoft's website). So we cannot even perform these through APIs.
Has anyone implemented this before, or can anyone provide direction/guidance on how to configure this?
In order to use the PowerShell modules for Exchange Online (for archiving the mailbox and assigning the mailbox to the manager), you will need to use the standard connector, which can use afterModify scripts from the IQService host.
The functionality to remove mobile devices should be available in the Graph API.
If you have AD accounts associated with the Entra users, you can cheat IDN by assigning some dummy AD group (either through a Role criteria or a workflow) that can trigger the afterModify script to execute the required PowerShell operations through the AD IQService.
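As an added example, not from the post above and not SailPoint or Microsoft code, this is the kind of Exchange Online PowerShell that an afterModify script on the IQService host would call for the termination steps the thread describes. It assumes the ExchangeOnlineManagement module is installed on that host and that app-only certificate authentication is configured; the AppId, tenant name and thumbprint values are placeholders, and the script takes the terminated user's UPN as its only argument.

```powershell
# Added example for the thread above; not the original poster's, SailPoint's or
# Microsoft's code. Assumes ExchangeOnlineManagement is installed on the IQService
# host and an app registration with a certificate is set up for unattended auth.
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName,
    [string]$AppId = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$Organization = 'contoso.onmicrosoft.com',         # placeholder
    [string]$CertificateThumbprint = '0000000000000000000000000000000000000000'  # placeholder
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# Certificate-based app-only sign-in: no interactive prompt on an unattended host.
Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
    -CertificateThumbprint $CertificateThumbprint -ShowBanner:$false

try {
    $mbx = Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop

    # 1. Preserve the mailbox: enable the online archive (if not already on) and put
    #    the mailbox on litigation hold so its content survives later cleanup.
    if ($mbx.ArchiveStatus -ne 'Active') {
        Enable-Mailbox -Identity $UserPrincipalName -Archive | Out-Null
    }
    Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true

    # 2. Hand the mailbox to the manager: convert it to a shared mailbox and grant
    #    the manager Full Access. The manager comes from the Exchange user object.
    $manager = (Get-User -Identity $UserPrincipalName -ErrorAction Stop).Manager
    if ($manager) {
        Set-Mailbox -Identity $UserPrincipalName -Type Shared
        Add-MailboxPermission -Identity $UserPrincipalName -User $manager `
            -AccessRights FullAccess -InheritanceType All -AutoMapping $true | Out-Null
    }
    else {
        Write-Warning "No manager recorded for $UserPrincipalName; mailbox was not delegated."
    }

    # 3. Wipe the Exchange ActiveSync partnerships. -AccountOnly removes only the
    #    corporate account data, not the whole device; drop it for a full wipe.
    Get-MobileDevice -Mailbox $UserPrincipalName | ForEach-Object {
        Clear-MobileDevice -Identity $_.Identity -AccountOnly -Confirm:$false
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Two things to check before wiring this into an afterModify script: the certificate and its private key must be readable by the account the IQService runs as, and a shared mailbox that keeps an archive or a litigation hold still needs a license, so the script should run before the user's license is removed rather than after.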
Thanks for the response, Alicia! So, you suggest using the Entra ID connector instead of the Entra SaaS connector? Does that mean there is no way to execute PS scripts using SaaS connectors?
I am still not sure on this, because the Entra SaaS connector documentation says this (but does not talk about how and where to execute these scripts from; I guess, though I'm not sure, that the connector may be using PS scripts internally to manage this).
And the IQService cannot be integrated with the Entra SaaS connector:
We too thought of doing something like that initially, but we may not have all the users provisioned to AD going forward. Only users who need access to applications accessible through AD groups will be provisioned to AD, and not all users by default will be provisioned to AD. So Entra and AD will never have same number of users, and this approach may not serve our requirement.
I looked at this same documentation and agree that it says that Exchange Online PowerShell is used. As you noted, this is required, as the functions you need are not exposed by the Graph API. SaaS connectors do not support the use of the IQService.
The SaaS connectivity platform supports customizers instead, which are written in TypeScript. While there are some libraries that may allow TypeScript to run PowerShell, many members of the community are finding that the customizers are not triggering from SailPoint-delivered connectors, only from custom connectors. If you want more information on customizers, you can find it here.
Thanks, Alicia! I will take a look at the Customizers thing and see if it works for Entra SaaS. Though we would have preferred something OOTB and configurable with the connector itself. SailPoint isn't making our lives easier by releasing half-cooked solutions.
I'll also check the VA version of the Entra connector and see if it would be feasible in our case.
We have also created a SailPoint support ticket for this. Will update here once we get what they have to say on this.