We are using Entra SaaS connector and provisioning works fine.
We have a requirement to assign exchange online mailbox to users when they get provisioned to Entra.
We also need to do following when a user get’s terminated -
Archive/ backup identity’s mailbox
Assign the mailbox to the identity’s manager
Wipeout mobile devices
I understand that these can be achieved through powershell module, but since there is no IQ service configured for Entra SaaS, I am not really sure where and how do we install the powershell module and excute them from.
Microsoft Graph APIs do not support above functionalities (AFAIK and whatever I could get from Microsoft’s website). So we cannot even perform these through APIs.
Anyone implemented this before or can provide direction / guidance on how to configure this.
In order to use the PowerShell modules for Exchange Online (for archiving the mailbox and assigning the mailbox to the manager), you will need to use the standard connector which can use after modify scripts from the IQ Service host.
The functionality to remove mobile devices should be available in the GraphAPI.
If you have AD accounts associated with the Entra users, you can cheat IDN by assigning some dummy AD group (either through a Role criteria or a workflow) that can trigger the afterModify script to execute the required PowerShell operations through the AD IQService.
Thanks for the response, Alicia! So, you suggest using Entra ID connector instead of Entra SaaS connector? That means there is no way to execute PS scripts using SaaS connectors?
I am still not sure on this because the Entra Saas connector documents says this (but does not talk about how and where to execute these scripts from. I guess, not sure though, the connector may be using PS scripts internally to manage this).
And IQ service cannot be integrated with Entra SaaS connector-
We too thought of doing something like that initially, but we may not have all the users provisioned to AD going forward. Only users who need access to applications accessible through AD groups will be provisioned to AD, and not all users by default will be provisioned to AD. So Entra and AD will never have same number of users, and this approach may not serve our requirement.
I looked at this same documentation and agree that it says that Exchange Online PowerShell is used. As you noted, this is required by as the functions you need are not exposed by the GraphAPI. SaaS connectors do not support the use of the IQ Service.
The SaaS connectivity platform supports customizers instead which are written in TypeScript. While there are some libraries that may allow TypeScript to run PowerShell, many members of the community are finding that the customizers are not triggering from SailPoint delivered connectors only from custom connectors. If you want more information on customizers, you can find it here.
Thanks Alicia! I will take a look at Customizers thing and see if it works for Entra SaaS. Though we would have preferred something OOTB and configurable with the connector itself. SailPoint isn’t making our lives easier by releasing half cooked solutions
I’ll also check VA version of Entra connector and see if it would be feasible in our case.
We have also created a SailPoint support ticket for this. Will update here once we get what they have to say on this.
No, there was no clear and correct guidance/update from SP support and as usual were painfully slow in responding, despite increasing severity of the tickets and escalations. So, we decided to switch to VA version of Entra connector to meet the requirements and implementation timelines.
How about SaaS connector ?
I am trying with Entra ID SaaS connector, feature management Exo certificate is giving me a Timeout error. There is no IQservice is play when it is Entra SaaS to ISC SaaS
I’m in the process of migrating to the Microsoft Entra SaaS connector in prod, nearly done. The SaaS connector is much faster but can still take an hour or so on a full aggregation, previously took anywhere from 3-6 hours for a full account aggregation with optimization enabled.
Did you try provisioning of DLs (adding identity to it) using entra saas connector?
Also, curious to know how you connected to exchange online using entra saas connector? I know the entra connector by default pulls in DLs but not sure if provisioning works.
I get the following error when trying to provision a DL using azure ad connector.
[“Update operation failed for null, Error: Update operation failed. Native identity is empty or null”,“Update operation failed for null, Error: Update operation failed. Native identity is empty or null”]
Where the certificate itself will be stored, if no IQservice is being used ?
Following Microsoft Entra SaaS connector’s article:
Select Certificate Based Authentication from the drop dropdown list.
In Exchange Certificate, provide the unique alpha-numeric value of the certificate used to sign the JWT assertion. The same certificate must also be uploaded to the respective Microsoft Entra application.
Enter the Exchange Private Key Password that is used for decrypting the private key.
