Identitynow and M365 Licensing for Email

I have a question regarding the automation of Microsoft 365 (M365) licenses using SailPoint IdentityNow. Specifically, I’m encountering an issue with the order of assigning Active Directory (AD) groups for licensing.

Does anyone here have experience with using SailPoint IdentityNow to automate M365 licenses for email and Microsoft cloud services? I’m facing a challenge where I’m unsure whether the mailbox needs to be created in the cloud first before assigning the M365 AD group.

Any insights, best practices, or experiences shared would be greatly appreciated!

Thank you in advance for your assistance

I have not created mailbox just by using AD connector so far, I would like to look into that as well.

But below is the approach I have used in a bit many clients,

  1. Create an AD Group in On-Prem AD or directly in Azure AD.
  2. Make sure that this Group will be in scope with Azure AD Sync job, so that Group will sync between on-prem AD and Azure AD.
  3. Add E3/E5 or any other license your organization is using to the same Group.
  4. In SailPoint IdentityNow, provision this Group to the users based on your requirements.
  5. Use native Rules in AD source, ConnectorAfterCreate or ConnectorAfterModify
  6. Develop PowerShell script which will be triggered from native Rules, Use Enable-RemoteMailBox in PowerShell to enable user mailbox


1 Like

Thanks Krishna. This worked.

1 Like