IIQ Entra ID Connector, Exchange Online Aggregation Issue

Which IIQ version are you inquiring about?

8.5 P1

Share all details about your problem, including any error messages you may have received.

Currently we are trying to integrate with Exchange Online using IQService to fetch SharedMailbox accounts.
Our End goal is to manage and provision access to SharedMailboxes. We also need to map these accounts to Active Directory accounts.
We have added ‘sharedMailbox’ in the schema of the application. But when running aggregation, the Azure Active Directory Connector is using the below command.

      Get-EXOMailbox -RecipientTypeDetails "SharedMailbox" -ResultSize unlimited | foreach { Get-EXORecipientPermission -Identity $_.Guid | foreach { '("mail" :"{0}" ,"name": "{1}" , "role": "{2}")' -f $_.Identity, $_.Trustee, [String]$_.AccessRights } | ConvertTo-Json }

The value this command is fetching does not have the correct values we need to correlate the accounts.

So we are looking for Solutions.

  1. Either a way to override the aggregation query.
  2. A way to map shared mailbox permissions as Entitlements and correlate the account to Identity based on On-prem AD account attributes.

@varanjo You can import entitlements with a value and a displayName. In that way, you can have a meaningful name in IIQ.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.

What value do you need to correctly correlate accounts that is not currently correlating correctly?

To aggregate shared mailbox attributes as an Entitlement, add sharedMailbox as an account attribute.

  • Name: sharedMailbox

  • Type: String

  • Property: Multivalued, Entitlement, Managed

Add the following in debug to the application to pull in the mailboxes with a name:

      <entry key="useDisplayNameForSharedMailbox">
        <value>
          <Boolean>true</Boolean>
        </value>
      </entry>

The issue is coming because the default aggregation command fetches wrong data. You cannot correlate SharedMailbox accounts to AD identities properly. Permissions are not being captured correctly as entitlements.

In your application schema, can you please confirm if “mailboxPermissions” is set as an entitlement?

I think the fix could be applied using a customisation rule by putting in something like “Pull correct mailbox details for correlation” and/or “Pull correct mailbox permissions as entitlements”.

Check that your correlation identifier is set as UPN and email.

Just one more thing: make sure your IQService account running the PowerShell has these Exchange Online permissions: View-Only Recipients and Mailbox Search.

Otherwise the “Get-EXOMailboxPermission” call might fail.
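As an added example (not from this thread and not the SailPoint connector's own query), the following script runs the same Exchange Online cmdlets the connector relies on, but emits the fields the correlation discussion above needs (mailbox SMTP address plus trustee UPN) and fails loudly if the IQService account lacks the permissions just mentioned. It assumes the ExchangeOnlineManagement module is installed and that the account can authenticate; the output field names are my own choice.

```powershell
# Added example: enumerate shared mailboxes and their delegated permissions,
# keyed so the result can be correlated to an AD/Entra identity by UPN.
# Assumes ExchangeOnlineManagement is installed; -ErrorAction Stop turns a
# missing View-Only Recipients grant into an error instead of an empty result.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false   # interactive or certificate-based auth

$records = foreach ($mbx in Get-EXOMailbox -RecipientTypeDetails SharedMailbox `
        -ResultSize Unlimited -Properties DisplayName, PrimarySmtpAddress, ExternalDirectoryObjectId) {

    # FullAccess / ReadPermission grants live on the mailbox object itself.
    Get-EXOMailboxPermission -Identity $mbx.ExternalDirectoryObjectId -ErrorAction Stop |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.User -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{
                mailbox     = $mbx.PrimarySmtpAddress   # candidate sharedMailbox entitlement value
                displayName = $mbx.DisplayName          # candidate entitlement displayName
                trustee     = $_.User                   # delegate UPN; correlate to the identity
                role        = ($_.AccessRights -join ',')
            }
        }

    # SendAs grants live on the recipient, so they need the second cmdlet.
    Get-EXORecipientPermission -Identity $mbx.ExternalDirectoryObjectId -ErrorAction Stop |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.Trustee -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{
                mailbox     = $mbx.PrimarySmtpAddress
                displayName = $mbx.DisplayName
                trustee     = $_.Trustee
                role        = ($_.AccessRights -join ',')
            }
        }
}

# One record per mailbox/trustee/role triple, the shape an entitlement import
# (value = mailbox, displayName = mailbox name) can be built from.
$records | ConvertTo-Json -Depth 3
Disconnect-ExchangeOnline -Confirm:$false
```

Comparing the trustee column against the UPN/email correlation keys shows directly which delegates will and will not correlate before changing the application schema.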

This is not present in the OOTB schema. Should we add it?

Could you please elaborate on what exactly needs to be done.

IQService has all the Read permissions and is able to fetch data when running Get-EXOMailboxPermission. But we are unable to use this data for correlation. We are trying to map the permissions to an actual identity. Currently Entra accounts are being correlated to users, but no shared mailbox permissions are being mapped. Also, when we check the IQService logs we see that the SharedMailbox permissions are being read but not mapped. In the IQService logs we saw that the command below was used by the connector

I have messaged you a few steps which need to be implemented; can you please go through those steps and see if it works.


Could you send me the steps you sent Vanessa? Thank you!