Manage Exchange Online Attributes from IdentityIQ

IIQ version: IdentityIQ 8.3p3


Hi Everyone,
Currently, I am working on managing Exchange Online attributes from SailPoint IdentityIQ and I need your help to check if a few attributes can be aggregated / updated / managed from external sources via the Microsoft Graph API / Azure AD connector.
We have the Azure AD connector set up, and in order to manage Exchange Online we are using certificate-based authentication. We are able to preview the EXO_<Attributes> when updated in the account schema.

Use Case: Set the Retention Policy and disable Mobile (Exchange ActiveSync) for newly created users in Exchange Online from SailPoint IdentityIQ.
SailPoint IdentityIQ now connects to Exchange Online using the certificate-based (app-only) authentication mechanism. The IdentityIQ connector will be able to manage the Exchange Online attributes if we update the appropriate attribute name with the format EXO_<AttributeName> under the SailPoint application account schema as shown below. I could figure out the attribute for RetentionPolicy, and when it is added under the account schema we can see the values for the user accounts.
The issue here is that we are unable to figure out the appropriate attribute name for Mobile (Exchange ActiveSync).
The below PowerShell command is executed to disable ActiveSync for a user.

Set-CasMailbox -Identity <MailboxIdentity> -ActiveSyncEnabled <$true | $false>

But when I add EXO_ under the schema, it says invalid property in the IQService logs (which means an incorrect attribute). I have tried many attribute names, but nothing works. Here are a few of the combinations:

EXO_ActiveSyncEnabled, EXO_IsActiveSyncEnabled, EXO_SyncEnabled, EXO_MobileActiveSync, EXO_ExchangeActiveSyncEnabled, EXO_EASEnabled

Can you please let us know if Mobile ActiveSync can be set via external sources, and if yes, what the appropriate attribute name is?

Regards,
Abhilash


I believe the PowerShell command you’re using is correct for enabling or disabling ActiveSync. While provisioning shared mailbox attributes often requires the EXO prefix, I don’t think that’s applicable in this case for managing these specific attributes.

Hi Sunny, thanks for the reply. We have opened a SailPoint case and they confirmed that the Azure Active Directory connector currently does not support managing the attribute Mobile ActiveSync. I need to use IQService to execute the PowerShell scripts. But when I execute the script I see the below error. Can you please help me on this?
10/22/2024 10:55:40 : RpcHandler [ Thread-46 ] ERROR : “Malformed request received from client - Q01RAP004.amerus.corp.tld:55010. Received header length as - Error in parsing - Input string was not in a correct format.”

Hi @VABHI1994

The error message you’re encountering suggests an issue with the format of the request being sent to the IQService. Please check the below:

  1. Ensure that the input string being passed to the PowerShell script adheres to the expected format. Review how parameters are constructed in your RpcRequest.
  2. You can test the script independently in a PowerShell console.
  3. Ensure that the IQService is properly configured to handle RPC requests. Check the logs for any additional error messages that might provide more context.

How are you invoking the IQService? Are you using this method?

Hi All,
Even if I execute a sample PowerShell script, I see the error.
Please see the code and PowerShell script I executed.

RPCService service = new RPCService("host", port, true);
AccountRequest accRequest = new AccountRequest();

AttributeRequest attrRequest = new AttributeRequest("identity", "[email protected]");
accRequest.add(attrRequest);

Map data = new HashMap();
data.put("Request", accRequest);
data.put("postScript", "Custom Rule: setRetentionPolicy");    // rule name passed as a string
data.put("Application", "Azure Active Directory Production"); // application name passed as a string
RpcRequest rpcRequest = new RpcRequest("ScriptExecutor", "runAfterScript", data);

RpcResponse rpcResponse = service.execute(rpcRequest);
String result = "success";

Below is the sample PowerShell code:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell"  name="Custom Rule: setRetentionPolicy" type="ConnectorAfterCreate">
  <Attributes>
    <Map>
      <entry key="ObjectOrientedScript" value="true"/>
      <entry key="disabled" value="false"/>
      <entry key="extension" value=".ps1"/>
      <entry key="program" value="powershell.exe"/>
      <entry key="timeout" value="120"/>
    </Map>
  </Attributes>
  <Description>  
  This example is for IQService Script.    
  </Description>
  <Signature returnType="Map">
    <Inputs>
      <Argument name="email">
        <Description>
            Email address to call powershell script 
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="response">
        <Description>
            Response of the Powershell script.
          </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
# Load the helper assembly shipped with IQService
Add-Type -Path D:\IQService\Utils.dll

# Write a marker file to confirm the script actually ran
"Hello World" | Out-File C:\Users\E46005p\result.txt

  </Source>
</Rule>

Kindly suggest if I am missing anything.

You need to put the rule itself (the actual Rule object) in as your “postScript”.

Also, the “Application” field needs to be the Attributes from your application object.

The RPCService doesn’t know how to translate strings.

I just updated the code and executed the rule, but I still see the same error. Below is the code for reference:

Rule powershellRule = context.getObject(Rule.class, "Custom Rule: setRetentionPolicy");

RPCService service = new RPCService(host, port, true);
AccountRequest accRequest = new AccountRequest();
Application azureApp = context.getObjectByName(Application.class, "Azure Active Directory Production");

AttributeRequest attrRequest = new AttributeRequest("identity", "nameOfUser");
accRequest.add(attrRequest);

Map data = new HashMap();
data.put("Request", accRequest);
data.put("postScript", powershellRule);   // the Rule object
data.put("Application", azureApp);        // the whole Application object
RpcRequest rpcRequest = new RpcRequest("ScriptExecutor", "runAfterScript", data);

RpcResponse rpcResponse = service.execute(rpcRequest);

Not the whole application - azureApp.getAttributes() is what goes in the map.
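The invocation with both corrections applied (the Rule object as "postScript", the application's Attributes as "Application") and with the RpcResponse checked for errors rather than assumed successful. This is an added example, not code from the thread or from SailPoint; the host, port, application name and native identity are placeholders, and the getErrors()/getResultAttributes() accessors are assumed from the IdentityIQ RpcResponse API.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.Application;
import sailpoint.object.Attributes;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Rule;
import sailpoint.tools.GeneralException;
import sailpoint.tools.RPCService;
import sailpoint.tools.RpcRequest;
import sailpoint.tools.RpcResponse;

// Assumption: this runs inside an IdentityIQ BeanShell rule, where 'context'
// (SailPointContext) and 'log' are available. Rule name, application name,
// host, port and native identity below are placeholders.
Rule postScript = context.getObjectByName(Rule.class, "Custom Rule: setRetentionPolicy");
Application app = context.getObjectByName(Application.class, "AD");
if (postScript == null || app == null) {
    throw new GeneralException("post-script Rule or Application not found by name");
}

// Build the account request the script receives as its Request XML.
AccountRequest accRequest = new AccountRequest();
accRequest.setApplication(app.getName());
accRequest.setNativeIdentity("nameOfUser");
accRequest.add(new AttributeRequest("identity", "nameOfUser"));

// The map must carry objects, not their names: RPCService does not resolve strings.
Map data = new HashMap();
data.put("Request", accRequest);
data.put("postScript", postScript);            // the Rule object itself, not its name
data.put("Application", app.getAttributes());  // the application's Attributes, not the Application

RPCService service = new RPCService("iqservice-host.example", 5050, true);
try {
    RpcResponse response = service.execute(new RpcRequest("ScriptExecutor", "runAfterScript", data));

    // complete="true" only means the request was processed; check errors explicitly.
    List errors = response.getErrors();
    if (errors != null && !errors.isEmpty()) {
        throw new GeneralException("IQService reported errors: " + errors);
    }
    Attributes results = response.getResultAttributes();
    Object processedOn = (results != null) ? results.get("requestProcessedOn") : null;
    log.info("IQService processed request on " + processedOn);
} finally {
    service.close();
}
```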


Thanks. I am able to successfully run the RPC request now. I ran into a different issue now: I see that the script file is getting generated in the IQService folder, but the script is not actually getting executed. When I execute the script manually from PowerShell, it works fine and appends the file. But it is not getting executed from SailPoint.
Please provide your inputs on this.

Does the user that the IQService runs as have access to that file?

I have installed IQService without any user, and the file that needs to be appended is also in the IQService folder.
I have validated a few things, such as:

  • Checked if RSAT is installed on the Windows server
  • Checked if there is a permission issue for the folder

Everything looks good. The PowerShell script is executed from the SailPoint rule and a local copy has been created under the IQService folder, but the script is not getting executed on the server. I receive the response that the script has been executed, but it is not.

Response received from IQService:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE RpcResponse PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<RpcResponse complete="true" requestId="5848e471-9ba5-4a0e-8044-894e3c096af2" version="1.0">
  <ResultAttributes>
    <Map>
      <entry key="requestProcessedOn" value="10/25/2024 10:37:45 AM"/>
    </Map>
  </ResultAttributes>
</RpcResponse>

The PowerShell I am trying to execute is a small script that appends a string to a file, to check if we can execute scripts. The local file is created, but the file is not created / appended (it works as expected when I execute it with Windows PowerShell).

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1729864900696" id="0a79525d928c17d18192c3fba05845d4" language="beanshell" modified="1729870461167" name="MyPowerShellRule" type="ConnectorAfterCreate">
  <Attributes>
    <Map>
      <entry key="ObjectOrientedScript" value="true"/>
      <entry key="disabled" value="false"/>
      <entry key="extension" value=".ps1"/>
      <entry key="program" value="powershell.exe"/>
      <entry key="timeout" value="120"/>
    </Map>
  </Attributes>
  <Description>  
  This example is for IQService Script.    
  </Description>
  <Signature returnType="Map">
    <Inputs>
      <Argument name="email">
        <Description>
            Email address to call powershell script 
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="response">
        <Description>
            Response of the Powershell script.
          </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
# Load the helper assembly shipped with IQService
Add-Type -Path D:\IQService\Utils.dll

# Write a marker file to confirm the script actually ran
"write something" | Out-File D:\IQService\result.txt

  </Source>
</Rule>

Let me know if I have to check anything.
FYI, the IQService which I am using is installed for Azure Active Directory.
We do have a different IQService for the AD connector; when I use the AD IQService, the script executes successfully and the file is created / appended.

I observed a few things. Mentioning these details so that other people can get some information.
We have two IQServices:

  • 1st IQService - used for the AD configuration, where the GUI is not enabled and it is a Windows Server Core server
  • 2nd IQService - installed on a different Windows server, and used for Azure Active Directory, where certificate-based authentication is enabled to manage Exchange Online attributes

1st Scenario
As part of the RPC request, if I pass the “Azure Active Directory” application (attributes) and use the 2nd IQService (that we installed recently to manage Exchange Online attributes from the Azure connector), the local script file is generated in the IQService folder but the script is not actually executed.

2nd Scenario
As part of the RPC request, if I pass the “AD” application (attributes) and use the 2nd IQService (that we installed recently to manage Exchange Online attributes from the Azure connector), the local script file is generated in the IQService folder and the script is executed successfully.

I am able to complete the use case, but I am still trying to find out why the PowerShell script is not executed when we pass the Azure application attributes to the RPC request.
I will provide an update if I get any information on this.
Conclusion: The PowerShell scripts are getting executed via IQService only if we pass the “AD” application attributes to the RPC request.

Thanks everyone for providing your inputs.

Hi,
How can I change the mailbox type via connector provisioning?
Is it possible via the Azure connector as it is with Active Directory?
Exch_Type?
Thanks

If this attribute can be managed via the connector, then we can directly add EXO_ in the schema. If not, the other approach would be to execute the PowerShell scripts.
