Managing Exchange "On Premise" and Exchange Online


We are facing a new challenge with an integration in IIQ and we are looking for some help/guidance/recipe for this.

We have the requirement to manage Exchange “on premise” and Exchange Online through IdentityIQ.
We are a bit lost on how to start that kind of integration…

We know that we can manage mailboxes, mailNicknames, aliases (proxyAddresses) and so on through the AD Direct Connector,
but the connector documentation does not clearly indicate which Exchange operations are possible, so it is hard to know if we can cover all the requirements. Can we manage archiving? RemoteMailbox? Can we disable EmailAddressPolicyEnabled?

As for Exchange Online, I can see that the O365 connector was deprecated and that we should use the Azure AD connector.
The issue is that we are in Read-Only with Azure (everything related to Azure in our company is managed through the AD on prem and replicated to Azure).

Do we know if there is a way to manage Exchange Online without going into full provisioning with the Azure connector?

Any information that could help us would be greatly appreciated.

In general, you’re going to have to write PowerShell for this.

What I usually do is:

  • Use the AD connector for the basic provisioning, including on-prem mailboxes.
  • In the AD connector’s “After Provisioning” rule, fire off a workflow delayed by 1-2 minutes (to allow AD to replicate). My workflow is usually called “AD After Provisioning”. You would use the “Workflow Request” request type for this delayed invocation.
  • In the workflow, check to see whether a remote mailbox is required and invoke a PowerShell rule (and/or script) to do so. (That article is slightly outdated, with some code updates in the linked Compass post. I need to update both of them.)

You can do other things in the workflow, too, like email notifications, etc.

If you need to wait for AD to Azure sync before you create Azure-related artifacts, you can also include an arbitrary delay between two workflow steps.

One big advantage of using a workflow is that the actions can be “replayed”. If something fails, you can have a loop in the workflow that tries again after five minutes. You can also manually launch the same workflow via QuickLink as an administrator or IT helpdesk person.
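The kind of script the delayed workflow step would hand to a PowerShell rule, as an added example that is not from this thread or from SailPoint. It assumes an on-premises Exchange Management Shell session on the host where the rule runs; the parameter names and the remote routing domain are assumptions, and the script is written to be idempotent so that the workflow can replay it safely.

```powershell
# Added example, not from the original thread. Assumes the Exchange
# Management Shell (on-prem) is loaded and the account running it holds
# only the Recipient Management role; all names below are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$RemoteRoutingDomain = 'contoso.mail.onmicrosoft.com',  # assumed tenant domain
    [switch]$EnableArchive,
    [switch]$DisableEmailAddressPolicy
)

$ErrorActionPreference = 'Stop'

function Ensure-RemoteMailbox {
    param([string]$Identity, [string]$RoutingDomain, [bool]$Archive, [bool]$NoPolicy)

    $created = $false
    $remote = Get-RemoteMailbox -Identity $Identity -ErrorAction SilentlyContinue
    if (-not $remote) {
        # Never convert an account that already owns an on-prem mailbox;
        # surface it to the workflow instead of silently changing routing.
        if (Get-Mailbox -Identity $Identity -ErrorAction SilentlyContinue) {
            throw "$Identity already has an on-premises mailbox; refusing to create a remote mailbox"
        }
        $routing = "$Identity@$RoutingDomain"
        $remote  = Enable-RemoteMailbox -Identity $Identity -RemoteRoutingAddress $routing
        $created = $true
    }

    # Archive is only enabled if it is not already present (ArchiveGuid is
    # empty on a remote mailbox without an archive).
    if ($Archive -and $remote.ArchiveGuid -eq [Guid]::Empty) {
        Enable-RemoteMailbox -Identity $Identity -Archive | Out-Null
    }

    # Opting out of the address policy keeps addresses set by IIQ from being
    # rewritten by Exchange on the next policy update.
    if ($NoPolicy -and $remote.EmailAddressPolicyEnabled) {
        Set-RemoteMailbox -Identity $Identity -EmailAddressPolicyEnabled $false
    }

    # Structured result for the workflow to log or branch on.
    [PSCustomObject]@{
        Identity = $Identity
        Created  = $created
        Routing  = (Get-RemoteMailbox -Identity $Identity).RemoteRoutingAddress
    }
}

Ensure-RemoteMailbox -Identity $SamAccountName -RoutingDomain $RemoteRoutingDomain `
    -Archive $EnableArchive.IsPresent -NoPolicy $DisableEmailAddressPolicy.IsPresent
```

Because the lookup runs before any change, a retry loop in the workflow can call this script again after a failure without creating duplicates.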


Agree with @drosenbauer,

I also did it the same way, using PowerShell scripts as a nativeRule in the Active Directory application.

Agree with @drosenbauer.

I haven’t used the Workflow approach yet; that’s a very good approach.

I have done a simple implementation using AD Groups; you can refer to this topic and find my response there.
On Premise Exchange Setup - IdentityNow (IDN) / Discussion and Questions - SailPoint Developer Community Forum
