Add Users directly to M365 groups in workflow or policies

Hi,

We are currently setting up ARS 7.4.4 and trying to add a user to an M365 group (cloud only, not synced from on-premise) using a workflow or provisioning policy; however, we have been unable to get this to work.

Has anyone been able to achieve this without custom scripts? 

All help is appreciated.

Thanks in advance. 

  • There are known issues affecting Modern Auth in v7.4.3/v7.4.4 (e.g., see Support article 334000); is your tenant configured for Modern Auth?

  • Hi, yes, our tenant is configured for modern auth; however, we have disabled this but not had much luck. Have you been able to add a hybrid user to an M365 group (cloud only) using a workflow or provisioning policy? Additionally, are you able to create a cloud-only contact as part of a workflow or provisioning policy? We have upgraded to 7.4.5 but I'm not sure what functionality has been included from 7.4.4 for cloud objects?

  • Have you managed to add users directly to M365 groups from a workflow or policy in 7.4.5?

  • As a quick update, I was able to finally configure my workflow to successfully import the ExchangeOnlineManagement module. That is, I was able to successfully run the following script:

    function myFunction() {
      param(
        $request
      )
      
      $context.O365ImportModules("ExchangeOnlineManagement")
    }

    Obviously this code does not do anything useful (yet), but it's good news because it's the first time I was able to run this through without any error. The key was that the O365 Script execution configuration activity in the workflow had to be configured with a tenant ID, but not an application ID/secret:

    I'll be happy to continue testing now that this appears to be working.

    That said, the same script above is currently not working with the AzureAD module. That is currently producing the following error message for me:

    Will update again when I have more information to share.

    Cheers!

  • One other update. It was brought to my attention that I may have misinterpreted the original question. Specifically, I had assumed that the question was about using the workflow ability to call $context.O365ImportModules, which then allows you to execute your own PowerShell code (to add a user to a group, in this case). Instead, I realise now that the original question may have been more about adding a user to an M365 group without any code. To that, I would have to assume the answer to be no, unless you have something going on with the Sync Service.

    Putting this aside, I've heard from a couple of people that they are still interested in the results of my test, so will continue to update when I get more news.

  • I have the same when importing the AzureAD module. Any hints here?

  • I believe there's a general misunderstanding here about the $context.O365ImportModule method. To the best of my understanding, it is not used to import the actual individual PoSh modules but rather to initialize Active Roles' overall M365 PoSh support. Effectively, what it does is load / instantiate the MSOnline, ExchangeOnlineManagement and AzureAD modules simultaneously (assuming these are installed on the AR server).

    Note also that the method is singular $context.O365ImportModule - i.e. no 's' on the end.

    So, the "standard" implementation should be:

    $context.O365ImportModule("MsOnline") - "MsOnline" in this case is only a label representing connectivity to M365.  It is admittedly confusing - it probably would have been smarter to use something like "M365".

    I have experienced this myself where I was able to call Set-Mailbox after calling this method as shown above - a cmdlet that comes from the ExchangeOnlineManagement PoSh module.

    Perhaps others have seen other results?


  • Thanks for the fast feedback. If I want to import MSOnline I do get the following error as well:

    "Specified Mdoule msonlinenot supported"

    The documentation of using PowerShell scripts in an Azure/M365 context is just not detailed. It is frustrating.


    This is the code I am using, where I have a Workflow Search Activity (which is working).

    function SearchUsersAndAssignLicense2() {
        $context.O365ImportModule("MsOnline")
        $users = $workflow.FoundObject("SearchAzureUsers")
        $users >> C:\tmp\trops.txt

        foreach ($u in $users) {
            $DN = $u.get("distinguishedname")
            $azureObjId = (Get-QADObject $DN -IncludedProperties "edsvaAzureObjectId").edsvaAzureObjectId
            $azureObjId >> C:\tmp\trops.txt
        }
    }

    Greetz

  • You don't need to use the $context.O365ImportModule for this at all as you are not actually calling any Azure cmdlets.

    So you can remove that line and change your Get.. thus:

    $azureObjId = (Get-QADObject -proxy -identity $DN -IncludedProperties "edsvaAzureObjectId").edsvaAzureObjectId

    ...your AR server's existing connection to the tenant should get you the object properties

  • Yeah, that is true, but what if I want to use O365 cmdlets? Therefore I understand to use $context.O365ExecuteScriptCmd(get-azureaduser) for example.

    Is this wrong?

  • That in itself is correct if you need to pull Azure object properties that are not presented through Active Roles.  

    The thing that's important to understand is that you need to build a list of the commands that you want to execute into a CR/LF delimited list and then pass that to the ScriptCmd call.
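
One way to build the CR/LF-delimited command list described in the reply above, as an added example that is not part of the original thread or the vendor's own code. It assumes `$context.O365ExecuteScriptCmd` accepts the whole list as a single string and that `Add-UnifiedGroupLinks` / `Get-UnifiedGroupLinks` are available in that session; the function names and sample values are hypothetical. Directory values are quoted as literals so an attribute value cannot be parsed as an extra command.

```powershell
# Added example. Inside a workflow script Active Roles supplies $context; this
# stub only stands in for it so the string building can be run offline.
if (-not (Get-Variable -Name context -ErrorAction SilentlyContinue)) {
    $context = New-Object psobject
    $context | Add-Member -MemberType ScriptMethod -Name O365ExecuteScriptCmd -Value {
        param([string]$script)
        Write-Host "Would execute:`r`n$script"
    }
}

# Turn a value into a PowerShell single-quoted literal. EscapeSingleQuotedStringContent
# doubles the ASCII quote and the typographic quotes that the parser also accepts.
function ConvertTo-SingleQuotedLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # The command list is CR/LF delimited, so refuse values that contain a line break.
    if ($Value -match '[\r\n]') { throw "Line break in value; refusing to build command." }
    $escaped = [System.Management.Automation.Language.CodeGeneration]::EscapeSingleQuotedStringContent($Value)
    return "'" + $escaped + "'"
}

# Build the command list: one cmdlet call per line, joined with CR/LF.
function New-AddMemberScript {
    param(
        [Parameter(Mandatory)][string]$GroupIdentity,
        [Parameter(Mandatory)][string]$MemberUpn
    )
    $g = ConvertTo-SingleQuotedLiteral $GroupIdentity
    $m = ConvertTo-SingleQuotedLiteral $MemberUpn
    $commands = @(
        "Add-UnifiedGroupLinks -Identity $g -LinkType Members -Links $m",
        "Get-UnifiedGroupLinks -Identity $g -LinkType Members"
    )
    return ($commands -join "`r`n")
}

# Constructed sample values; the apostrophe in the group name shows the escaping.
$script = New-AddMemberScript -GroupIdentity "Finance O'Brien Team" -MemberUpn 'jdoe@example.com'
$context.O365ExecuteScriptCmd($script)
```
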

  • Okay, I try to make it more explicit. I want to set the following cmdlets in the deprovision process of Active Roles; perhaps you can help me and clear the whole situation:

    Connect-IPPSSession

    and afterwards a set-retentioncompliancepolicy

    how can I import the different cmdlets needed here?

    Thanks in advance,

    Michael
