Add cloud-only group upon cloud user creation

Hello,

Context: Active Roles Server 8.2.1, Azure

I am trying to do 'Group Membership AutoProvisioning' on cloud-only users for cloud-only groups. My goal is that when I create a cloud-only account via Active Roles, the new account is automatically added to a list of cloud-only groups.

I tried to do this via a policy, but I get this error message: "Search failed. Path = 'CN=a4gkslod56bdhjdsj...., CN=Security Groups, CN=toto.onmicrosoft.com,CN=Azure,CN=configuration' was not found", but the group exists in my tenant.

I have tried to do it with a script execution in the policy, like so:

    # Active Roles policy script: add the user being created to one cloud-only
    # group through the Microsoft Graph proxy provided by $Context.
    function Assign-Group($Request) {
        $Context.O365ImportModules(@(
            "Microsoft.Graph.Users",
            "Microsoft.Graph.Groups",
            "Microsoft.Graph.Authentication"
        ))
        try {
            $idgroup1 = "a4d9f62d-fbad-42c7-b6b8-f7fac2880ed5"   # object ID of the target cloud-only group
            $userid   = $Request.Get("edsaAzureUserId")           # Azure object ID read from the request
            $cmd      = "New-MgGroupMember -GroupId '$idgroup1' -DirectoryObjectId '$userid'"
            $Context.O365ExecuteScriptCmd($cmd)
        }
        finally {
            # Release the Graph session whether or not the command succeeded
            $Context.O365RemoveAllModulesSessions()
        }
    }

in an onPostCreate function, but it doesn't work.

I have tried to do it in a workflow.

If anyone has encountered this problem before or has any ideas, I'm all ears.

  • Long time since this question was posed, but I ran into a very similar issue to what you are describing.

    The issue in my case was that ARS appears to use a "temporary" ID as part of the $Request object while it is being created in Entra, so you cannot just read it directly as part of the workflow.

    Only after creation in Entra does the 'final' Object ID get assigned correctly.

    Funny enough though, in the same onPostCreate event handler, I was able to run a query like below to read the correct ID:

    $CreatedGroupID = (Get-QADObject -SearchRoot "CN=Azure,CN=Configuration" -DontUseDefaultIncludedProperties -Type edsAzureSecurityGroup -DisplayName $displayName).Name

    ... which I could then use to pass that ObjectID (in my case it was a group ID, not a user ID, being added to another group) to the New-MgGroupMember command.

    Note that 'Name' is what returned the final ObjectID post-creation. I searched using DisplayName, but it should work for a similar supported field.

    That method may be ugly but worked fine (and consistently), though you get a null return for success and an error on failure (so trap accordingly).

    Hope that helps.
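
The approach in the reply above, carried through for the original question's case (a newly created cloud-only user joining a list of cloud-only groups), as an added example. This is not code from the original post, from the reply, or from One Identity. It uses only the calls that appear in the thread ($Context.O365ImportModules, $Context.O365ExecuteScriptCmd, $Context.O365RemoveAllModulesSessions, Get-QADObject under CN=Azure,CN=Configuration) plus the following assumptions, which are not confirmed by the thread: the cloud-only user object class is named edsAzureUser, $Context.LogMessage() is available for policy logging, and the group display names are placeholders.

```powershell
# Added example, not code from the original post or from One Identity.
# Active Roles policy-script handler: after a cloud-only user has been created,
# read its final Entra object ID back from the Azure container (the lookup the
# reply above describes) and add the user to a fixed list of cloud-only groups.
#
# Assumptions (not confirmed by the thread): the cloud-only user class is
# 'edsAzureUser'; $Context.LogMessage() is available for policy logging; the
# group display names below are placeholders.

$Script:TargetGroupNames = @("CloudOnly-AllStaff", "CloudOnly-MFA-Required")  # assumed names

function Get-ArsAzureObjectId {
    # Returns the post-creation Entra object ID held in 'Name' of the Active Roles
    # Azure object, or $null if nothing matched. Throws if the display name is
    # ambiguous rather than silently picking one of several matches.
    param(
        [Parameter(Mandatory)] [string] $Type,         # e.g. edsAzureSecurityGroup
        [Parameter(Mandatory)] [string] $DisplayName
    )
    $hits = @(Get-QADObject -SearchRoot "CN=Azure,CN=Configuration" `
                            -DontUseDefaultIncludedProperties `
                            -Type $Type -DisplayName $DisplayName)
    if ($hits.Count -eq 0) { return $null }
    if ($hits.Count -gt 1) {
        throw "DisplayName '$DisplayName' matched $($hits.Count) $Type objects; refusing to guess."
    }
    return [string]$hits[0].Name
}

function Add-UserToCloudGroups {
    # Adds one user to each group via Microsoft Graph through the Active Roles
    # O365 proxy. New-MgGroupMember returns nothing on success and throws on
    # failure, so each failure is caught per group and reported in the result.
    param(
        [Parameter(Mandatory)] [string]   $UserId,
        [Parameter(Mandatory)] [string[]] $GroupIds
    )
    $result = @{}
    $Context.O365ImportModules(@("Microsoft.Graph.Authentication", "Microsoft.Graph.Groups"))
    try {
        foreach ($gid in $GroupIds) {
            $cmd = "New-MgGroupMember -GroupId '$gid' -DirectoryObjectId '$UserId'"
            try {
                $Context.O365ExecuteScriptCmd($cmd)
                $result[$gid] = "added"
            } catch {
                $result[$gid] = "failed: $($_.Exception.Message)"
            }
        }
    } finally {
        $Context.O365RemoveAllModulesSessions()   # always tear the Graph session down
    }
    return $result
}

function onPostCreate($Request) {
    if ($Request.Class -ne "edsAzureUser") { return }   # assumed class name of cloud-only users

    # The ID carried on $Request during creation is temporary; re-read it from
    # the directory now that creation has completed.
    $userId = Get-ArsAzureObjectId -Type "edsAzureUser" -DisplayName $Request.Get("displayName")
    if (-not $userId) {
        $Context.LogMessage("Created user not found under CN=Azure,CN=Configuration; no groups assigned.", "Error")
        return
    }

    $groupIds = @()
    foreach ($name in $Script:TargetGroupNames) {
        $gid = Get-ArsAzureObjectId -Type "edsAzureSecurityGroup" -DisplayName $name
        if ($gid) { $groupIds += $gid }
        else      { $Context.LogMessage("Group '$name' not found; skipped.", "Warning") }
    }
    if ($groupIds.Count -eq 0) { return }

    $outcome = Add-UserToCloudGroups -UserId $userId -GroupIds $groupIds
    foreach ($entry in $outcome.GetEnumerator()) {
        $Context.LogMessage("Group $($entry.Key): $($entry.Value)", "Information")
    }
}
```

Looking the user up by displayName mirrors the reply; displayName is not guaranteed unique in a tenant, which is why the lookup refuses to proceed on more than one match instead of adding the wrong account to a group. A field that is unique for your users (the reply notes that other supported fields work) is the safer search key if one is available on the request.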

  • This is interesting but not surprising, as this is exactly how AR creates objects in AD. It starts off with a "GUID'y" temporary CN, and then the actual values get written post-policy processing.