0 votes

I noticed that I get an error when I execute the "Add user to groups in Microsoft 365" script (https://www.adaxes.com/script-repository/add-user-to-groups-in-microsoft-365-s578.htm) after a user account is created. I believe this is because Azure AD does not see the new account and it takes time for replication. Am I correct? If so, is there a way around this issue? I'd like to configure automation so that as soon as a new account is created, that new account will be added to the Microsoft 365 group. The screenshot below just shows the error that occurs when trying to add the user to the M365 group as an automated task after the new user account gets created.

We are trying to avoid having to do the following steps manually:

  1. create the user in on-prem Active Directory (Adaxes)
  2. wait for the sync with Azure AD (takes up to 30 mins)
  3. log into Azure and add the new user to the M365 group
  4. go back to Adaxes and modify the Exchange properties (Alias, SMTP, target address)

Since it takes so long to sync, I cannot automate the above steps.

[Screenshot: Actions to occur after account creation.jpg]

by (140 points)
edited by
0

Hello,

Do we understand correctly that you are using group-based licensing in Microsoft 365 and you are adding the created user to the group whose members get Microsoft 365 licenses assigned? Additionally, you specified that you need to modify the Exchange properties of the user mailbox. Please clarify whether the mailbox is created in Exchange Online or you need to have a remote mailbox.

0

We use group-based licensing by logging into Azure and adding a user to the Microsoft 365 License group. Members of that group then inherit the M365 license.

We then have to edit that user's Exchange properties using an Adaxes custom command. The command modifies properties of the email address by adding SMTP addresses (SMTP:username@domain, username@domain.onmicrosoft.com, username@domain.mail.onmicrosoft.com). It also modifies the ms-Exch-Target-Address property.

Please let me know if that clarifies things for you.

1 Answer

0 votes
by (6.2k points)

Hello,

Thank you for specifying. To achieve the desired result, you need to create the related Microsoft 365 account first. To do so, you can use the Activate or modify Microsoft 365 account action executed in the business rule triggering After creating a user. In the action configuration, do not select any licenses, just activate the account and it will create a user in Microsoft 365. However, the account creation takes some time. To be sure that the account actually exists before adding it to the Microsoft 365 group, the following approach can be used. You can mark the account by setting, for example, a custom Boolean attribute to True in the business rule triggering After creating a user. Then create a scheduled task that will check whether the user is marked and whether the account actually exists in Microsoft 365. If the conditions are met, the task will run the script that adds the user to the required group and clear the custom Boolean attribute. To check if the user is marked, use the If <property> <relation> <value> condition. To check if the account exists in Microsoft 365, run the script below in the If PowerShell script returns True condition.

To connect to Microsoft 365, the script uses the credentials specified in the Run As section of the condition settings.

[Screenshot: Run As section of the condition settings]

For the script to work, you need to install the Microsoft Azure Active Directory Module on each computer where the Adaxes service is running.

$Context.ConditionIsMet = $False

# Get Microsoft 365 Object ID
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    return
}

# Connect to Microsoft 365
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential

try
{
    # Get user in Microsoft 365
    Get-MsolUser -ObjectId $objectId -ErrorAction Stop
}
catch
{
    return
}

$Context.ConditionIsMet = $True

Regarding the modification of the mailbox properties: the mailbox gets created once the user gets the Microsoft 365 license assigned that grants access to Exchange Online. The mailbox creation takes some time as well. It means that you can use the same approach with marking the users and then processing them in a scheduled task. The task will check if the user is marked and has a mailbox in Exchange Online. If the conditions are met, the task will execute the custom command modifying Exchange properties. To make sure that a mailbox exists in Exchange Online, the following script from our repository can be used: https://www.adaxes.com/script-repository/check-whether-user-has-mailbox-in-exchange-online-s303.htm. Finally, the task will clear the custom Boolean attribute used as the mark. Both the addition to the group and the mailbox modifications can be done in a single scheduled task. The task configuration should look like the following:

[Screenshot: scheduled task configuration]

For your information, if you assign Microsoft 365 licenses in Adaxes, there is no need to use scheduled tasks and perform all these checks. You can simply assign a Microsoft 365 license with access to Exchange Online in a business rule triggering After creating a user. And in the same rule, right after the action that assigns the license, you can add the action that modifies the Exchange properties of the user mailbox. In this case, Adaxes will periodically check in the background if the mailbox already exists, and will perform the specified modification automatically once the mailbox actually exists.
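An example of the scheduled-task action that the answer describes, added here and not taken from the answer or the Adaxes script repository: it re-checks that the Microsoft 365 account exists, adds it to the group with the same MSOnline cmdlets the condition script above uses, and clears the mark only after membership is confirmed, so a rerun is harmless. The mark attribute name (adm-CustomAttributeBoolean1), the group Object ID placeholder and the use of $Context.LogMessage for logging are assumptions.

```powershell
# Added example, not the answer's or the repository's own code. Assumed to run as the scheduled
# task's action after the "If <property> equals True" and "If PowerShell script returns True" conditions.
$markAttribute = "adm-CustomAttributeBoolean1"      # assumption: custom Boolean used as the mark
$groupObjectId = [Guid]"00000000-0000-0000-0000-000000000000"  # placeholder: Object ID of your M365 group

# Object ID of the linked Microsoft 365 account; if it is not set yet, keep the mark and retry next run
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    $Context.LogMessage("No Microsoft 365 account linked yet; will retry on the next run.", "Warning")
    return
}

# Connect with the credentials from the Run As section of the task
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PSCredential($Context.RunAs.UserName, $password)
Connect-MsolService -Credential $credential

# Re-check existence right before the change; the condition may have been evaluated minutes ago
try
{
    $null = Get-MsolUser -ObjectId $objectId -ErrorAction Stop
}
catch
{
    $Context.LogMessage("Account $objectId is not visible in Microsoft 365 yet; will retry.", "Warning")
    return
}

# Add the user only if not already a member, so repeated runs do not fail
$members = Get-MsolGroupMember -GroupObjectId $groupObjectId -All
if (-not ($members | Where-Object { $_.ObjectId -eq $objectId }))
{
    try
    {
        Add-MsolGroupMember -GroupObjectId $groupObjectId -GroupMemberObjectId $objectId -GroupMemberType User -ErrorAction Stop
    }
    catch
    {
        $Context.LogMessage("Failed to add the user to the group: $($_.Exception.Message)", "Error")
        return   # keep the mark so the next run retries
    }
}

# Clear the mark only after membership is confirmed
$Context.TargetObject.Put($markAttribute, $False)
$Context.TargetObject.SetInfo()
```

Because the mark is cleared last, a failure at any step leaves the user queued for the next run of the task instead of silently dropping it.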

0

Thank you for the detailed information; that’s precisely the logic I was looking to apply but wasn’t sure how to do. I will give this a try this week.
