0 votes

I noticed that I get an error when I execute the "Add user to groups in Microsoft 365" script (https://www.adaxes.com/script-repository/add-user-to-groups-in-microsoft-365-s578.htm) after a user account is created. I believe this is because Azure AD does not see the new account and it takes time for replication. Am I correct? If so, is there a way around this issue? I'd like to configure automation so that as soon as a new account is created, that new account will be added to the Microsoft 365 group. The screenshot below just shows the error that occurs when trying to add the user to the M365 group as an automated task after the new user account gets created.

We are trying to avoid having to do the following steps manually:

  1. create user in on-prem Active Directory (Adaxes)
  2. wait for the sync with Azure AD (takes up to 30 mins)
  3. log into Azure and add the new user to M365 group
  4. go back to Adaxes and modify exchange properties (Alias, SMTP, target address)

Since it takes so long to sync, I cannot automate the above steps.

[screenshot: Actions to occur after account creation]

by (160 points)
0

Hello,

Do we understand correctly that you are using group-based licensing in Microsoft 365 and you are adding the created user to the group whose members get Microsoft 365 licenses assigned? Additionally, you specified that you need to modify the Exchange properties of the user mailbox. Please, clarify whether the mailbox is created in Exchange Online or you need to have a remote mailbox.

0

We use group-based licensing by logging into Azure and adding a user to the Microsoft 365 License group. Members of that group then inherit the M365 license.

We then have to edit that user's exchange properties using an Adaxes custom command. The command modifies properties of the email address by adding SMTP addresses (SMTP:username@domain, username@domain.onmicrosoft.com, username@domain.mail.onmicrosoft.com). It also modifies the ms-Exch-Target-Address property.

Please let me know if that clarifies things for you.

1 Answer

0 votes
by (14.9k points)

Hello,

Thank you for specifying. To achieve the desired result, you need to create the related Microsoft 365 account first. To do so, you can use the Activate or modify Microsoft 365 account action executed in the business rule triggering After creating a user. In the action configuration, do not select any licenses, just activate the account and it will create a user in Microsoft 365. However, the account creation takes some time.

To be sure that the account actually exists before adding it to the Microsoft 365 group, the following approach can be used. You can mark the account by setting, for example, a custom Boolean attribute to True in the business rule triggering After creating a user. Then create a scheduled task that will check whether the user is marked and whether the account actually exists in Microsoft 365. If the conditions are met, the task will run the script that adds the user to the required group and clear the custom Boolean attribute.

To check if the user is marked, use the If <property> <relation> <value> condition. To check if the account exists in Microsoft 365, run the below script in the If PowerShell script returns True condition.

To connect to Microsoft 365, the script uses the credentials specified in the Run As section of the condition settings.

[screenshot: Run As section of the condition settings]

For the script to work, you need to install the Microsoft Azure Active Directory Module on each computer where the Adaxes service is running.

$Context.ConditionIsMet = $False

# Get the Microsoft 365 object ID that Adaxes stores for the user.
# The attribute is empty until the cloud account exists, so a failed read means "not yet".
try
{
    $objectId = [Guid]$Context.TargetObject.Get("adm-O365ObjectId")
}
catch
{
    return
}

# Connect to Microsoft 365 with the Run As credentials (requires the MSOnline module,
# which provides Connect-MsolService and Get-MsolUser).
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PSCredential($Context.RunAs.UserName, $password)

try
{
    Connect-MsolService -Credential $credential -ErrorAction Stop

    # Look the user up by object ID; a missing account throws and is caught below.
    # The result is discarded: only success or failure matters for the condition.
    $null = Get-MsolUser -ObjectId $objectId -ErrorAction Stop
}
catch
{
    return
}

$Context.ConditionIsMet = $True

Regarding the modification of the mailbox properties: the mailbox gets created once the user gets the Microsoft 365 license assigned that grants access to Exchange Online. The mailbox creation takes some time as well. It means that you can use the same approach with marking the users and then processing them in a scheduled task. The task will check if the user is marked and has a mailbox in Exchange Online. If the conditions are met, the task will execute the custom command modifying Exchange properties. To make sure that a mailbox exists in Exchange Online, the following script from our repository can be used: https://www.adaxes.com/script-repository/check-whether-user-has-mailbox-in-exchange-online-s303.htm. Finally, the task will clear the custom Boolean attribute used as the mark. Both the addition to the group and the mailbox modifications can be done in a single scheduled task. The task configuration should look like the following:

[screenshot: scheduled task configuration]

For your information, if you assign Microsoft 365 licenses in Adaxes, there is no need to use scheduled tasks and perform all these checks. You can simply assign a Microsoft 365 license with access to Exchange Online in a business rule triggering After creating a user. And in the same rule, right after the action that assigns the license, you can add the action that modifies the Exchange properties of the user mailbox. In this case, Adaxes will periodically check in the background if the mailbox already exists, and will perform the specified modification automatically once the mailbox actually exists.
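The whole flow from this answer (mark the user, verify the cloud account, add to the license group, wait for the mailbox, set the Exchange properties, clear the mark) as a single scheduled-task script action. This is an added example, not the script from the answer above and not a script from the Adaxes repository; it substitutes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module for the MSOnline module the answer uses, and it writes the proxyAddresses and targetAddress values that the asker's custom command sets directly to the on-premises object. The tenant name, app ID, certificate thumbprint, group object ID, mail domain, and the Graph and Exchange permissions listed in the header comment are assumptions to replace with your own values.

```powershell
# Added example, not the page's script or an Adaxes repository script.
# One scheduled-task script action that performs the flow the answer describes:
# gate on the mark, gate on the cloud account, add to the license group (idempotently),
# gate on the mailbox, set the on-prem Exchange properties, then clear the mark.
# Assumptions (all placeholders must be replaced):
#   - Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Groups and
#     ExchangeOnlineManagement are installed on every host running the Adaxes service
#   - one app registration with Graph application permissions User.Read.All and
#     GroupMember.ReadWrite.All, the Exchange.ManageAsApp permission and an Exchange role
#     such as Exchange Recipient Administrator, authenticating with a certificate held in
#     the Adaxes service account's certificate store (no password or secret in the task)
#   - the "After creating a user" rule set adm-CustomAttributeBoolean1 to True

$tenantId   = "contoso.onmicrosoft.com"                   # placeholder
$appId      = "00000000-0000-0000-0000-000000000000"      # placeholder
$thumbprint = "0000000000000000000000000000000000000000"  # placeholder
$groupId    = "11111111-1111-1111-1111-111111111111"      # placeholder: object ID of the M365 License group
$mailDomain = "domain.com"                                # placeholder: primary SMTP domain
$tenantName = "domain"                                    # placeholder: <tenantName>.onmicrosoft.com
$mark       = "adm-CustomAttributeBoolean1"

# Gate 1: only marked users are processed; unmarked users cost nothing.
try { $isMarked = [bool]$Context.TargetObject.Get($mark) } catch { $isMarked = $False }
if (-not $isMarked) { return }

# Gate 2: Adaxes fills adm-O365ObjectId once the cloud account exists.
try { $objectId = ([Guid]$Context.TargetObject.Get("adm-O365ObjectId")).ToString() }
catch { $Context.LogMessage("No Microsoft 365 object ID yet; retrying next run.", "Information"); return }

$sam = $Context.TargetObject.Get("sAMAccountName")
$upn = $Context.TargetObject.Get("userPrincipalName")

try
{
    Connect-MgGraph -TenantId $tenantId -ClientId $appId -CertificateThumbprint $thumbprint -NoWelcome -ErrorAction Stop

    # Gate 3: the account must resolve in Entra ID, not just have an ID cached on-prem.
    $user = Get-MgUser -UserId $objectId -Property Id,UserPrincipalName -ErrorAction Stop

    # Step A: add to the license group only if not already a member, so reruns are safe.
    $memberOf = Get-MgUserMemberOf -UserId $user.Id -All -ErrorAction Stop
    if ($memberOf.Id -notcontains $groupId)
    {
        New-MgGroupMember -GroupId $groupId -DirectoryObjectId $user.Id -ErrorAction Stop
        $Context.LogMessage("Added $($user.UserPrincipalName) to license group $groupId.", "Information")
    }
}
catch
{
    # Leave the mark in place; the next scheduled run retries.
    $Context.LogMessage("Graph step failed, mark left in place: $($_.Exception.Message)", "Warning")
    return
}
finally
{
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}

# Gate 4: the mailbox appears some time after the license is inherited from the group.
try
{
    Connect-ExchangeOnline -AppId $appId -CertificateThumbprint $thumbprint -Organization $tenantId -ShowBanner:$false -ErrorAction Stop
    $null = Get-EXOMailbox -Identity $upn -ErrorAction Stop
}
catch
{
    $Context.LogMessage("Mailbox for $upn not found yet; retrying next run.", "Information")
    return
}
finally
{
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}

# Step B: the Exchange properties the custom command sets, appended to the on-prem object
# without dropping addresses that are already there (3 = ADS_PROPERTY_APPEND).
$wanted = @(
    "SMTP:$sam@$mailDomain",
    "smtp:$sam@$tenantName.onmicrosoft.com",
    "smtp:$sam@$tenantName.mail.onmicrosoft.com"
)
try { $existing = @($Context.TargetObject.GetEx("proxyAddresses")) } catch { $existing = @() }
$missing = @($wanted | Where-Object { $existing -notcontains $_ })
if ($missing.Count -gt 0) { $Context.TargetObject.PutEx(3, "proxyAddresses", $missing) }
$Context.TargetObject.Put("targetAddress", "SMTP:$sam@$tenantName.mail.onmicrosoft.com")

# Step C: clear the mark last, so any failure above leaves the user queued for the next run.
$Context.TargetObject.Put($mark, $False)
$Context.TargetObject.SetInfo()
```

Run it as the script action of a scheduled task over the OU where new users land. Because every step is gated and the mark is cleared only at the end, the task can run every few minutes and each user converges over two or three runs: group membership on the first run where the cloud account resolves, mailbox properties on the first run after the mailbox has been provisioned.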

0

Thank you for the detailed information; that’s precisely the logic I was looking to apply but wasn’t sure how to do. I will give this a try this week.

+1

Hello,

A version of Adaxes that supports management of Azure AD objects is released. You can download it from here.

What’s New

Upgrade instructions

0

Thanks for the update. Will this allow us to add user objects to groups in Azure AD? In our hybrid AD/Azure AD environment, we add users to an M365 License Group in Azure AD for their account to have an active mailbox. Will this 2023 version allow us to add that new user to the Azure AD M365 License group from Adaxes? We currently have this process scripted using a Business Rule and a Scheduled Task in Adaxes. We would like to know if this new version will allow us to bypass the Business Rule and Scheduled Task and manage that function directly.

0

Hello,

Yes, in Adaxes 2023 you can automate Azure AD group membership in the same way as for on-premises AD groups without using scripts.

0

Is there a new updated script to check if an account exists in Microsoft 365? The current one stopped working for me.

This script:

[screenshot: the script]

0

Hello,

There were no changes in Adaxes 2023 that might affect your script. As per our check, it should be working fine. If you face any issues, please, describe them in all the possible details with live examples.

0

After creating a user, we have an action that adds a CustomAttributeBoolean1 and sets it to true. We then have a scheduled task with two conditions: 1. checks if the CustomAttributeBoolean1 property is true; 2. the script that returns true if the new user account exists in MS 365. If both conditions are met, then there is another script that connects to Azure and adds the user to the Microsoft 365 License group. I've tested the scheduled task by removing the 'check if account exists in MS 365' script and the task was successful. The portion that does not seem to work is the script. I've also confirmed that the account does exist in MS 365 by logging in and searching for it.

Screenshot of boolean attribute on the new test account:

[screenshot]

Screenshot of the script that checks if account exists in MS 365 then returns 'true' if it exists (Note: we tried both Run as: 'Adaxes service account' and 'This account' options):

[screenshot]

Screenshot with the script removed and the activity history shows that the task worked successfully:

[screenshot]

0

Hello,

Thank you for the provided details.

Screenshot of the script that checks if account exists in MS 365 then returns 'true' if it exists (Note: we tried both Run as: 'Adaxes service account' and 'This account' options)

The script only works when the credentials are specified in the This account option of the Run as section. Also, it has to be an account which has corresponding permissions in Microsoft 365.

I've also confirmed that the account does exist in MS 365 by logging in and searching for it.

Please, check Microsoft 365 properties for the user in Adaxes Administration console. Do you see them properly?

0

As a test, I've run the script with my own credentials and it did not work. My credentials have the correct permissions in Microsoft 365.

Also, looking at the Microsoft 365 properties for the test account in the Adaxes Admin Console and yes I see them properly.

I will contact Adaxes Support for further troubleshooting.

0

Hello,

Thank you for the provided details. This is also Adaxes support replying here. We will keep going with the discussion in the ticket you opened.
