Further documentation on User Synchronization with MsGraph Powershell connector

Hello,

I posted a comment on another recent thread asking for some more information but thought I’d try starting a new thread on this instead. Is there any other documentation for setting up user synchronization using the MsGraph PowerShell connector? I am trying to set up the MsGraph PowerShell connector for user sync per the documentation: Microsoft Graph PowerShell connector

I have the connector configured and verified the connection to RabbitMQ is working. I installed the connector on the same server the AD Connector is installed on and the AD Connector is working fine. I’ve set up the OpenIAM side as best I can figure (similar to the AD Powershell settings), but don’t see any specifics in the documentation on how to do this exactly.

I am getting the following error message when I try to sync the user:

I am using version 4.2.1.10 with the Docker installation (It’s just a POC). I didn’t change anything in the connector configuration. My Managed System is set up as follows:

My Sync is set up as follows:

I verified I can connect to msgraph using the app/tenant IDs above and the thumbprint:

And I can query for user information using the SQL Query/Directory Filter from the sync:

I’m sure I’m missing something silly. Can anyone point me in the right direction? The only thing I haven’t done in the existing documentation is change the access of the application in Azure to Read/Write as this is a POC and it doesn’t need to write data.

Any help is appreciated!

Hi @netrunner2077

Can you please share with us the full stack trace of the error you are getting?

Thanks,

This is the full message in the Log Viewer window:

Sync process is started for Azure Auth Assignments(SYNC_AZURE_GRAPH_USER) at 04/21/2025 13:39:33

can’t retrieve lineObjects from target system. null,SYNCHRONIZATION_EXCEPTION,BasicDataServiceException was thrown

java.lang.NullPointerException at org.openiam.sync.service.impl.srcadapter.processor.AbstractSyncObjectProcessor.getAttributeIds(AbstractSyncObjectProcessor.java:344) at org.openiam.sync.service.impl.srcadapter.processor.AbstractSyncObjectProcessor.search(AbstractSyncObjectProcessor.java:308) at org.openiam.sync.service.impl.srcadapter.adapters.AbstractSrcAdapter.startSynch(AbstractSrcAdapter.java:742) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startCustomSynchronizationTask(SynchronizationDataServiceImpl.java:399) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startCustomSynchronizationTask(SynchronizationDataServiceImpl.java:319) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startSynchronization(SynchronizationDataServiceImpl.java:108) at org.openiam.sync.mq.AsynchronSynchronizationMessageListener$2.doProcess(AsynchronSynchronizationMessageListener.java:80) at org.openiam.sync.mq.AsynchronSynchronizationMessageListener$2.doProcess(AsynchronSynchronizationMessageListener.java:68) at org.openiam.common.mq.listener.AbstractListener.processRequest(AbstractListener.java:125) at org.openiam.common.mq.listener.AbstractListener.processingCrudRequest(AbstractListener.java:311) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:169) at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:119) at org.springframework.amqp.rabbit.listener.adapter.DelegatingInvocableHandler.invoke(DelegatingInvocableHandler.java:186) at 
org.springframework.amqp.rabbit.listener.adapter.HandlerAdapter.invoke(HandlerAdapter.java:88) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.invokeHandler(MessagingMessageListenerAdapter.java:261) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.invokeHandlerAndProcessResult(MessagingMessageListenerAdapter.java:207) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.onMessage(MessagingMessageListenerAdapter.java:146) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:1665) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.actualInvokeListener(AbstractMessageListenerContainer.java:1584) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:1572) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:1563) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.executeListener(AbstractMessageListenerContainer.java:1507) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.doReceiveAndExecute(SimpleMessageListenerContainer.java:967) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.receiveAndExecute(SimpleMessageListenerContainer.java:914) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.access$1600(SimpleMessageListenerContainer.java:83) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.mainLoop(SimpleMessageListenerContainer.java:1291) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.run(SimpleMessageListenerContainer.java:1197) at java.base/java.lang.Thread.run(Thread.java:829) 
BasicDataServiceException [code=INVALID_ARGUMENTS, responseValue=null, originalCause=null, errorTokenList=null] at org.openiam.sync.service.impl.srcadapter.adapters.AbstractSrcAdapter.startSynch(AbstractSrcAdapter.java:763) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startCustomSynchronizationTask(SynchronizationDataServiceImpl.java:399) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startCustomSynchronizationTask(SynchronizationDataServiceImpl.java:319) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startSynchronization(SynchronizationDataServiceImpl.java:108) at org.openiam.sync.mq.AsynchronSynchronizationMessageListener$2.doProcess(AsynchronSynchronizationMessageListener.java:80) at org.openiam.sync.mq.AsynchronSynchronizationMessageListener$2.doProcess(AsynchronSynchronizationMessageListener.java:68) at org.openiam.common.mq.listener.AbstractListener.processRequest(AbstractListener.java:125) at org.openiam.common.mq.listener.AbstractListener.processingCrudRequest(AbstractListener.java:311) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:169) at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:119) at org.springframework.amqp.rabbit.listener.adapter.DelegatingInvocableHandler.invoke(DelegatingInvocableHandler.java:186) at org.springframework.amqp.rabbit.listener.adapter.HandlerAdapter.invoke(HandlerAdapter.java:88) at 
org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.invokeHandler(MessagingMessageListenerAdapter.java:261) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.invokeHandlerAndProcessResult(MessagingMessageListenerAdapter.java:207) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.onMessage(MessagingMessageListenerAdapter.java:146) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:1665) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.actualInvokeListener(AbstractMessageListenerContainer.java:1584) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:1572) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:1563) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.executeListener(AbstractMessageListenerContainer.java:1507) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.doReceiveAndExecute(SimpleMessageListenerContainer.java:967) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.receiveAndExecute(SimpleMessageListenerContainer.java:914) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.access$1600(SimpleMessageListenerContainer.java:83) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.mainLoop(SimpleMessageListenerContainer.java:1291) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.run(SimpleMessageListenerContainer.java:1197) at java.base/java.lang.Thread.run(Thread.java:829) Caused by: java.lang.NullPointerException at 
org.openiam.sync.service.impl.srcadapter.processor.AbstractSyncObjectProcessor.getAttributeIds(AbstractSyncObjectProcessor.java:344) at org.openiam.sync.service.impl.srcadapter.processor.AbstractSyncObjectProcessor.search(AbstractSyncObjectProcessor.java:308) at org.openiam.sync.service.impl.srcadapter.adapters.AbstractSrcAdapter.startSynch(AbstractSrcAdapter.java:742) … 29 more BasicDataServiceException [code=SYNCHRONIZATION_EXCEPTION, responseValue=null, originalCause=null, errorTokenList=null] at org.openiam.sync.service.impl.srcadapter.adapters.AbstractSrcAdapter.startSynch(AbstractSrcAdapter.java:826) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startCustomSynchronizationTask(SynchronizationDataServiceImpl.java:399) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startCustomSynchronizationTask(SynchronizationDataServiceImpl.java:319) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startSynchronization(SynchronizationDataServiceImpl.java:108) at org.openiam.sync.mq.AsynchronSynchronizationMessageListener$2.doProcess(AsynchronSynchronizationMessageListener.java:80) at org.openiam.sync.mq.AsynchronSynchronizationMessageListener$2.doProcess(AsynchronSynchronizationMessageListener.java:68) at org.openiam.common.mq.listener.AbstractListener.processRequest(AbstractListener.java:125) at org.openiam.common.mq.listener.AbstractListener.processingCrudRequest(AbstractListener.java:311) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:169) at 
org.springframework.messaging.handler.invocation.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:119) at org.springframework.amqp.rabbit.listener.adapter.DelegatingInvocableHandler.invoke(DelegatingInvocableHandler.java:186) at org.springframework.amqp.rabbit.listener.adapter.HandlerAdapter.invoke(HandlerAdapter.java:88) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.invokeHandler(MessagingMessageListenerAdapter.java:261) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.invokeHandlerAndProcessResult(MessagingMessageListenerAdapter.java:207) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.onMessage(MessagingMessageListenerAdapter.java:146) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:1665) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.actualInvokeListener(AbstractMessageListenerContainer.java:1584) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:1572) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:1563) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.executeListener(AbstractMessageListenerContainer.java:1507) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.doReceiveAndExecute(SimpleMessageListenerContainer.java:967) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.receiveAndExecute(SimpleMessageListenerContainer.java:914) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.access$1600(SimpleMessageListenerContainer.java:83) at 
org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.mainLoop(SimpleMessageListenerContainer.java:1291) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.run(SimpleMessageListenerContainer.java:1197) at java.base/java.lang.Thread.run(Thread.java:829) Caused by: BasicDataServiceException [code=INVALID_ARGUMENTS, responseValue=null, originalCause=null, errorTokenList=null] at org.openiam.sync.service.impl.srcadapter.adapters.AbstractSrcAdapter.startSynch(AbstractSrcAdapter.java:763) … 29 more Caused by: java.lang.NullPointerException at org.openiam.sync.service.impl.srcadapter.processor.AbstractSyncObjectProcessor.getAttributeIds(AbstractSyncObjectProcessor.java:344) at org.openiam.sync.service.impl.srcadapter.processor.AbstractSyncObjectProcessor.search(AbstractSyncObjectProcessor.java:308) at org.openiam.sync.service.impl.srcadapter.adapters.AbstractSrcAdapter.startSynch(AbstractSrcAdapter.java:742) … 29 more BasicDataServiceException [code=SYNCHRONIZATION_EXCEPTION, responseValue=null, originalCause=null, errorTokenList=null] at org.openiam.sync.service.impl.srcadapter.adapters.AbstractSrcAdapter.startSynch(AbstractSrcAdapter.java:826) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startCustomSynchronizationTask(SynchronizationDataServiceImpl.java:399) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startCustomSynchronizationTask(SynchronizationDataServiceImpl.java:319) at org.openiam.sync.service.impl.service.SynchronizationDataServiceImpl.startSynchronization(SynchronizationDataServiceImpl.java:108) at org.openiam.sync.mq.AsynchronSynchronizationMessageListener$2.doProcess(AsynchronSynchronizationMessageListener.java:80) at org.openiam.sync.mq.AsynchronSynchronizationMessageListener$2.doProcess(AsynchronSynchronizationMessageListener.java:68) at 
org.openiam.common.mq.listener.AbstractListener.processRequest(AbstractListener.java:125) at org.openiam.common.mq.listener.AbstractListener.processingCrudRequest(AbstractListener.java:311) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:169) at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:119) at org.springframework.amqp.rabbit.listener.adapter.DelegatingInvocableHandler.invoke(DelegatingInvocableHandler.java:186) at org.springframework.amqp.rabbit.listener.adapter.HandlerAdapter.invoke(HandlerAdapter.java:88) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.invokeHandler(MessagingMessageListenerAdapter.java:261) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.invokeHandlerAndProcessResult(MessagingMessageListenerAdapter.java:207) at org.springframework.amqp.rabbit.listener.adapter.MessagingMessageListenerAdapter.onMessage(MessagingMessageListenerAdapter.java:146) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:1665) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.actualInvokeListener(AbstractMessageListenerContainer.java:1584) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:1572) at org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:1563) at 
org.springframework.amqp.rabbit.listener.AbstractMessageListenerContainer.executeListener(AbstractMessageListenerContainer.java:1507) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.doReceiveAndExecute(SimpleMessageListenerContainer.java:967) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.receiveAndExecute(SimpleMessageListenerContainer.java:914) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.access$1600(SimpleMessageListenerContainer.java:83) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.mainLoop(SimpleMessageListenerContainer.java:1291) at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.run(SimpleMessageListenerContainer.java:1197) at java.base/java.lang.Thread.run(Thread.java:829) Caused by: BasicDataServiceException [code=INVALID_ARGUMENTS, responseValue=null, originalCause=null, errorTokenList=null] at org.openiam.sync.service.impl.srcadapter.adapters.AbstractSrcAdapter.startSynch(AbstractSrcAdapter.java:763) … 29 more Caused by: java.lang.NullPointerException at org.openiam.sync.service.impl.srcadapter.processor.AbstractSyncObjectProcessor.getAttributeIds(AbstractSyncObjectProcessor.java:344) at org.openiam.sync.service.impl.srcadapter.processor.AbstractSyncObjectProcessor.search(AbstractSyncObjectProcessor.java:308) at org.openiam.sync.service.impl.srcadapter.adapters.AbstractSrcAdapter.startSynch(AbstractSrcAdapter.java:742) … 29 more

Hi @netrunner2077

The AzureSourceAttribute.groovy script I’ve attached defines the source attributes and should be configured in the ‘Source Attribute Name’ field of the sync setup. Once that’s done, please proceed to run the sync.

AzureUserSyncAttributes.txt (626 Bytes)


Hey @pradeep.bhalla! Thanks for your response. The script seemed to have taken care of the error that I was getting. However, I am running into another problem. The synchronization starts, but it never returns any results:

I verified the command used returns results on the server that the connector is installed on. What else can I check?

Hi @netrunner2077
Can you please share the synchronization service logs?

@pradeep.bhalla, apologies, what is the best way to find those logs? From the log viewer I am seeing the following:

I am also seeing the following in the logs on the connector:
{"attributes":[{"identityName":"UserPrincipalName","identityValue":null,"originalIdentityValue":null,"attributes":[{"name":"ObjectId","values":null,"primaryKey":false},{"name":"MemberOf","values":null,"primaryKey":false},{"name":"DisplayName","values":null,"primaryKey":false},{"name":"FirstName","values":null,"primaryKey":false},{"name":"LastName","values":null,"primaryKey":false},{"name":"UsageLocation","values":null,"primaryKey":false},{"name":"Id","values":null,"primaryKey":false},{"name":"PasswordProfile.Password","values":null,"primaryKey":false},{"name":"AccountEnabled","values":null,"primaryKey":false},{"name":"MailNickName","values":null,"primaryKey":false},{"name":"UserPrincipalName","values":null,"primaryKey":false},{"name":"Groups","values":null,"primaryKey":false},{"name":"GivenName","values":null,"primaryKey":false},{"name":"JobTitle","values":null,"primaryKey":false},{"name":"Mail","values":null,"primaryKey":false},{"name":"Surname","values":null,"primaryKey":false},{"name":"AssignedLicenses","values":null,"primaryKey":false},{"name":"AuthenticationMethods","values":null,"primaryKey":false}],"operation":"NO_CHANGE","type":"USER","metaData":{"requestID":"################################","executionMode":null,"managedSystemId":"AZURE_GRAPH_MS","url":"################################","port":null,"communicationProtocol":null,"login":"################################","password":"################################","attributes":[{"name":"SEARCH_SCOPE","values":[{"value":"SUBTREE_SCOPE","operation":"NO_CHANGE"}],"primaryKey":false},{"name":"SEARCH_QUERY","values":[{"value":"Get-MgUser -UserId ################################ -Property Id, DisplayName, PasswordProfile.Password, AccountEnabled, MailNickName, UserPrincipalName, Groups, GivenName,JobTitle, Mail, Surname, AssignedLicenses, AuthenticationMethods","operation":"NO_CHANGE"}],"primaryKey":false},{"name":"OBJECT_TYPE","values":[{"value":"USER","operation":"NO_CHANGE"}],"primaryKey":false}]},"userPassword":"################################","changePrimaryKey":false}],"id":null,"parentAuditLogId":"################################","provisionRequestId":"MS_GRAPH_CONNECTOR","requestCreatedForSyncId":"SYNC_AZURE_GRAPH_USER","searchBody":null,"asyncRequest":true,"urgentRequest":false}

Note: I replaced anything that might potentially be sensitive with “################################”.

In any case, it looks like the connector.ps1 script isn’t returning any data.

I’ve dug into this further, re-running the connector.ps1 script with the “replay simulation” enabled and configured per PowerShell connector usage and troubleshooting. At first I was getting an error about the AzureAD module not being installed. There are some instructions on the connector page about needing to install that to change passwords, but I am not doing that currently so I read those instructions as optional. Now that I have installed the AzureAD module, I am getting an authentication error. Again, I was under the impression that we were using MsGraph and not the AzureAD module, so I’m not sure why this is failing. Changing the operation from SAVE to SEARCH also didn’t make a difference as far as requiring this module. Looking at the PowerShell script, it is trying to get the login and password that the managed system is sending, and I’m not sure how that is going to work. I am going to keep digging. Appreciate any other assistance.

After a couple more hours digging, I have re-written the connector.ps1 and AzureOIAM.ps1m scripts to use Microsoft Graph PowerShell commands instead of AzureAD commands. I verified the script is working and getting user information from Graph. I am not seeing the response in OpenIAM. In the SQLite logs I am seeing the following: Sent to OpenIAM: Operation = ‘SEARCH’, TypeId = ‘SearchUserProvisioningConnectorResponse’, queue = ‘GRAPH_CONNECTOR_Response’.

Any ideas?

Hi @netrunner2077
Could you please enable debug mode in the connector.config file by setting:

"LogLevel": 0

"LogSearchResponses": true

After making these changes, please restart the PSGraph connector service, try syncing again, and share the logs from the connector.

This will tell us what connector sent to OpenIAM.

I wouldn’t recommend making changes in the connector.ps1 as these are not required.

Hey @pradeep.bhalla,

I have enabled the logging as you requested. I have also reverted the changes made to the connector.ps1 and azureoiam.ps1m scripts. Here is what I am getting (and you’ll see why I started making changes):

It indicates that it can’t connect to mggraph because we haven’t called connect-mggraph. If you examine the ps1 scripts (at least that came with my installation) they use connect-azuread and not connect-mggraph. I suspect I am getting this error because my search command is using get-mguser (as detailed in the documentation: Microsoft Graph PowerShell connector). So the obvious question is, if no changes are necessary to the script from the connector, am I somehow using the wrong connector or not the latest version?

I downloaded AzureAD - Graph v5 from the OpenIAM site:

Are there maybe updated versions of the script that I am unaware of?

For fun, here is the response in the log it is sending back to OpenIAM with my rewritten script:

{
  "status": "SUCCESS",
  "errorCode": null,
  "errorText": "",
  "fieldMappings": null,
  "stacktraceText": null,
  "responseValue": null,
  "errorTokenList": null,
  "failure": false,
  "success": true,
  "identity": "",
  "managedSystemId": "AZURE_GRAPH_MS",
  "objectType": "USER",
  "applicationId": "REDACTED@REDACTED_IP",
  "userList": [
    {
      "originalIdentityValue": null,
      "identityName": "UserPrincipalName",
      "attributes": [
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": true
            }
          ],
          "name": "AccountEnabled",
          "isPrimaryKey": false
        },
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": {
                "DisabledPlans": [],
                "SkuId": "REDACTED-SKUID-1"
              }
            },
            {
              "operation": "NO_CHANGE",
              "value": {
                "DisabledPlans": [],
                "SkuId": "REDACTED-SKUID-2"
              }
            },
            {
              "operation": "NO_CHANGE",
              "value": {
                "DisabledPlans": [
                  "REDACTED-PLAN-ID-1",
                  "REDACTED-PLAN-ID-2",
                  "REDACTED-PLAN-ID-3",
                  "REDACTED-PLAN-ID-4",
                  "REDACTED-PLAN-ID-5",
                  "REDACTED-PLAN-ID-6",
                  "REDACTED-PLAN-ID-7",
                  "REDACTED-PLAN-ID-8",
                  "REDACTED-PLAN-ID-9",
                  "REDACTED-PLAN-ID-10",
                  "REDACTED-PLAN-ID-11"
                ],
                "SkuId": "REDACTED-SKUID-3"
              }
            }
          ],
          "name": "AssignedLicenses",
          "isPrimaryKey": false
        },
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": "REDACTED_NAME"
            }
          ],
          "name": "DisplayName",
          "isPrimaryKey": false
        },
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": "REDACTED_FIRST_NAME"
            }
          ],
          "name": "GivenName",
          "isPrimaryKey": false
        },
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": "REDACTED_GUID"
            }
          ],
          "name": "Id",
          "isPrimaryKey": false
        },
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": "REDACTED_JOB_TITLE"
            }
          ],
          "name": "JobTitle",
          "isPrimaryKey": false
        },
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": "REDACTED_EMAIL"
            }
          ],
          "name": "Mail",
          "isPrimaryKey": false
        },
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": "REDACTED_NICKNAME"
            }
          ],
          "name": "MailNickName",
          "isPrimaryKey": false
        },
        {
          "values": [],
          "name": "MemberOf",
          "isPrimaryKey": false
        },
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": "REDACTED_LAST_NAME"
            }
          ],
          "name": "Surname",
          "isPrimaryKey": false
        },
        {
          "values": [],
          "name": "UsageLocation",
          "isPrimaryKey": false
        },
        {
          "values": [
            {
              "operation": "NO_CHANGE",
              "value": "REDACTED_UPN"
            }
          ],
          "name": "UserPrincipalName",
          "isPrimaryKey": false
        }
      ],
      "identityValue": "REDACTED_UPN"
    }
  ],
  "groupList": null,
  "passwordExpirationDate": null,
  "daysToExpiration": null,
  "passwordChangeNeeded": false,
  "accountEnabled": false,
  "accountFound": false,
  "communicationException": false,
  "parentAuditLogId": "REDACTED_LOG_ID",
  "provisionRequestId": "MS_GRAPH_CONNECTOR",
  "requestCreatedForSyncId": "SYNC_AZURE_GRAPH_USER"
}

EDIT:

I was able to get this working now with my modified script by ADDING Object Primary Key for User in the connector configuration. I set it to MailNickName in the Managed System configuration and changed the Source Attribute Name in the Azure Auth Assignments synchronization config to MailNickName as well. I tried UserPrincipalName first (as that was the default in the Source Attribute field) but it created an orphan account in the system. Keep in mind, this is all with my modified connector.ps1 and azureoiam.ps1m scripts using MS Graph.


I should also mention I had to edit the AzureTransformation.groovy script as the default one was generating an error. I couldn’t even save a copy of it to edit.
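As an added example (not code from this thread, from OpenIAM or from the connector), a small Python checker for a connector SEARCH response in the shape logged above: it flags an empty identityValue, a missing or multi-valued primary-key attribute, and entries whose attributes are all null, which are the three symptoms this thread runs into. The primary-key attribute name passed in and the sample response are constructed assumptions, not values from a real tenant.

```python
"""Sanity-check an OpenIAM PowerShell-connector SEARCH response before trusting a sync.

Added example, not OpenIAM or connector code. It assumes only the JSON shape visible in the
connector log: a top-level "userList" whose entries carry "identityName", "identityValue" and an
"attributes" list of {name, values: [{value}], isPrimaryKey}. The sample below is constructed.
"""
import json

# Constructed sample in the shape of the connector's SearchUserProvisioningConnectorResponse.
SAMPLE_RESPONSE = json.dumps({
    "status": "SUCCESS",
    "success": True,
    "managedSystemId": "AZURE_GRAPH_MS",
    "objectType": "USER",
    "userList": [
        {   # a healthy entry: identity set, primary-key candidate populated, two empty arrays
            "identityName": "UserPrincipalName",
            "identityValue": "alice@example.invalid",
            "attributes": [
                {"name": "UserPrincipalName", "isPrimaryKey": False,
                 "values": [{"operation": "NO_CHANGE", "value": "alice@example.invalid"}]},
                {"name": "MailNickName", "isPrimaryKey": False,
                 "values": [{"operation": "NO_CHANGE", "value": "alice"}]},
                {"name": "MemberOf", "isPrimaryKey": False, "values": []},
                {"name": "UsageLocation", "isPrimaryKey": False, "values": []},
            ],
        },
        {   # an entry like the all-null request seen earlier in the thread: nothing to match on
            "identityName": "UserPrincipalName",
            "identityValue": None,
            "attributes": [
                {"name": "UserPrincipalName", "isPrimaryKey": False, "values": None},
                {"name": "MailNickName", "isPrimaryKey": False, "values": None},
            ],
        },
    ],
})


def flatten_attributes(entry):
    """Map attribute name -> list of non-empty values; null or missing value lists become []."""
    flat = {}
    for attr in entry.get("attributes") or []:
        values = attr.get("values") or []
        flat[attr["name"]] = [v.get("value") for v in values if v.get("value") not in (None, "")]
    return flat


def check_entry(entry, primary_key):
    """Return a list of findings for one userList entry.

    primary_key is the attribute configured as Object Primary Key / Source Attribute Name in
    OpenIAM (an assumption here). It must be present, single-valued and non-empty, and the
    entry's identityValue must be set, otherwise the sync has nothing reliable to match on.
    """
    findings = []
    attrs = flatten_attributes(entry)
    identity = entry.get("identityValue")
    if not identity:
        findings.append("identityValue is empty")
    pk_values = attrs.get(primary_key)
    if pk_values is None:
        findings.append(f"primary key attribute {primary_key!r} missing from attributes")
    elif len(pk_values) != 1:
        findings.append(f"primary key attribute {primary_key!r} has {len(pk_values)} values, expected 1")
    elif identity and entry.get("identityName") == primary_key and pk_values[0] != identity:
        findings.append(f"identityValue {identity!r} does not match {primary_key}={pk_values[0]!r}")
    empty = [name for name, vals in attrs.items() if not vals]
    if attrs and len(empty) == len(attrs):
        findings.append("every attribute is null/empty: the connector returned no data")
    return findings


def check_response(raw_json, primary_key):
    """Parse a connector response and return {userList index: findings} for suspect entries.

    Key -1 carries response-level problems (non-SUCCESS status, empty userList).
    """
    doc = json.loads(raw_json)
    problems = {}
    if not doc.get("success") or doc.get("status") != "SUCCESS":
        problems[-1] = [f"connector status {doc.get('status')!r}, errorText {doc.get('errorText')!r}"]
    if not doc.get("userList"):
        problems[-1] = problems.get(-1, []) + ["userList is empty: nothing for the sync to process"]
    for i, entry in enumerate(doc.get("userList") or []):
        findings = check_entry(entry, primary_key)
        if findings:
            problems[i] = findings
    return problems


if __name__ == "__main__":
    for idx, findings in sorted(check_response(SAMPLE_RESPONSE, "MailNickName").items()):
        print(f"userList[{idx}]:", "; ".join(findings))
```

Point it at the JSON the connector writes with LogSearchResponses enabled and pass the attribute you configured as the primary key; an entry that is reported clean here but still produces an orphan in OpenIAM points at the transformation or identity script rather than the connector.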

Hi @netrunner2077,
Could you please confirm the version of the Microsoft PS Graph connector you’re using?

You can check this by navigating to:
Control Panel > Programs > Programs and Features (also known as Add or Remove Programs).

I suspect you might be using a different version of the connector.
Could you please verify whether the connector named MicrosoftPsGraph is installed, and not AzureAD-Graph v5?

Thanks!

Hey @pradeep.bhalla,

I just checked and I am totally using the wrong connector. I did see a link to the correct connector in another post so I will install that and see if I can get it working. It’s odd that in the portal I wouldn’t have access to that connector (as shown in my screenshot above).

I just wanted to come back and say that I did get this working with the new connector. It didn’t require any modifications of the PowerShell. For anyone in the future looking for this, you can get the connector from: https://download.openiam.com/release/enterprise/4.2.1.13/connectors/connector_MicrosoftPsGraph_v5.exe

I used the Azure AD User Sync (Deprecated) sync config and added the identities script above as well as cobbled together a transformation script that kinda seems to work.

It would still be nice to have a video or some documentation about setting up the OpenIAM side a little better. I’m sure we’re not the only shop using Entra ID.