Ramesh,
We have automated O365 management for "create/modify" use-cases. During scale testing, we found that if we wish to manage 10K IDs/hr, we need to use scheduled jobs with the Identity Management solution because of PowerShell memory usage on the remote MS Windows servers.
Below are some notes that may help. Ensure that the ID you are using is the SAME one in whose context the script is executed from the IM solution. This may be a "gotcha". Add debug comments to your PowerShell script to capture who the current user/service ID is.
####
0. The Exchange Management Tools package provides the Exchange PowerShell console, also known as the Exchange Management Shell (EMS).
EMS is needed to perform many Exchange tasks that are not available in the EAC (Exchange Administration Center).
The prerequisite for EMS is MS IIS.
1. Deploy the Exchange Management Tools prerequisite (IIS tools) on the CCS server.
- Open a PowerShell command-line window as local OS administrator
Enable-WindowsOptionalFeature -Online -FeatureName "IIS-ManagementConsole", "IIS-LegacySnapIn", "IIS-IIS6ManagementCompatibility","IIS-Metabase" -All
2. Deploy Exchange Management Tools from the Exchange 2013 ISO. [May take 30-60 min]
D:\setup.exe /Role:ManagementTools /IAcceptExchangeServerLicenseTerms
3. Install modules.
# The ActiveDirectory module is not on the PowerShell Gallery; it ships with RSAT (on Windows Server: Install-WindowsFeature RSAT-AD-PowerShell)
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module -Name ActiveDirectory
Install-Module -Name AzureAD
Import-Module -Name AzureAD
Install-Module -Name MSOnline
Import-Module -Name MSOnline
4. View Modules imported.
Get-Module
5. Enable the Exchange snap-in. Requires the Exchange Management Tools to be installed; needed for the Get-User and Enable-RemoteMailbox cmdlets.
# Loads Microsoft.Exchange.Management.PowerShell.SnapIn (wildcard match); the error is suppressed if the tools are absent
Add-PSSnapin *exchange* -ErrorAction SilentlyContinue
6. Test all Get commands:
# Test on-prem Exchange Get-User command
Get-User testuser | fl
# Test on-prem Active Directory Get-ADUser command
Get-ADUser testuser | fl
# Test cloud MS Online user (needs bind credentials & session first): Get-MsolUser
Import-Module MSOnline
$User = "alanbaugher@alanbaugher2.onmicrosoft.com"
# Demo value only: in production load the credential from a protected store (Get-Credential, or Import-Clixml of a file exported under the same service ID) instead of a plaintext string
$PWord = ConvertTo-SecureString -String "ABCDEEFGHI1234567890" -AsPlainText -Force
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-MsolService -Credential $UserCredential
# Implicit-remoting session to Exchange Online; idle timeout is in milliseconds (60000 = 1 minute)
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection -SessionOption (New-PSSessionOption -IdleTimeOut 60000)
Import-PSSession $session
Get-MsolUser
# Test cloud MS Azure user (needs bind credentials & session first; may use the same credentials as above): Get-AzureADUser
Install-Module -Name AzureAD
Connect-AzureAD -Credential $UserCredential
Get-AzureADUser
# Get-Mailbox is proxied through the Exchange Online session imported above
Get-Mailbox
# Always remove the session when done; leftover sessions consume memory on the host
Remove-PSSession $session
##### Create User Use-Case with O365 #####
7. Create a new user in on-prem AD with PowerShell.
# Demo password only; in production generate or retrieve the initial password from the IM solution rather than hard-coding it
New-ADUser -Name "Test User 001" -GivenName "Test001" -Surname "User001" -SamAccountName "testuser001" -UserPrincipalName "testuser001@exchange.lab" -Path "CN=Users,DC=exchange,DC=lab" -AccountPassword (ConvertTo-SecureString "Password01" -AsPlainText -Force) -Enabled $true
8. Export the current AD user LDIF from on-prem AD.
# %1 is a batch-file placeholder for the UPN; substitute the actual UPN when running the command by hand
ldifde -f step01b-create-user-ldif-export.ldif -d "OU=o365,DC=exchange,DC=lab" -s dc2016.exchange.lab -p subtree -r "(&(objectClass=User)(userPrincipalName=%1))"
9. Update the local on-prem account to be ready for a Remote Mailbox in O365.
# Ref: https://docs.microsoft.com/en-us/powershell/exchange/exchange-server/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps
# Use the session below to allow AD to communicate with the local Exchange server
$User2 = "administrator@exchange.lab"
# Demo value only; load the credential from a protected store in production
$PWord2 = ConvertTo-SecureString -String "ABCdemo123" -AsPlainText -Force
$UserCredential2 = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User2, $PWord2
# Kerberos authentication is used with the internal http URL of the on-prem Exchange server
$Session2 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange2016.exchange.lab/PowerShell/ -Authentication Kerberos -Credential $UserCredential2
# The session must be imported before Enable-RemoteMailbox is available in this shell (unless the EMS snap-in from step 5 is loaded)
Import-PSSession $Session2
Enable-RemoteMailbox -Identity "TestUserO365@exchange.lab" -RemoteRoutingAddress "TestUserO365@alanbaugher2.onmicrosoft.com"
Remove-PSSession $Session2
10. Export the updated AD user LDIF from on-prem AD.
# %1 is a batch-file placeholder for the UPN, as in step 8
ldifde -f step01c-mod-create-user-ldif-export.ldif -d "OU=o365,DC=exchange,DC=lab" -s dc2016.exchange.lab -p subtree -r "(&(objectClass=User)(userPrincipalName=%1))"
### Wait for Dir Sync Operation ###
11. Assign O365 License.
Set-MsolUserLicense -UserPrincipalName "TestUserO365@alanbaugher2.onmicrosoft.com" -AddLicenses "alanbaugher2:DEVELOPERPACK"
##########################################################################
############## Example to add log functionality to your PS script to help debug any issues #####
##########################################################################
# $taskid, $sam and $upn are expected to be passed in by the IM solution; they are declared here so the snippet runs stand-alone
param([string] $taskid = "local", [string] $sam = "", [string] $upn = "")
# Log facility
$logSetting = "DEBUG" # INFO, DEBUG
# O365 Settings
$O365_Domain = "alanbaugher2.onmicrosoft.com"
$EXC_Server_URL = "dc2.exchange.dom/PowerShell/"
$EXC_Service_ID = "o365serviceid@exchange.dom"
# On Prem AD Settings
$DOMAIN_CONTROLLER = "dc1.exchange.dom"
# Suppress progress bars, which are noise in a scheduled job's output stream
$global:ProgressPreference = 'SilentlyContinue'
function Log-It([string] $facility, [string] $taskid, [string] $category, [string] $message) {
  $now = "{0:yyyy-MM-dd HH:mm:ss:fff}" -f (Get-Date)
  # INFO setting logs only INFO messages; DEBUG setting logs everything (INFO and DEBUG)
  if (($logSetting -ieq "DEBUG") -or ($facility.Trim() -ieq "INFO")) {
    Write-Host $now $facility $taskid $category $message
  }
}
# Seconds since the Unix epoch, for elapsed-time calculations at the end of the script
$st = (New-TimeSpan -Start (Get-Date "01/01/1970") -End (Get-Date)).TotalSeconds
# Call with space-separated arguments: Log-It("a", "b", ...) would pass one array as the first parameter
Log-It "INFO " "Time" "[$taskid]" "Start Date of O365 Powershell Script"
Log-It "INFO " "Time" "[$taskid]" "SAM: $sam UPN: $upn "
Good luck.
A.
------------------------------
Alan Baugher
ANA Technology Partner (anapartner.com)
------------------------------
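The steps above, put together as one scheduled-job script. This is an added example, not code from the thread or from the Broadcom connector: it logs the identity the job actually runs as (the "gotcha" in the reply), loads credentials from Export-Clixml files instead of plaintext strings, imports the on-prem session before calling Enable-RemoteMailbox, polls the tenant with a hard timeout instead of a fixed "wait for dir sync", sets UsageLocation before licensing (Set-MsolUserLicense fails without it), and removes the session in a finally block. The tenant domain, Exchange URI, SKU, credential directory and usage location are assumptions. It keeps the MSOnline cmdlets from the thread; note that MSOnline and Basic-auth sessions to ps.outlook.com are legacy interfaces, with Microsoft Graph PowerShell and Connect-ExchangeOnline as their replacements.

```powershell
# Added example: create -> enable remote mailbox -> wait for sync -> license, for one user.
# Every hostname, UPN, SKU and path below is an assumption to be replaced with your values.
param(
    [Parameter(Mandatory)] [string] $Sam,   # e.g. testuser001
    [Parameter(Mandatory)] [string] $Upn,   # on-prem UPN, e.g. testuser001@exchange.lab
    [string] $TaskId         = [guid]::NewGuid().ToString(),
    [string] $O365Domain     = "alanbaugher2.onmicrosoft.com",                  # assumed tenant domain
    [string] $ExchangeUri    = "http://exchange2016.exchange.lab/PowerShell/",  # assumed on-prem endpoint
    [string] $LicenseSku     = "alanbaugher2:DEVELOPERPACK",                    # assumed SKU
    [string] $UsageLocation  = "US",                                            # assumed location
    [string] $CredDir        = "$env:ProgramData\O365Connector",                # assumed credential store
    [int]    $SyncTimeoutMin = 45
)
$ProgressPreference = 'SilentlyContinue'

function Log-It([string] $Facility, [string] $Category, [string] $Message) {
    $now = "{0:yyyy-MM-dd HH:mm:ss.fff}" -f (Get-Date)
    Write-Host "$now $Facility [$TaskId] [$Category] $Message"
}

# Record exactly which identity is executing: the IM scheduler may not run the job
# as the account you tested with interactively, and "Access is denied" follows from that.
$runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Log-It "INFO " "Identity" "Running as $($runAs.Name) (SID $($runAs.User.Value)); SAM=$Sam UPN=$Upn"

# Credential files must have been written with Export-Clixml by this same service identity:
# Export-Clixml protects the password with DPAPI scoped to that user, so a file created
# under a different account cannot be imported here.
$onPremCred = Import-Clixml -Path (Join-Path $CredDir "onprem-exchange.cred.xml")
$cloudCred  = Import-Clixml -Path (Join-Path $CredDir "o365.cred.xml")

# After sync the cloud UPN of an unverified on-prem suffix is sam@<tenant>.onmicrosoft.com,
# which is also the remote routing address (as in the thread's step 9 and step 11).
$cloudUpn  = "$Sam@$O365Domain"
$exSession = $null
try {
    # 1. On-prem: enable the remote mailbox through implicit remoting (no EMS snap-in needed here).
    $exSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri `
                               -Authentication Kerberos -Credential $onPremCred
    Import-PSSession $exSession -CommandName Enable-RemoteMailbox, Get-RemoteMailbox -AllowClobber | Out-Null

    if (-not (Get-RemoteMailbox -Identity $Upn -ErrorAction SilentlyContinue)) {
        Enable-RemoteMailbox -Identity $Upn -RemoteRoutingAddress $cloudUpn | Out-Null
        Log-It "INFO " "Exchange" "Enabled remote mailbox for $Upn -> $cloudUpn"
    } else {
        Log-It "DEBUG" "Exchange" "Remote mailbox already present for $Upn; skipping"
    }

    # 2. Cloud: wait for directory sync to surface the object, bounded by a timeout.
    Connect-MsolService -Credential $cloudCred
    $deadline = (Get-Date).AddMinutes($SyncTimeoutMin)
    $msolUser = $null
    do {
        $msolUser = Get-MsolUser -UserPrincipalName $cloudUpn -ErrorAction SilentlyContinue
        if (-not $msolUser) { Start-Sleep -Seconds 60 }
    } while (-not $msolUser -and (Get-Date) -lt $deadline)
    if (-not $msolUser) { throw "Timed out after $SyncTimeoutMin min waiting for $cloudUpn to sync" }

    # 3. Licensing requires UsageLocation; set it only if missing, then add the SKU idempotently.
    if (-not $msolUser.UsageLocation) {
        Set-MsolUser -UserPrincipalName $cloudUpn -UsageLocation $UsageLocation
    }
    if ($msolUser.Licenses.AccountSkuId -notcontains $LicenseSku) {
        Set-MsolUserLicense -UserPrincipalName $cloudUpn -AddLicenses $LicenseSku
        Log-It "INFO " "License" "Assigned $LicenseSku to $cloudUpn"
    }
    Log-It "INFO " "Result" "Completed $cloudUpn"
}
catch {
    Log-It "ERROR" "Failure" $_.Exception.Message
    throw
}
finally {
    # Each leaked implicit-remoting session keeps a proxy module and runspace alive on this host,
    # so tear it down on every path, including failures.
    if ($exSession) { Remove-PSSession $exSession }
}
```

Run it once interactively under the service account first (.\Provision-O365User.ps1 -Sam testuser001 -Upn testuser001@exchange.lab) and compare the "Running as" line with the one produced when the IM solution schedules it; a mismatch there is the first thing to rule out when the scheduled run fails with "Access is denied".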
Original Message:
Sent: 05-12-2021 06:45 AM
From: Ramesh Dara
Subject: O365 connectivity issue through powershell
Hi Team,
I am trying to integrate O365 with CA Identity Manager 14.3, and I am following the document at the link below to achieve the same.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-office-365/connect-to-office-365.html
I have done everything as the above document says. Below is the error I get in PowerShell.
WARNING: Your connection has been redirected to the following URI:
"https://ps.outlook.com/PowerShell-LiveID?PSVersion=5.1.14409.1005 "
New-PSSession : [ps.outlook.com] Connecting to remote server ps.outlook.com failed with the following error message :
Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
PS C:\>
Note: We have internet on the Connector Server.
In IDM Provisioning Manager, when creating the O365 endpoint I am getting the error below.
Failed to execute CreateOffice365Endpoint. ERROR MESSAGE: Endpoint 'O365' creation failed: Connector Server Add failed: code 80 (OTHER-NamingException):
failed to add entry eTDYNDirectoryName=O365,eTNamespaceName=Office 365,dc=im,dc=etasa: javax.naming.NamingException: Failed to activate the connector [O365]:
Failed to borrow connection object with connection key [idmadmin@rameshidmtest.onmicrosoft.com]:
Failed to borrow connection object with connection key [idmadmin@rameshidmtest.onmicrosoft.com]:
Failed to execute [Get-PSsession | Remove-PSsession] because process output stream has encountered an error... (ldaps://caidmcert.myad.com:20411),
Please help me succeed in integrating O365 with CA Identity Manager 14.3.
Regards,
Ramesh