Discussion:
Azure AD CRUD operations via TDI
Jared Roberts
2021-03-22 06:00:57 UTC
Hey gang. Has anyone attempted to create, read, update, delete users and/or groups from Azure AD via REST?
I am specifically interested in synching Domino groups to Azure AD via TDI/SDI.
I think (in theory) it could be done via the REST API.

https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http

But alas, I am not a developer, so I am stuck on validating my theory. Cheers, Jared
Eddie Hartman
2021-03-22 17:18:08 UTC
Post by Jared Roberts
Hey gang. Has anyone attempted to create, read, update, delete users and/or groups from Azure AD via REST?
I am specifically interested in synching Domino groups to Azure AD via TDI/SDI.
I think (in theory) it could be done via the REST API.
https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http
But alas, I am not a developer, so I am stuck on validating my theory. Cheers, Jared
Hi Jared,

If there is a REST API available to do this, then yes it is possible. If you'd like to experiment with this together, please let me know and we can do a screen share. You can reach me at eddie (at) agilitar.com

/Eddie
Jared Roberts
2021-03-23 03:03:33 UTC
That sounds great mate, thank you.... I'll hit you up via the website!
Franzw
2021-03-23 06:46:56 UTC
Post by Jared Roberts
That sounds great mate, thank you.... I'll hit you up via the website!
Just a warning about the general concept of syncing groups - this always sounds easy - but membership is not standardized across registries/LDAP servers, as this is not covered by the standards. So there may be a few borderline cases that require some extra complex work to function...

But if you get help from Eddie you should be safe - he is the best :-)

Regards
Franz Wolfhagen
Jared Roberts
2021-03-23 23:28:34 UTC
Excellent advice - thank you.
I do have a pretty complex AL that synchronises Domino groups to AD at the moment.
TDI handles a lot of the business rules, translation, validation etc.
It works great for AD.

Looking to send the same “package” of group creation/membership/owners etc to Azure.

For many reasons the customer is not synching the AD groups on premise to Azure AD - so I gotta try and do it this way.

Basically ingest the Domino groups... apply all of our logic and translation and feed the result to AD and Azure AD :-)
Jared Roberts
2021-04-29 02:19:40 UTC
I've got further with this with my customer...

They figured out how to use the REST API for M365 groups; they used Postman to test CRUD operations...
https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0

We then translated this into SDI using HTTP Connectors.
The first Connector does auth (that was the most difficult part to work out), then we construct a JSON package to be sent to M365 with an HTTP POST.

At the moment I have to re-work some logic to deal with nested groups in Domino, as they aren't supported in M365 (for non-security groups); these nested groups from Domino are being synced to AD on-prem just fine.
I'm doing this by using an LDAP Group Members connector, then using an Attribute Loop to retrieve the UUID of members from M365 using email address.

....more to come!... be happy to share my solution once I've figured it out.
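The exchange Jared describes (an auth step, a JSON package POSTed to create the group, then a per-member lookup by email to get the directory id) as an added example; this is not the thread's SDI configuration or code from the Graph project. The URLs are the Microsoft Graph v1.0 endpoints from the docs (the client-credentials token endpoint, POST /groups, GET /users with a $filter, POST /groups/{id}/members/$ref); everything else is assumed: the names sync_group, FakeGraph and demo, the tenant/client ids and secret, the user ids, the token value and the responses FakeGraph serves are all constructed for the demo. Two details the thread does not spell out are shown: the mail address is escaped before it goes into $filter (OData doubles a single quote, so an address like o'brien@example.com cannot alter the filter), and a Domino member that is not a user in M365 (typically a nested group) comes back in an unresolved list instead of being silently dropped.

```python
"""Added example (not from the thread or SDI): the Graph exchange as request
builders plus a pluggable transport so it runs offline. All ids, the secret
and the responses FakeGraph serves are constructed."""
import re
from urllib.parse import parse_qs, quote, urlsplit

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def odata_literal(value):
    """Quote a string for $filter: OData escapes a single quote by doubling it."""
    return "'" + value.replace("'", "''") + "'"


def token_request(tenant_id, client_id, client_secret):
    """Step 1 (the 'auth connector'): OAuth2 client-credentials grant."""
    return {"method": "POST", "url": f"{LOGIN}/{tenant_id}/oauth2/v2.0/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": {"client_id": client_id, "client_secret": client_secret,
                     "scope": "https://graph.microsoft.com/.default",
                     "grant_type": "client_credentials"}}


def _auth(token):
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def find_user_request(token, mail):
    """Resolve a mail address to a user id (the per-member 'Attribute Loop' lookup)."""
    filt = f"mail eq {odata_literal(mail)}"
    return {"method": "GET", "headers": _auth(token),
            "url": f"{GRAPH}/users?$select=id,mail&$filter={quote(filt, safe='')}"}


def create_group_request(token, display_name, mail_nickname, owner_ids):
    """Step 2: the JSON package for POST /groups (a Microsoft 365 group)."""
    return {"method": "POST", "url": f"{GRAPH}/groups", "headers": _auth(token),
            "body": {"displayName": display_name, "mailNickname": mail_nickname,
                     "mailEnabled": True, "securityEnabled": False,
                     "groupTypes": ["Unified"],
                     "owners@odata.bind": [f"{GRAPH}/users/{u}" for u in owner_ids]}}


def add_member_request(token, group_id, user_id):
    return {"method": "POST", "url": f"{GRAPH}/groups/{group_id}/members/$ref",
            "headers": _auth(token),
            "body": {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"}}


def sync_group(send, creds, group, member_mails, owner_mails):
    """Run the whole exchange through `send` (any callable that issues the request
    and returns parsed JSON). Members that resolve to no single user, e.g. a nested
    Domino group, are reported in 'unresolved' rather than silently dropped."""
    token = send(token_request(*creds))["access_token"]
    resolved, unresolved = {}, []
    for mail in sorted(set(member_mails) | set(owner_mails)):
        hits = send(find_user_request(token, mail))["value"]
        if len(hits) == 1:
            resolved[mail] = hits[0]["id"]
        else:
            unresolved.append(mail)
    owners = [resolved[m] for m in owner_mails if m in resolved]
    created = send(create_group_request(token, group["displayName"],
                                        group["mailNickname"], owners))
    added = []
    for mail in member_mails:
        if mail in resolved:
            send(add_member_request(token, created["id"], resolved[mail]))
            added.append(resolved[mail])
    return {"groupId": created["id"], "added": added, "unresolved": unresolved}


class FakeGraph:
    """Constructed stand-in for Graph: just enough behaviour to serve the calls above."""
    def __init__(self, users):
        self.users, self.groups, self.calls = users, {}, []  # users: mail -> id

    def __call__(self, req):
        self.calls.append(req)
        url = urlsplit(req["url"])
        if url.path.endswith("/oauth2/v2.0/token"):
            return {"access_token": "constructed-token", "token_type": "Bearer"}
        if req["headers"].get("Authorization") != "Bearer constructed-token":
            return {"error": {"code": "InvalidAuthenticationToken"}}
        if url.path == "/v1.0/users" and req["method"] == "GET":  # demo-only filter parse
            m = re.fullmatch(r"mail eq '((?:[^']|'')*)'", parse_qs(url.query)["$filter"][0])
            mail = m.group(1).replace("''", "'")
            return {"value": [{"id": i, "mail": a} for a, i in self.users.items() if a == mail]}
        if url.path == "/v1.0/groups" and req["method"] == "POST":
            gid = f"g-{len(self.groups) + 1}"
            owners = [o.rsplit("/", 1)[1] for o in req["body"]["owners@odata.bind"]]
            self.groups[gid] = {"owners": owners, "members": []}
            return {"id": gid, **req["body"]}
        m = re.fullmatch(r"/v1.0/groups/([^/]+)/members/\$ref", url.path)
        if m and req["method"] == "POST":
            self.groups[m.group(1)]["members"].append(req["body"]["@odata.id"].rsplit("/", 1)[1])
            return {}
        raise ValueError(f"unexpected request {req['method']} {req['url']}")


def demo():
    """Constructed input: two users plus a Domino nested group with no user object in M365."""
    graph = FakeGraph({"alice@example.com": "u-alice", "o'brien@example.com": "u-obrien"})
    result = sync_group(graph, ("tenant-id", "client-id", "client-secret"),
                        {"displayName": "Sales", "mailNickname": "sales"},
                        ["alice@example.com", "o'brien@example.com", "sales-leads@example.com"],
                        ["alice@example.com"])
    result["calls"] = len(graph.calls)
    result["groupState"] = graph.groups[result["groupId"]]
    return result


if __name__ == "__main__":
    print(demo())
```

Against a real tenant, `send` would be a few lines around any HTTP client that posts the form or JSON body with the given headers and returns the parsed response; the request builders stay the same. The unresolved list is the hook for the nested-group rework: the AL can expand those Domino groups to their people and feed the expanded addresses back in. FakeGraph's regex over $filter exists only so the demo runs offline; it is not an OData parser.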
Franzw
2021-04-29 13:31:36 UTC
Post by Jared Roberts
I've got further with this with my customer...
They figured out how to use the REST API for M365 groups; they used Postman to test CRUD operations...
https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0
We then translated this into SDI using HTTP Connectors.
The first Connector does auth (that was the most difficult part to work out), then we construct a JSON package to be sent to M365 with an HTTP POST.
At the moment I have to re-work some logic to deal with nested groups in Domino, as they aren't supported in M365 (for non-security groups); these nested groups from Domino are being synced to AD on-prem just fine.
I'm doing this by using an LDAP Group Members connector, then using an Attribute Loop to retrieve the UUID of members from M365 using email address.
....more to come!... be happy to share my solution once I've figured it out.
Looking forward to seeing your configuration! :-)

Regards
Franz Wolfhagen
Eddie Hartman
2021-04-30 15:03:40 UTC
Let me know if you want to have a conversation about this. I can show you how to move the collection of HTTP Client connectors into a single scripted Connector - to make your ALs simpler :9

/e
Post by Jared Roberts
I've got further with this with my customer...
They figured out how to use the REST API for M365 groups; they used Postman to test CRUD operations...
https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0
We then translated this into SDI using HTTP Connectors.
The first Connector does auth (that was the most difficult part to work out), then we construct a JSON package to be sent to M365 with an HTTP POST.
At the moment I have to re-work some logic to deal with nested groups in Domino, as they aren't supported in M365 (for non-security groups); these nested groups from Domino are being synced to AD on-prem just fine.
I'm doing this by using an LDAP Group Members connector, then using an Attribute Loop to retrieve the UUID of members from M365 using email address.
....more to come!... be happy to share my solution once I've figured it out.