This story is about converting a manual (partly scripted) entry process for service accounts with mailboxes/O365 licenses and onboarding it into IdentityIQ.
How to deal with a hybrid setup with AD, EntraID and Exchange?
AD and EntraID are fairly well solved by AD Connect/Sync, which moves attributes both ways (mostly AD to EntraID). The Exchange/O365 side is a bit extra for me, as I have not been deeply involved in it yet. Although I have previously dealt with a crazy bug (memory buffer with Write-Output) when calling PowerShell scripts from Python via WinRM. So yes, I knew that there are PowerShell commands involved in creating and setting up the Exchange mailboxes.
How did I approach the task?
My brain works in a way that I need to understand the topic and have certain questions answered to feel comfortable and find the best future-proof solution. This task sounded fairly straightforward: convert the current manual approach into a more automated one in IdentityIQ. So I started with the current process.
First I went into a deeper analysis to understand:
- What is the current setup
- What is missing from the current setup / are there issues?
I had several meetings with different people involved in some way, to find out about the tools and the current steps. In addition, I got access to the tools repo and confirmed the functionality. It took a while, but I was able to map it to several steps.
The tools covered these areas (not ordered):
- Create AD user
- Create AD groups
- Assign user to a group
- PowerShell commands for on-prem Exchange (Exchange)
- PowerShell commands for Exchange Online (EXO)
- Assign distribution group and owner
- Onboarding to IdentityIQ and assigning owner
Some new questions came to the surface, like: are these steps still up to date? And what are the real end-user use cases? The first question seemed ok to answer on my own, but the second one was not fully clear. There were also minor issues. An additional finding was that many service accounts did not have an owner/responsible person, which is needed in order to charge department costs.
What is the correct order for the hybrid setup?
- Create AD account
  - With email attribute, UPN and so on
- PowerShell command Enable-RemoteMailbox (on-prem Exchange)
  - Wait for the AD account to replicate to the DC that Exchange reads from (negligible if the same DC is used for both steps)
  - Adds proxyAddresses, targetAddress and the other Exchange attributes to the AD object
- AD Sync to EntraID
  - Creates a user in EntraID
  - Creates a mail user, not a mailbox, in EXO (if the attributes are correct)
- Assign E5 license
  - Creates the EXO mailbox
- PowerShell command Add-MailboxPermission
  - Wait for the EXO mailbox to be created
  - Assign FullAccess/ReadPermission
- PowerShell command Add-RecipientPermission (send as)
  - Wait for the EXO mailbox to be created (the same wait as above; both cmdlets fail until the mailbox exists)
  - Assign SendAs
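As an added example, not the post's own tooling or the scripts from the tools repo, the order above as one PowerShell run, with a poll-with-timeout between the steps that cross a system boundary. The domain names, OU, on-prem Exchange host, Entra Connect server, usage location and E5 SkuId are placeholders that you would replace with your own values; the function and parameter names of the script are my own, the cmdlets are the real ones from the ActiveDirectory, Exchange, ExchangeOnlineManagement and Microsoft.Graph modules.

```powershell
<#
  Added example (not the post's own tooling): provisions one service account with an EXO mailbox
  in the order described above and polls between the asynchronous steps.
  Assumptions/placeholders: domain names, OU, on-prem Exchange host, Entra Connect server, usage
  location and the E5 SkuId. Needs the ActiveDirectory, ExchangeOnlineManagement and
  Microsoft.Graph.Users(.Actions) modules plus rights on AD, on-prem Exchange, Entra ID and EXO.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. svc-reporting
    [Parameter(Mandatory)] [string] $DisplayName,
    [Parameter(Mandatory)] [string] $OwnerUpn,         # responsible person: gets FullAccess and SendAs
    [string] $UpnDomain     = 'contoso.com',                           # assumption
    [string] $RoutingDomain = 'contoso.mail.onmicrosoft.com',          # assumption: tenant routing domain
    [string] $OU            = 'OU=Service Accounts,DC=contoso,DC=com', # assumption
    [string] $ExchangeHost  = 'exch01.contoso.com',                    # assumption: on-prem Exchange
    [string] $AdSyncServer  = 'aadconnect01',                          # assumption: Entra Connect server
    [string] $E5SkuId       = '00000000-0000-0000-0000-000000000000',  # assumption: from Get-MgSubscribedSku
    [string] $UsageLocation = 'DE'                                     # must be set before licensing
)
$ErrorActionPreference = 'Stop'
$upn = "$SamAccountName@$UpnDomain"

# Poll a condition until it is true or a timeout expires; used for every asynchronous step below.
function Wait-Until {
    param([scriptblock] $Condition, [string] $What, [int] $TimeoutSec = 900, [int] $IntervalSec = 30)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if (& $Condition) { return }
        Write-Verbose "Waiting for $What ..."
        Start-Sleep -Seconds $IntervalSec
    }
    throw "Timed out after $TimeoutSec s waiting for $What"
}

# 1. Create the AD account on one explicit DC, with a random password that is never stored:
#    nobody should log in interactively as this account, the mailbox is the asset.
$dc    = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32; $rng.GetBytes($bytes)
$pw    = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
New-ADUser -Server $dc -Path $OU -Name $DisplayName -DisplayName $DisplayName `
    -SamAccountName $SamAccountName -UserPrincipalName $upn -EmailAddress $upn `
    -AccountPassword $pw -Enabled $true

# 2. Enable-RemoteMailbox on-prem, pinned to the same DC so there is no replication wait.
#    Only this cmdlet is imported so it cannot collide with the EXO cmdlets used later.
$exSession = New-PSSession -ConfigurationName Microsoft.Exchange -Authentication Kerberos `
    -ConnectionUri "http://$ExchangeHost/PowerShell/"
Import-PSSession $exSession -CommandName Enable-RemoteMailbox -AllowClobber | Out-Null
Enable-RemoteMailbox -Identity $upn -RemoteRoutingAddress "$SamAccountName@$RoutingDomain" `
    -DomainController $dc | Out-Null
Remove-PSSession $exSession

# 3. Sync to Entra ID. A delta cycle is quicker than waiting for the 30-minute schedule, but the
#    object still only appears in Entra ID and EXO after the cycle finishes, hence the polling.
Invoke-Command -ComputerName $AdSyncServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta } | Out-Null
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Wait-Until -What 'user in Entra ID' -Condition { [bool](Get-MgUser -UserId $upn -ErrorAction SilentlyContinue) }
Wait-Until -What 'mail user in EXO' -Condition { [bool](Get-MailUser -Identity $upn -ErrorAction SilentlyContinue) }

# 4. Assign the E5 license. The usage location has to be set first or the assignment is rejected.
Update-MgUser -UserId $upn -UsageLocation $UsageLocation
Set-MgUserLicense -UserId $upn -AddLicenses @(@{ SkuId = $E5SkuId }) -RemoveLicenses @() | Out-Null

# 5. Both permission cmdlets fail until the mailbox exists, so poll once for it, then run both.
Wait-Until -What 'EXO mailbox' -Condition { [bool](Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue) }
Add-MailboxPermission -Identity $upn -User $OwnerUpn -AccessRights FullAccess -InheritanceType All -AutoMapping $false | Out-Null
Add-RecipientPermission -Identity $upn -Trustee $OwnerUpn -AccessRights SendAs -Confirm:$false | Out-Null

# 6. Return what the requestor needs to be told; sending the notification is left to the calling workflow.
[pscustomobject]@{ Upn = $upn; Owner = $OwnerUpn; Permissions = 'FullAccess, SendAs'; DomainController = $dc }
```

Two design points worth noting: every wait is a bounded poll that throws on timeout rather than a fixed `Start-Sleep`, so a stuck sync cycle surfaces as an error in the orchestrator instead of a half-provisioned account, and `-AutoMapping $false` keeps the service mailbox out of the owner's Outlook profile, which is usually what you want for an account whose owner exists only for cost allocation and break-glass access.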
After finding out the correct steps, I had to think about how that would work in IdentityIQ. There were a few challenges to clarify in order to design the solution properly, with some additional side effects. In reality there were more variants, e.g. a mailbox without an O365 license, some users limited to on-prem Exchange only, and also the possibility to change the mailbox type/license.
- Refine and define requirements
- Distribution group setup
- Run the commands in order with wait times
- Inform the requestor when last step succeeds
- Who will support the issues/errors?
- Dependency on external scripts
- Cooperation with AD scripts
- Future – onboarding more PowerShell scripts?
There were many things to consider, and I made estimations to move forward.