Granfeldt PowerShell Management Agent...synch rules..joins?

  • Question

  • Sorry for the newbie question.

    I am following Kent's posting for managing O365 using the Powershell MA https://konab.com/managing-office-365-licenses-using-fim-2010/

    However, I am guessing I am missing something either in my synchronization rule or my understanding of the PSMA.

    Even though I have set up a relationship of email to UPN on my Outbound Synch Rule, I am unable to get any joining.  It seems that joins do not work unless I create an explicit join within the PSMA itself.

    Do I need both the Sync rule and the join in the MA?  Or am I just not understanding correctly?  Any help would be appreciated.

    Monday, September 22, 2014 12:53 PM

All replies

  • Join rule and principles are not MA specific.

    Join in your Sync Rules should be enough. Do the metaverse objects contain the values that you expect to join on? I.e. have you imported UPN (userPrincipalName) from your AD MA to the metaverse?


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt


    Monday, September 22, 2014 3:08 PM
  • I am bringing in the userPrincipalName from AD.  However, for O365 we are using DirSync to push email to the UPN inside 365.  Therefore our AD userPrincipalName is not the same in AD and O365.

    When I do the import using Kent's scripts, I use the same schema and UPN as the anchor.  I was understanding that I could use the relationship criteria below and it would join?

    Thanks for helping the novice.

    Monday, September 22, 2014 3:21 PM
  • I can't remember Kent's scripts but they are based on my samples, I think. Basically for direct joins as you're trying to do here, you need to bring in a value in the connector (PSMA) that you can match exactly to a value on an object in the metaverse - otherwise you won't get a join, no matter if you are using sync rules or MA joins.

    Regards, Soren Granfeldt

    Monday, September 22, 2014 3:26 PM
  • Yes. As in the last reply.  I have email being set.  Therefore email should match the UPN that is being imported from O365 using the import in the PSMA. No?  The Expected Rule List is showing the Outbound Users to O365 as Add and Status Not Applied.

    I am sure I am missing something obvious.

    Thanks,

    Monday, September 22, 2014 5:52 PM
  • Could you provide a screenshot of the Metaverse object and the connector space object's attributes - of two objects that you expect to join up?

    Just to be 100% sure - you have run a profile with a sync step on the O365 MA, right?

    Regards, Soren Granfeldt

    Monday, September 22, 2014 5:59 PM
  • Pics removed
    Monday, September 22, 2014 6:36 PM
  • Okay, looks to be in order. Again, just to be 100% sure - you have run a profile with a sync step on the O365 MA, right?

    Also, what's the scope of the sync rule? Is it applied to relevant objects? And is sync rule prov enabled? Maybe you could try a direct join-rule on the O365MA to see if it is your SR that is misconfigured.

    Regards, Soren Granfeldt

    Monday, September 22, 2014 6:40 PM
  • Scope is person..O365MA..user..not using any scoping filters.  Yes Sync rule provisioning enabled.  Direct join in the O365MA works.  As soon as I added a direct join-rule on the O365MA, I got the Add, Applied.  That seems to work.  But without the direct join-rule things do not seem to be working.  This is why I was a bit confused.

    Monday, September 22, 2014 6:50 PM
  • Hmmm, and the sync rule has been imported from the FIM Service/Portal to the metaverse and applied to all persons? Or is it a scoped SR?

    Regards, Soren Granfeldt

    Monday, September 22, 2014 6:55 PM
  • Monday, September 22, 2014 8:09 PM
  • Well, I'm sorry - from what you've sent me, I can't seem to find the issue. I don't use SR's that much anymore; I prefer classic so I might be missing something here :-)

    Seems your data is okay, since direct-joins are working, so it must be some config error or similar in your SR's (scoped to the right object type?)

    Sorry, I can't be of more help. This is not a PSMA problem, but an SR problem...


    Regards, Soren Granfeldt


    Monday, September 22, 2014 8:12 PM
  • I am glad I am not the only one that can't find the issue.  I want to hand out a big Thank You for all your help and what you have contributed to all the FIM Users worldwide.

    Thanks again.

    Monday, September 22, 2014 8:16 PM
  • You should examine your SR's thoroughly. Hopefully there is someone using SR's more than me that might see something obvious that I'm overlooking.

    You should be able to use SR's.

    Regards, Soren Granfeldt

    Monday, September 22, 2014 9:48 PM