In a hybrid infrastructure there are two common scenarios for synchronizing on-premises Active Directory objects to Azure Active Directory:

  • Scenario 1: the Azure Active Directory connector; more details about this connector can be found in this MSDN article.
  • Scenario 2: the Azure AD DirSync tool, configured to periodically synchronize AD objects to Azure AD.

Consider Scenario 2: the DirSync tool is configured to synchronize objects and password hashes between the two Active Directories, and assume a scheduled task on a remote machine runs the DirSync tool every X hours.

Business Scenario

In some business scenarios you may need to run the DirSync tool outside its schedule.

In this case we wanted to run the DirSync tool whenever a user who has an Exchange Online mailbox uses the FIM Self-Service Password Reset Portal to reset their password.

Approach

The approach taken to implement this requirement was to develop a Custom Workflow Activity in the FIM Portal and attach it to the “Password Reset Action Workflow”.

Implementation

1. Create a Custom Workflow Activity.

We assume you already know how to develop and deploy custom workflow activities to the FIM Portal; if not, please refer to this MSDN article.

In the Custom WF Activity, create the following settings fields:

  • Office365 Admin Username
  • Office365 Admin Password (Secured Textbox)
  • Domain Name
  • Sync Machine Name (FQDN): The FQDN of the remote machine that has DirSync tool installed and the scheduled task configured.
  • Scheduled Task Name

The Custom WF Activity UI should look like this:

[Screenshot: Custom WF Activity settings UI]

2. Code

Code behind: the activity mainly uses the following four activities:

[Screenshot: the four activities in the workflow designer]

  1. ReadCurrentRequestActivity: This activity reads the current request parameters. Note that the target resource is the user who reset their password.
  2. InitializeReadTargetResource: This code activity gets the Target User GUID and initializes the next read-resource activity. We want to read the Target User's Email attribute.
  3. ReadTargetResourceActivity: This activity reads the user resource together with its “Email” attribute.
  4. TriggerSyncCodeActivity: In this code activity, run an Office 365 PowerShell command to check whether the target user has an Exchange Online mailbox. If so, trigger the DirSync scheduled task on the remote machine.

This is the method that triggers the scheduled task on the remote machine.

Note that the Task Scheduler Managed Wrapper NuGet package is used to run the task: retrieve the task, make sure it is not already running, and then run it.

[Screenshot: code of the trigger method]
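As an added example (not the post's own code, which is in the screenshot above and the linked GitHub project), here is how such a trigger method can be written with the Task Scheduler Managed Wrapper; the method name, parameter names and the boolean return convention are assumptions of this example.

```csharp
// Added example: trigger the DirSync scheduled task on the remote sync machine
// with the Task Scheduler Managed Wrapper (Microsoft.Win32.TaskScheduler.dll).
// Method and parameter names are assumed, not taken from the post.
using System;
using Microsoft.Win32.TaskScheduler;

public static class DirSyncTrigger
{
    // Returns true if the task was started, false if it was already running.
    // Throws if the task does not exist on the remote machine, so a mistyped
    // task name surfaces in the workflow instead of failing silently.
    public static bool RunRemoteTask(string syncMachineFqdn, string taskName,
                                     string userName, string domain, string password)
    {
        // Connect to the Task Scheduler service on the sync machine with the
        // Office 365 / domain account configured in the activity settings. The
        // account only needs rights to read and run this one task there.
        using (var ts = new TaskService(syncMachineFqdn, userName, domain, password))
        {
            Task task = ts.GetTask(taskName);
            if (task == null)
            {
                throw new InvalidOperationException(string.Format(
                    "Scheduled task '{0}' was not found on {1}", taskName, syncMachineFqdn));
            }

            // Follow the post's rule: if a DirSync run is already in progress,
            // do not start a second instance.
            if (task.State == TaskState.Running)
            {
                return false;
            }

            task.Run();
            return true;
        }
    }
}
```

Call it from TriggerSyncCodeActivity after the Exchange Online mailbox check succeeds, passing the Sync Machine Name (FQDN) and Scheduled Task Name settings from the activity UI.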

3. Build the solution and use GacUtil to publish it.

Since we use an external NuGet package, we need to copy the Task Scheduler Managed Wrapper DLL “Microsoft.Win32.TaskScheduler.dll” to the “C:\Program Files\Microsoft Forefront Identity Manager\2010\Service” directory. A restart of both the FIMService and IIS is required.

4. Portal configuration

Open the FIM Portal as a FIM Administrator, navigate to Workflows, then open “Password Reset Action Workflow”.

Add the new Custom WF Activity after the “ActiveDirectory Password Reset Activity” and you are ready to go.

[Screenshots: the workflow configuration in the FIM Portal]

Note: all code files can be found in this GitHub project.