AD Group membership for Exchange mailbox

fouriefb
Regular Contributor

Hi All,

So we understand from Saviynt that the way enable and disable via PS script works is that the mailbox will be created for an AD user as they request a certain group membership.

Having been an Exchange admin for some years, I have never come across a group like this.

Does anyone have any information on this, or have Exchange mailbox enablement working in their environments, that can shed some light on this "group"?

Looking forward to your responses

6 REPLIES

timchengappa
Saviynt Employee

Hello @fouriefb 

When you create an account in AD, the user is automatically created in the Microsoft Exchange Server.
Having said that, there is no specific group that needs to be added to AD to enable the mailbox.

When a Saviynt task is created to enable a mailbox, the task will invoke a PowerShell script via the Win-PS Connector, which enables the mailbox.

Please refer to our Microsoft Exchange Connector Guide for additional details on integrating with MS Exchange.

Hello @timchengappa 

Thanks for your reply. As Exchange is integrated with AD, you are correct that all users exist in Exchange. The thing is, in various meetings with Saviynt, it was explained that the trigger is that if you belong to a certain group, this will run the script.

The question now is: if you request nothing from Saviynt, what will trigger the PS script to run? Saviynt documentation leaves a lot to be desired and is incomplete even in setting up the Saviynt APP. Win-PS could not work in our test environment and Saviynt said it should be a REST connector.

For something so simple it seems like a very complex setup, which it may very well be if documentation was more complete in explaining this exactly. We are now at month 4, still not able to enable or disable mailboxes on on-prem Exchange.

fouriefb
Regular Contributor

Is there anyone that has Exchange mailbox enabling working in their environment that can maybe shed some light on this article?

Thanks in advance

timchengappa
Saviynt Employee

Hello @fouriefb 

We have several customers who have implemented the "enable mailbox" functionality via the WinPS connector (PS script). Hopefully, my response below will help provide some additional clarity...

The simplest way to trigger your "enable mailbox" is by creating/integrating a separate security system, endpoint, and connection for MS Exchange. In the create as well as update account JSON section of the connector, you can either pass the PS script itself or call the PS script hosted on the Windows box (Win Connector). Once this is established, the end user can submit a request in Saviynt to create an account in MS Exchange. Once the request has been approved and a 'New-Account' type task has been created, and when the provisioning job picks this task up, it will invoke the PS script.

Alternatively, you can also explore UserUpdate/Technical Rules to trigger the "New Account" type tasks for the Exchange security system, which in turn will invoke the PS scripts.

Also, thanks for the feedback on the documentation. I will have the respective team review it and add some more details about your use case.

Thank you for your reply @timchengappa 

Does it mean that I can get away without using the WinApp (IIS)? If you say I can pass the PowerShell script in createaccountJSON, do I then create a connection directly with the Exchange server?

Thanks in advance

PS scripts are executed from the Windows box (WinApp{IIS}). This is required* for any MS Exchange integration with Saviynt. You will not be able to connect directly with the Exchange server as there would be no means to execute the PS scripts.

Option 1: The PS script resides on the Windows box (WinApp{IIS}) server.
The location where the PS script resides on the Windows box (WinApp{IIS}) is mentioned in the create account JSON of the REST/WinPS connector (this is recommended), which connects to the Windows box (WinApp{IIS}), which in turn executes the PS script.

Option 2: The PS script is constructed/embedded into the REST/WinPS connector.
Instead of mentioning the location where the PS script resides on the Windows box (WinApp{IIS}) in the create account JSON of the REST/WinPS connector, the entire PS script itself is embedded into the REST/WinPS connector, which connects to the Windows box (WinApp{IIS}) server, which in turn calls the PS script.

Doc Reference: https://docs.saviyntcloud.com/bundle/WinPS-v2020x/page/Content/Understanding_the_Integration-between...
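For readers following Option 1 above, here is a sketch of what a script hosted on the Windows box could look like. It is an added example, not part of the thread and not Saviynt's own code. The file name, parameter names and JSON result shape are assumptions; `Get-User` and `Enable-Mailbox` are the standard Exchange cmdlets and must already be loaded in the session.

```powershell
# Enable-UserMailbox.ps1 (hypothetical name): added example, not Saviynt's script.
# Parameter names and the JSON result shape are assumptions for illustration.
[CmdletBinding()]
param(
    # Account name handed over by the provisioning task; only a conservative
    # character set is accepted so the value cannot carry anything but a name.
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
    [string]$SamAccountName,

    # Optional mailbox database; Exchange selects one when this is omitted.
    [ValidatePattern('^[A-Za-z0-9 _-]{1,64}$')]
    [string]$Database
)

$ErrorActionPreference = 'Stop'

# Emit one compact JSON line so the caller can parse the outcome.
function Write-Result([string]$Status, [string]$Detail) {
    [pscustomobject]@{ account = $SamAccountName; status = $Status; detail = $Detail } |
        ConvertTo-Json -Compress
}

try {
    # Fail early if the session has no Exchange cmdlets available.
    if (-not (Get-Command Enable-Mailbox -ErrorAction SilentlyContinue)) {
        throw 'Exchange cmdlets are not loaded in this session.'
    }

    # Idempotence: a retried task must not fail on an already enabled mailbox.
    $user = Get-User -Identity $SamAccountName -ErrorAction Stop
    if ($user.RecipientType -eq 'UserMailbox') {
        Write-Result 'skipped' 'mailbox already enabled'
        exit 0
    }

    $params = @{ Identity = $SamAccountName; ErrorAction = 'Stop' }
    if ($Database) { $params.Database = $Database }

    $mailbox = Enable-Mailbox @params
    Write-Result 'enabled' "$($mailbox.PrimarySmtpAddress)"
    exit 0
}
catch {
    # Report the failure reason and signal it through the exit code.
    Write-Result 'failed' $_.Exception.Message
    exit 1
}
```

Keeping the script on the Windows box and passing only validated parameters means the connector JSON never carries executable script text, which is easier to review and to restrict with file permissions.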