Problem:
Users could not be activated for O365
The logfile `/var/log/univention/listener.log` shows these error messages:
```
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/listener/api_adapter.py", line 165, in _handler
    self._module_handler.modify(dn, old, new, self._saved_old_dn if self._rename else None)
  File "/usr/lib/univention-directory-listener/system/office365-user.py", line 76, in modify
    self.connector.modify(new_udm_user=new_udm_user, old_udm_user=old_udm_user)
  File "/usr/lib/python3/dist-packages/univention/office365/connector/connector.py", line 582, in modify
    self.new_or_reactivate_user(new_udm_user, core)
  File "/usr/lib/python3/dist-packages/univention/office365/connector/connector.py", line 482, in new_or_reactivate_user
    user_azure.create_or_modify()
  File "/usr/lib/python3/dist-packages/univention/office365/microsoft/objects/azureobjects.py", line 375, in create_or_modify
    response = self._core.add_user(self.get_not_none_values_as_dict())
  File "/usr/lib/python3/dist-packages/univention/office365/microsoft/core.py", line 607, in add_user
    expected_status=[201]
  File "/usr/lib/python3/dist-packages/univention/office365/microsoft/core.py", line 853, in _call_graph_api
    raise typecast_error_into_child_class(error)
univention.office365.microsoft.exceptions.core_exceptions.MSGraphError: HTTP response status: 400
HTTP response expected status: [201]
> request url: https://graph.microsoft.com/v1.0/users
> request header: {
  "User-Agent": "Univention Microsoft 365 Connector",
  "Accept-Encoding": "gzip, deflate",
  "Accept": "*/*",
  "Connection": "keep-alive",
  "Content-Type": "application/json",
  "Authorization": "XXX",
  "Content-Length": "418"
}
> request body: {
  "displayName": "Christina Scheinig",
  "mailNickname": "cscheini",
  "accountEnabled": true,
  "givenName": "Christina Scheinig",
  "onPremisesImmutableId": "MTRlYzIxNDYtNDFkMC0xMDNmLTlhYWItZDliN2YxNTA5NGIz",
  "otherMails": [
    "cscheini@superpb.me"
  ],
  [....]
  },
  "surname": "Scheinig",
  "usageLocation": "DE",
  "userPrincipalName": "cscheini@sun.superbp.me"
}
> response header: {
  [....]
}
> response body: {
  "error": {
    "code": "Request_BadRequest",
    "message": "The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.",
    "details": [
      {
        "code": "InvalidValue",
        "message": "The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.",
        "target": "userPrincipalName"
      }
    ],
    [...]
  }
}
}
```
Investigation:
This is a nasty typo. It is difficult to find, but the error message tells you what to compare. Check
- the registered domains in Azure (the names of the user-defined domains)
- the logfiles `/var/log/univention/listener.log` and/or `/var/log/univention/listener_modules/office365-user.log`
- `/usr/share/univention-office365/scripts/manage_adconnections list` to get the path to the connections: `/etc/univention-office365/<connection-alias>`
Solution:
Check where the typo occurred.
In this case we found the cause in `/etc/univention-office365/sun/ids.json`:
```
{"adconnection_alias": "sun", "client_id": "XXXXXXXX-xxxx-xxxx-XXXX-XxXxXxXxXxXx", "adconnection_id": "xxxxxxxx-XXXX-XXXX-xxxx-xXxxXxXxxXXx", "reply_url": "https://10.200.43.45/microsoft365-authorize", "domain": "sun.superbp.me"}
```
After correcting the domain part in this file with an editor, the users are synchronized again. You may have to retrigger the user by changing the description.
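As an added example (not part of this article and not code from the Univention connector), the following Python script automates the comparison described above: it reads the `domain` value from a connection's `ids.json`, checks it against the list of verified domains you read off the Azure portal, and on a mismatch suggests the closest verified domain, which catches transpositions like the one in this case. The `ids.json` content and the verified-domain list are constructed samples (placeholder IDs, no live tenant); the JSON keys are the ones shown in the file above.

```python
import difflib
import json
from typing import Dict, List, Optional

# Constructed sample of /etc/univention-office365/<alias>/ids.json.
# Keys match the file shown in the article; the IDs and reply_url are placeholders.
SAMPLE_IDS_JSON = json.dumps({
    "adconnection_alias": "sun",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "adconnection_id": "00000000-0000-0000-0000-000000000000",
    "reply_url": "https://ucs.example.invalid/microsoft365-authorize",
    "domain": "sun.superbp.me",  # contains the letter transposition
})

# Constructed sample of the tenant's verified (user-defined) domains,
# i.e. what you would copy from the Azure portal. Not fetched from any tenant.
SAMPLE_VERIFIED_DOMAINS = ["superpb.me", "sun.superpb.me"]


def domain_from_ids_json(text: str) -> str:
    """Return the normalized 'domain' value of an ids.json document."""
    data = json.loads(text)
    return data["domain"].strip().lower()


def upn_domain(upn: str) -> str:
    """Return the domain portion of a userPrincipalName (the part Graph rejected)."""
    if "@" not in upn:
        raise ValueError("userPrincipalName has no domain portion: %r" % upn)
    return upn.rsplit("@", 1)[1].lower()


def check_domain(domain: str, verified: List[str]) -> Dict[str, Optional[str]]:
    """Compare one domain against the verified list.

    On a mismatch, difflib proposes the closest verified domain so that a
    typo such as 'superbp' vs 'superpb' is pointed out instead of merely flagged.
    """
    normalized = [d.strip().lower() for d in verified]
    wanted = domain.strip().lower()
    if wanted in normalized:
        return {"domain": wanted, "status": "verified", "suggestion": None}
    close = difflib.get_close_matches(wanted, normalized, n=1, cutoff=0.8)
    return {"domain": wanted, "status": "not verified",
            "suggestion": close[0] if close else None}


def check_connection(ids_json_text: str, verified: List[str]) -> Dict[str, Optional[str]]:
    """Run the check for the contents of one connection's ids.json."""
    return check_domain(domain_from_ids_json(ids_json_text), verified)


if __name__ == "__main__":
    # With a real installation you would read the file for each alias listed by
    # manage_adconnections instead of using the constructed sample.
    print(json.dumps(check_connection(SAMPLE_IDS_JSON, SAMPLE_VERIFIED_DOMAINS), indent=2))
```

The same `check_domain` call can be applied to the domain portion of the `userPrincipalName` from the failed request body, which is what the Graph error message complains about; if both the `ids.json` domain and the UPN domain fail the check, the file is the single place to fix.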