# D118-O365-SSO

Scripts to sync the O365 Immutable IDs into Google account custom attributes, which is needed for O365 single sign-on via Google accounts.

Primary language: Python. License: MIT.

## Overview

This project consists of two scripts, one PowerShell and one Python, that get the "Immutable IDs" from O365 for each user and write them into a custom attribute in the user's Google profile. The PowerShell script runs first: it uses the MSOnline module to retrieve every user's UserPrincipalName (in our case this is the email address) and ImmutableId, and exports them to a .csv file. The Python script then lists all users in the Google organization once and stores each user's current Immutable ID custom attribute in a dictionary keyed by email, so the comparison can be done in memory instead of doing a profile lookup for each user individually, which saves a lot of time. It then reads the .csv file and, for each user, compares the Immutable ID exported by PowerShell with what is currently in their Google profile. If there is a mismatch, it calls an update on the Google profile to set the custom attribute to the correct value.
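The Python side of that procedure, as an added example written for this README rather than the project's own script: it parses the export, indexes the current attribute values from one paginated `users.list` pass, plans only the mismatched writes, and builds the `users.patch` body. The CSV column names (`UserPrincipalName`, `ImmutableId`), the schema/field names `SSO`/`ImmutableID`, and both sample inputs are constructed assumptions; the Admin SDK calls (`service.users().list(... projection="full")`, `service.users().patch(...)`) are the real Directory API methods and only run with a live `service` object.

```python
import csv
import io

# Internal schema and field names as configured in Google Admin. These two
# values are assumptions for this example; the project has its own constants.
CUSTOM_ATTRIBUTE_CATEGORY = "SSO"
CUSTOM_ATTRIBUTE_NAME = "ImmutableID"

# Constructed stand-in for the PowerShell export. The column headers are an
# assumption; the page does not document the exact CSV layout.
SAMPLE_EXPORT = """UserPrincipalName,ImmutableId
alice@example.org,AbCdEf1234567890==
Bob@example.org,ZyXwVu0987654321==
carol@example.org,
dave@example.org,NoGoogleAccount==
"""

# Constructed stand-in for the user resources that
# service.users().list(customer="my_customer", projection="full") returns.
SAMPLE_GOOGLE_USERS = [
    {"primaryEmail": "alice@example.org",
     "customSchemas": {"SSO": {"ImmutableID": "AbCdEf1234567890=="}}},
    {"primaryEmail": "bob@example.org",
     "customSchemas": {"SSO": {"ImmutableID": "stale-value"}}},
    {"primaryEmail": "carol@example.org"},            # attribute never set
    {"primaryEmail": "erin@example.org", "customSchemas": {"SSO": {}}},
]


def parse_export(csv_text):
    """Return {upn: immutable_id} from the export, skipping rows with no ID.

    UPNs are lower-cased so they compare equal to Google's primaryEmail
    regardless of how either side capitalises them."""
    exported = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["UserPrincipalName"].strip().lower()
        immutable_id = row["ImmutableId"].strip()
        if upn and immutable_id:
            exported[upn] = immutable_id
    return exported


def list_all_users(service):
    """Fetch every user in the domain with projection=full, following pageToken."""
    users, page_token = [], None
    while True:
        response = service.users().list(
            customer="my_customer", projection="full",
            maxResults=500, pageToken=page_token).execute()
        users.extend(response.get("users", []))
        page_token = response.get("nextPageToken")
        if not page_token:
            return users


def index_current_ids(users, category=CUSTOM_ATTRIBUTE_CATEGORY,
                      name=CUSTOM_ATTRIBUTE_NAME):
    """Build {email: current attribute value or None} from one pass over users."""
    current = {}
    for user in users:
        value = user.get("customSchemas", {}).get(category, {}).get(name)
        current[user["primaryEmail"].lower()] = value
    return current


def plan_updates(exported, current):
    """Return sorted (email, immutable_id) pairs whose Google value differs.

    UPNs with no matching Google account are skipped rather than treated as
    an error, since the export covers the whole O365 tenant."""
    return sorted(
        (email, immutable_id)
        for email, immutable_id in exported.items()
        if email in current and current[email] != immutable_id)


def patch_body(immutable_id, category=CUSTOM_ATTRIBUTE_CATEGORY,
               name=CUSTOM_ATTRIBUTE_NAME):
    """Request body for users.patch that touches only the one custom field."""
    return {"customSchemas": {category: {name: immutable_id}}}


def apply_updates(service, updates):
    """Write each planned change through the Admin SDK Directory API."""
    for email, immutable_id in updates:
        service.users().patch(userKey=email,
                              body=patch_body(immutable_id)).execute()


if __name__ == "__main__":
    # Offline dry run on the constructed data; with a real service object you
    # would call list_all_users(service) and apply_updates(service, plan).
    plan = plan_updates(parse_export(SAMPLE_EXPORT),
                        index_current_ids(SAMPLE_GOOGLE_USERS))
    for email, immutable_id in plan:
        print(f"would set {email} -> {immutable_id}")
```

Splitting the work into `plan_updates` and `apply_updates` lets you review the planned writes before touching any account, and `patch_body` sends only the one custom field so nothing else on the profile is overwritten. Case-insensitive matching on the email is a deliberate choice here, since UPNs and `primaryEmail` are often capitalised differently on the two sides.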

## Requirements

The following Environment Variables must be set on the machine running the script:

  • O365_USERNAME
  • O365_PASSWORD

These are the username and password of an O365 account that has the permissions needed to read the requested user fields. Because the PowerShell script signs in non-interactively with these values, the account cannot be one that requires interactive MFA. If you prefer, you can edit the script to use other environment variable names; hard-coding the credentials in the script itself also works, but it leaves a plaintext password in the file and is not recommended.

The following Python library must be installed on the host machine (links to the installation guide):

In addition, an OAuth `credentials.json` file must be in the same directory as the script. This is the credentials file you can download from the Google Cloud Developer Console under APIs & Services > Credentials > OAuth 2.0 Client IDs. Download the file and rename it to `credentials.json`. When the program runs for the first time it will open a web browser and prompt you to sign in to a Google account that has permission to read and update users in Google Admin (this script writes a custom attribute on user profiles). Based on this login it generates a `token.json` file that is used for authorization on later runs. When the token expires it should auto-renew unless you revoke the authorization on the account or delete the credentials from the Google Cloud Developer Console. Treat `token.json` like a password: it holds a refresh token for an admin account. One `credentials.json` file can be shared across multiple similar scripts if desired. There are full tutorials on getting these credentials from scratch available online. As a quickstart, create a new project in the Google Cloud Developer Console, follow these instructions to get the OAuth credentials, and then enable APIs in the project (the Admin SDK API is used in this project).

The following PowerShell module must be installed on the host machine:

Finally, in Google Admin you must create a custom attribute to store the Immutable ID. This can be done from Directory > Users > More Options > Manage Custom Attributes. You can create a new category or use an existing one if you already have other custom attributes; the Immutable ID attribute must be a text field. Take the category and field names and set the `CUSTOM_ATTRIBUTE_CATEGORY` and `CUSTOM_ATTRIBUTE_NAME` constants in the Python script to match them. If the names contain spaces, or you created an attribute, deleted it and then created a new one with the same name, the display names can differ from what the attribute is actually called internally in Google, and the script must use the internal names. To see all the custom attributes for a user, you can call `print(user.get('customSchemas', {}))` inside a user query that includes `projection='full'`; it shows each custom attribute's category and field name as Google stores them, which you can then plug into the constants.
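The name lookup described above, as an added example that is not part of the project: instead of reading `customSchemas` by eye, it resolves the names shown in Google Admin to the internal `schemaName`/`fieldName` using the Directory API's `schemas.list` response (`service.schemas().list(customerId="my_customer").execute()`), and also flattens one user's `customSchemas` into a searchable dictionary. The sample response, its display names with spaces, and the `O365_SSO`/`Immutable_ID` internal names are constructed assumptions.

```python
# Constructed example of the response from
# service.schemas().list(customerId="my_customer").execute(). The display
# names with spaces are exactly the case where the Admin UI label and the
# internal name the API expects can differ.
SAMPLE_SCHEMAS_RESPONSE = {
    "schemas": [
        {"schemaName": "O365_SSO", "displayName": "O365 SSO",
         "fields": [{"fieldName": "Immutable_ID", "displayName": "Immutable ID",
                     "fieldType": "STRING"}]},
        {"schemaName": "HR", "displayName": "HR",
         "fields": [{"fieldName": "Employee_ID", "displayName": "Employee ID",
                     "fieldType": "INT64"}]},
    ]
}


def resolve_custom_attribute(schemas_response, category, field):
    """Map the names shown in Google Admin to the internal schemaName/fieldName.

    Either the display name or the internal name is accepted for both parts.
    Raises LookupError listing what does exist, and ValueError if the field
    is not a text (STRING) field, so a misconfigured constant fails here
    with a readable message instead of as an opaque 400 from users.patch."""
    for schema in schemas_response.get("schemas", []):
        if category not in (schema["displayName"], schema["schemaName"]):
            continue
        for f in schema.get("fields", []):
            if field in (f["displayName"], f["fieldName"]):
                if f["fieldType"] != "STRING":
                    raise ValueError(
                        f"{category}/{field} is {f['fieldType']}, not a text field")
                return schema["schemaName"], f["fieldName"]
        available = [f["displayName"] for f in schema.get("fields", [])]
        raise LookupError(
            f"no field {field!r} in category {category!r}; fields: {available}")
    available = [s["displayName"] for s in schemas_response.get("schemas", [])]
    raise LookupError(
        f"no custom attribute category {category!r}; categories: {available}")


def flatten_custom_schemas(user):
    """Return {(schemaName, fieldName): value} for one user resource.

    The user resource is what users.get(userKey=..., projection="full")
    returns; this is the same data as print(user.get('customSchemas', {}))
    but as a structure you can search instead of read by eye."""
    flat = {}
    for schema_name, fields in user.get("customSchemas", {}).items():
        for field_name, value in fields.items():
            flat[(schema_name, field_name)] = value
    return flat


if __name__ == "__main__":
    category, field = resolve_custom_attribute(
        SAMPLE_SCHEMAS_RESPONSE, "O365 SSO", "Immutable ID")
    print(f"CUSTOM_ATTRIBUTE_CATEGORY = {category!r}")
    print(f"CUSTOM_ATTRIBUTE_NAME = {field!r}")
```

Run the resolver once against your real tenant and paste the two values it prints into the constants; if it raises, the message lists the categories or fields that actually exist, which is usually enough to spot a renamed or recreated attribute.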

## Customization

The script is pretty simple and should not need much customization beyond making sure `CUSTOM_ATTRIBUTE_CATEGORY` and `CUSTOM_ATTRIBUTE_NAME` are correct.

  • If you want to change the name of the .csv file, edit `$OutputFileName` in the PowerShell script and `INPUT_FILE_NAME` in the Python script so that they match.