Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] New Office 365 Consumer Log and Unified Groups

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] New Office 365 Consumer Log and Unified Groups

Chronological Thread 
  • From: "Black, Carey M." <>
  • To: Beth Halsema <>, Grouper Users <>
  • Subject: RE: [grouper-users] New Office 365 Consumer Log and Unified Groups
  • Date: Fri, 24 Jul 2020 20:30:41 +0000
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t4OJ1+jrxsiv1y3b1vVLOruyEn1oWxGXcIbEZTPA43Y=; b=byahoFokVLhCQo8pO+MYWds2H2ONMu58ADTmR7NM96Qd036a0WCGLhjy2ysXEDjXJv+5iiVPx7VvlLjZftZuR2DJDm6bWoLZYM8Orfr64PTbryaJdtHzr6dn3/voWambJIx6Y9bjMLRht7Dyb7BvNqKROyGwy0P9oHUrJijA82HkCaPNjaMYUaUNjV/Dc3bBl3sk7LYvFxYRLe0tDgVt7rVGVZWDmWaQnZ1IydU8OOMD+nITiE0P3tmg0FNZsRusqmQF/tJUH+dvTXE1/gKuxBBln4mqbTWSvDwbH3YCBALqFlEFdDQ/zujuMLwbMvsq4Da+3HBc2PVaNtGqv7o9jQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=Q1i/L+QfcpFi0WhaHPdtsKY5mCkLJNjcjR2S0agq2lqK4uKaSDFofVGHMITOxegt867awRHteLH47g/PMwZr/OAN57JU2tf4vWlL12UqwbzgUemgkEeKUomeaMFchonJX3miR2FcmHRkkXY8YczBKQWxNE9gqhfB9+H2OAT+wJ8U6onxKLX91CH82x8uANcrXxUoOePPufEtMII5zHGgxIQERBB2EzE9Uf9LvJxSPZC4aKCF2sTNBwJi0JEzUAqEIxmViYlxLjendhK5p1jgOUgZRJoY4pXDKvjB+H8LlelsSmsQiv4p4knXFJj8gt3prl6KFSm4EXCZLHFTI+3ArA==



Not much of an answer.. but I find it unfortunately "normal" to see stuff like this in "API"s....  ( Sloppy docs, and/or sloppy API's...)

                There are 3 separate forms of "HiddenMembership" in those M$ docs.


                "HiddenMembership" :

                "Hiddenmembership" :

                "hiddenMembership" :



The error you are reporting looks like a JSON parser error to my eye.

                But I don't know (100% certain) if that is before the client sent a string, or after the client got a message back from M$.


Based on a quick read of the Grouper code it looks like it only is using the "Hiddenmembership" form ( in edu.internet2.middleware.grouper.changeLog.consumer.o365.model.Group ).


So that string likely is coming back from o365 and not matching the "Hiddenmembership".

But my read of the official o365 docs seems to suggest that "Hiddenmembership" is the correct string. So maybe they are sending back an invalid value?



And to be fair and complete...


                                has: "public private, and hiddenmembership", "[Public* | Private | Hiddenmembership]" and "Private, Public, HiddenMembership,".



So yea... The defintion is "clear as mud" for the correct value for that string. 😊



Carey Matthew


-----Original Message-----
From: <> On Behalf Of Beth Halsema
Sent: Friday, July 24, 2020 3:47 PM
Subject: [grouper-users] New Office 365 Consumer Log and Unified Groups



Our team is attempting to use the new Office 365 consumer log to maintain

course groups in Office 365.


We had successfully done so using the security groups; however, we wanted

to use the "Hiddenmembership" Unified groups in order to comply with

FERPA regulations and support the collaboration team's need to create

Microsoft Teams from these groups.


We modified the values in the file:


changeLog.consumer.o365.class = edu.internet2.middleware.grouper.changeLog.consumer.Office365ChangeLogConsumer

# fire every 5 seconds

changeLog.consumer.o365.quartzCron = 0,5,10,15,20,25,30,35,40,45,50,55 * * * * ?

changeLog.consumer.o365.syncAttributeName = etc:attribute:office365:o365Sync

changeLog.consumer.o365.retryOnError = true

changeLog.consumer.o365.tenantId = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

changeLog.consumer.o365.clientId = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

changeLog.consumer.o365.clientSecret = :)

changeLog.consumer.o365.domain =

changeLog.consumer.o365.idAttribute = uid

#changeLog.consumer.o365.upnAttribute =

changeLog.consumer.o365.groupJexl ="^app:office365:groups:courses:service:policy:","GROUPER-courses-")

#changeLog.consumer.o365.mailNicknameJexl =

#changeLog.consumer.o365.descriptionJexl =

#changeLog.consumer.o365.subjectJexl =

#changeLog.consumer.o365.groupType = [Security* | Unified]

changeLog.consumer.o365.groupType = Unified

#changeLog.consumer.o365.visibility = [Public* | Private | Hiddenmembership]  * Only works with Unified groups

changeLog.consumer.o365.visibility = Hiddenmembership

#changeLog.consumer.o365.proxyType = [http | socks]

#changeLog.consumer.o365.proxyHost =

#changeLog.consumer.o365.proxyPort =


I modified the file




in our Docker containers in order to increase the logging.


       = DEBUG


The outcome was:


1. The groups are created in Office 365.  According to the Office 365

   admin portal, we created Microsoft 365 HiddenMembership groups.


   No owners and no members.


   In the logs/grouper_daemon.log file, the following error is logged:


Did not get all the way through the batch! 1848027 != 1848101java.lang.RuntimeException: Error in loader job: null, check logs: Error: o365 threw an exception processing change log entry sequence number 1848027., sequenceNumber: 1848027, com.squareup.moshi.JsonDataException: Expected one of [Public, Private, Hiddenmembership] but was HiddenMembership at path $.visibility

                at com.squareup.moshi.StandardJsonAdapters$EnumJsonAdapter.fromJson(

                at com.squareup.moshi.StandardJsonAdapters$EnumJsonAdapter.fromJson(

                at com.squareup.moshi.JsonAdapter$2.fromJson(

                at com.squareup.moshi.ClassJsonAdapter$

                at com.squareup.moshi.ClassJsonAdapter.fromJson(

                at com.squareup.moshi.JsonAdapter$2.fromJson(

                at retrofit2.converter.moshi.MoshiResponseBodyConverter.convert(

                at retrofit2.converter.moshi.MoshiResponseBodyConverter.convert(

                at retrofit2.OkHttpCall.parseResponse(

                at retrofit2.OkHttpCall.execute(

                at edu.internet2.middleware.grouper.changeLog.consumer.o365.GraphApiClient.invoke(

                at edu.internet2.middleware.grouper.changeLog.consumer.o365.GraphApiClient.addGroup(

                at edu.internet2.middleware.grouper.changeLog.consumer.Office365ChangeLogConsumer.addGroup(Office, threadId: 104, elapsed: 1285 ms



2. No members were ever added to the groups via changeLog.consumer.o365.

3. We were unable to delete the groups from Office 365 through their deletion

   in Grouper.


The groups are created but no subsequent operations on them seem to be



Is there something that we have overlooked?  Or is the development of support

for unified groups still a work-in-progress?


Thank you!




Beth A. Halsema - M.S. in Computer Science, GSEC

Sr. Sofware Engineer, Identity & Access Management

OVPIT - IT Security and Policy;!!KGKeukY!kIgRCaDOkKFEUnBHzPZEJu8pk_3ipJwriqvV0H15-kRKFWkrNDld2bNcdf2dMLDVM3E$

Archive powered by MHonArc 2.6.19.

Top of Page