Those of us who looked at the Office 365 driver when it first came out were quite shocked by the over-use of direct XML manipulation and XPATH instead of using built-in tokens.
I had assumed that it had got a bit better in the interim, but I see there is still quite a lot of questionable bits in the driver.

One thing that was glaringly obvious was the author of the driver policies seemed be blissfully unaware of the Reformat Operational Attribute token.

Now I tried to do a "migrate from app" in office 365 (almost entirely the standard policies, the main modification is that I veto creation in *both directions*).
We have hybrid users in both O365 and IDM and we want to match them only (at this point).

When I did the migrate from app, I noticed that the NOVLOFFIDCFG-pub-etp rule which re-formats CN to be only the local name portion of the UPN gets blissfully skipped.
First, the instance from the query is converted to a sync prior to pub-etp:


<nds dtdversion="3.5">
<source>
<product build="201511241011" instance="\IDVP-TREE\Energycorp\Services\IDM\DriverSet\MSOffice365-ACME-PREPROD" version="4.1.0.1">Identity Manager Driver for Microsoft Office365</product>
<contact>NetIQ, Corporation.</contact>
</source>
<output>
<instance class-name="MSolUser" event-id="0" src-dn="u12345@acme.com">
<association>3d6db3dc-732a-44b9-a269-1506fe7c5d86</association>
</instance>
<status event-id="0" level="success"/>
</output>
</nds>


Then the sync triggers a merge

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.7">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<sync class-name="User" event-id="migrate-app-sync-1" src-dn="u12345@acme.com">
<association>3d6db3dc-732a-44b9-a269-1506fe7c5d86</association>
</sync>
</input>
</nds>

The engine queries O365 for amongst other things, the UPN/CN. However the response of that (an instance), never goes through the etp (as we are in a merge).
Even if it did, the etp rule can't handle instances because it doesn't use the Reformat Operational Attribute. (double fail)

[01/18/16 07:46:01.287]:MSOffice365-STATKRAFT-PREPROD ST:Applying schema mapping policies to input.
[01/18/16 07:46:01.287]:MSOffice365-STATKRAFT-PREPROD ST:Applying policy: %+C%14CNOVLOFFIDCFG-smp%-C.
[01/18/16 07:46:01.287]:MSOffice365-STATKRAFT-PREPROD ST: Mapping class-name 'MSolUser' to 'User'.
[01/18/16 07:46:01.287]:MSOffice365-STATKRAFT-PREPROD ST: Mapping attr-name 'UserPrincipalName' to 'CN'.
[01/18/16 07:46:01.287]:MSOffice365-STATKRAFT-PREPROD ST:Resolving association references.
[01/18/16 07:46:01.287]:MSOffice365-STATKRAFT-PREPROD ST:Read result:
[01/18/16 07:46:01.287]:MSOffice365-STATKRAFT-PREPROD ST:
<nds dtdversion="3.5">
<source>
<product build="201511241011" instance="\IDVP-TREE\Energycorp\Services\IDM\DriverSet\\MSOffice36 5-ACME-PREPROD" version="4.1.0.1">Identity Manager Driver for Microsoft Office365</product>
<contact>NetIQ, Corporation.</contact>
</source>
<output>
<instance class-name="User" event-id="0" src-dn="u12345@acme.com">
<association>3d6db3dc-732a-44b9-a269-1506fe7c5d86</association>
<attr attr-name="CN">
<value type="string">u12345@acme.com</value>
</attr>
<attr attr-name="LitigationHoldEnabled">
<value type="string">True</value>
</attr>
</instance>
<status event-id="0" level="success"/>
</output>
</nds>


At this point the event is a synthetic add.

[01/18/16 07:46:01.287]:MSOffice365-STATKRAFT-PREPROD ST:Synthetic add:
[01/18/16 07:46:01.287]:MSOffice365-STATKRAFT-PREPROD ST:
<nds dtdversion="3.5">
<source>
<product build="201511241011" instance="\IDVP-TREE\Energycorp\Services\IDM\DriverSet\\MSOffice36 5-ACME-PREPROD" version="4.1.0.1">Identity Manager Driver for Microsoft Office365</product>
<contact>NetIQ, Corporation.</contact>
</source>
<output>
<add class-name="User" event-id="migrate-app-sync-1" src-dn="u12345@acme.com">
<association>3d6db3dc-732a-44b9-a269-1506fe7c5d86</association>
<add-attr attr-name="CN">
<value type="string">u12345@acme.com</value>
</add-attr>
</add>
<status event-id="0" level="success"/>
</output>
</nds>

As the CN is not transformed and still looks like a UPN, the default matching by CN fails to match.

To my mind this is a bug. Can anyone suggest a reason why the reformat of CN should not be moved to ITP (and rewritten to cope with instance)?