While thinking about Azure MFA and its use in MIM for password reset or as an authorization step when requesting a PAM role, I asked myself why not use it as a workflow activity in an authorization workflow, for example when requesting a group membership. Unfortunately, the OOB MFA activities that ship with MIM cannot be configured for that.
So why not build it myself using the Azure MFA SDK? It turned out to be quite simple so far.
This demo approves a member join to a group via an Azure MFA phone call: you have to answer the call and press # to be added to the group. The MobilePhone attribute of your MIM Portal users must be set to a valid number for this demo to work.
Continue reading “MIM2016: Using Azure MFA in an Authorization Workflow with PowerShell”
Yes, it’s me again, and yes, with MIMWAL again 😉
When talking with people about my Privileged Access Management (PAM) scenario, I often get asked whether the dedicated PAM forest is required. The answer is yes: this is by design and also a very important security feature of the solution, because you can never be sure your current forest is not already compromised. A separate forest can also be hardened more strictly, and it has some other benefits.
However, time-limited groups can also be useful in a single-forest/domain scenario. So I played around a bit in my demo lab and tried to build a simple PAM-like solution with the help of the Microsoft Workflow Activity Library (MIM WAL).
Description and benefits of my demo scenario:
- Having time-limited group membership
- The duration of the group membership can be modified
- Can be initiated by users directly or by admins/helpdesk
- Users get notified when their group membership expires
Continue reading “MIMWAL: Time limited group membership (aka simple PAM solution)”
This is another post based on my current experiences with the Microsoft Workflow Activity Library, aka MIM WAL.
Of course you can do this with your own custom activity or a PowerShell activity, but both require a lot of code to maintain. I have seen the question of how to update set members based on group members many times in the TechNet forum, and as you know, due to a limitation of FIM/MIM you cannot do that with OOB functions.
But with the MIMWAL there is now a fast and reliable solution for that, so you can, for example, grant permissions in the Portal (indirectly) based on AD groups.
The scenario for this example is as follows:
- I assume we have a set and a group with the same DisplayName (_ModifySetByGroup in this example)
- We want the group and set membership to be completely in sync
- I want to use only one workflow for multiple groups
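For comparison, here is the PowerShell-activity variant of that scenario, written as an added example for this page rather than code from the original post: it keeps a Set's ExplicitMember identical to the ExplicitMember of the Group with the same DisplayName by computing the add/remove diff and saving only when something changed, so one script can be reused for any group by passing the DisplayName in. It assumes the Lithnet Resource Management PowerShell module (LithnetRMA) is installed, that the MIM Service URI shown is yours, and that the account running it may modify Sets; none of these are stated in the post.

```powershell
# Added example (not from the original post): sync a MIM Set's explicit members
# from the Group that shares its DisplayName, using the Lithnet RMA module.
# Assumed: LithnetRMA is installed, the service URI below is yours, and the
# caller may modify Sets. Because Sets are what MPRs grant rights on, the Set is
# only ever made equal to the Group, never a superset of it.
Import-Module LithnetRMA
Set-ResourceManagementClient -BaseAddress 'http://mimservice:5725'   # assumed URI

function Sync-SetMembershipFromGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DisplayName shared by the Group and the Set, e.g. '_ModifySetByGroup'.
        # Pass it in from the workflow so one script serves multiple groups.
        [Parameter(Mandatory)][string]$DisplayName
    )

    $group = Get-Resource -ObjectType Group -AttributeName DisplayName -AttributeValue $DisplayName
    $set   = Get-Resource -ObjectType Set   -AttributeName DisplayName -AttributeValue $DisplayName
    if (-not $group) { throw "Group '$DisplayName' not found" }
    if (-not $set)   { throw "Set '$DisplayName' not found" }

    # Compare by object ID as a string so the diff does not depend on object identity.
    $groupIds = @($group.ExplicitMember | ForEach-Object { "$_" })
    $setIds   = @($set.ExplicitMember   | ForEach-Object { "$_" })

    $toAdd    = @($groupIds | Where-Object { $setIds   -notcontains $_ })
    $toRemove = @($setIds   | Where-Object { $groupIds -notcontains $_ })

    if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) {
        Write-Verbose "Set '$DisplayName' is already in sync with the group"
        return
    }

    # Reference attributes in Lithnet RMA accept GUID strings for Add/Remove.
    foreach ($id in $toAdd)    { $set.ExplicitMember.Add($id) }
    foreach ($id in $toRemove) { $set.ExplicitMember.Remove($id) }

    $what = "add $($toAdd.Count) and remove $($toRemove.Count) explicit members"
    if ($PSCmdlet.ShouldProcess("Set '$DisplayName'", $what)) {
        Save-Resource $set   # one web service call for the whole diff
    }
}

# Usage (add -WhatIf to preview the diff without writing anything):
Sync-SetMembershipFromGroup -DisplayName '_ModifySetByGroup' -Verbose
```

Computing the diff first and then issuing a single Save-Resource keeps the number of MIM web service calls constant regardless of group size, which is where the FIMAutomation-based variants lose most of their time; the -WhatIf switch lets you review which members would be added to a Set that grants rights before the change is written.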
Continue reading “MIMWAL: Update set membership based on group membership”
I recently started to have a look at the Microsoft Workflow Activity Library (WAL or MIM/FIM WAL) that was released to the public some time ago.
In my current projects I have used the PowerShell activity many times to do things that can’t be done with the OOB functions that come with FIM/MIM.
One of those things is a one-time add of new users to default groups. I’ve done this with PowerShell, but you have to use the FIMAutomation cmdlets, which do their updates through the FIM/MIM web service, and as everyone knows this is not the fastest way. I got some performance improvements by using the Lithnet PowerShell module.
So I took a look at how to do that with MIMWAL, and here are the results:
Continue reading “MIMWAL: Add new users to default groups”
I’m currently migrating an IDM solution from FIM 2010 R2 to MIM 2016.
For that I set up a new server with 2012 R2 (the old server was 2008 R2) and also switched to the newest Oracle Client 220.127.116.11.
I also copied over the tnsnames.ora, and everything seemed to be working so far.
Then one of the Oracle DBs was switched to an Oracle 12 server by the application owner.
So I modified tnsnames.ora to match the new server name.
I just wanted to check that everything was working properly on the MA and entered the password of the DB user again in the MA properties.
But here the trouble started, and it took me around 2 hours to find out what was wrong.
Continue reading “MIM: Strange issue with Oracle DB when chaning connection parameter and create new MA”