Authorize MIM Portal user image upload with Microsoft Cognitive Services

I saw these great videos from the //build keynote some weeks ago about the Microsoft Cognitive Services and I was really impressed. I know these APIs like face, emotion and speech are designed for other purposes, but I was thinking to myself about how to benefit from them for identity management.

So I remembered that some time ago, when talking about MIM Portal as a user self-service portal for personal data, some customers found that it is sometimes not a good idea if users can upload their own photos. The argument was that photos cannot be validated to really belong to that person. So people could upload, for example, funny pictures and avatars or even worse images.

Sure, you can handle this by organizational policies, but I was thinking of a technical solution. At this point when thinking about Microsoft Cognitive Services the Face API came to my mind.

If you check the Face API, it has methods for face detection in images and also for face identification and verification. You can also create person groups and persons with multiple faces saved in Azure if you want.

But for my little demo I only need the face detect and verify methods.

So here is how this demo works:

If people upload new images to MIM Portal, I trigger an authorization workflow, get the current and new photo with a MIMWAL update resource activity, and pass that data to a PowerShell script which then calls the Face API.

The PowerShell script uploads both images to Azure to do a face detection within each image and then returns a faceId for each of the pictures. Images are saved for 24 hours in Azure.
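
The detect-then-verify flow described above can be sketched as follows. This is an added example, not the script from this post: the function names, the `$Endpoint`/`$ApiKey` parameters, the environment variable, the file paths and the 0.7 confidence threshold are assumptions. It fails closed, so any API error or ambiguous image rejects the upload.

```powershell
# Added example (not the original script). Names, paths and threshold are assumptions.
function Get-SingleFaceId {
    param(
        [Parameter(Mandatory)] [byte[]] $ImageBytes,
        [Parameter(Mandatory)] [string] $Endpoint,  # e.g. https://<your-resource>.cognitiveservices.azure.com
        [Parameter(Mandatory)] [string] $ApiKey
    )
    $headers  = @{ 'Ocp-Apim-Subscription-Key' = $ApiKey }
    $response = Invoke-RestMethod -Method Post -Headers $headers `
        -Uri "$Endpoint/face/v1.0/detect?returnFaceId=true" `
        -ContentType 'application/octet-stream' -Body $ImageBytes
    # Normalize to an array; an empty result means no face was found.
    $faces = @($response | Where-Object { $_ })
    # A portrait must contain exactly one face: zero faces is an avatar or
    # object photo, several faces make the comparison ambiguous.
    if ($faces.Count -ne 1) {
        throw "Expected exactly one face, found $($faces.Count)."
    }
    return $faces[0].faceId
}

function Test-PhotoBelongsToSamePerson {
    param(
        [Parameter(Mandatory)] [byte[]] $CurrentPhoto,
        [Parameter(Mandatory)] [byte[]] $NewPhoto,
        [Parameter(Mandatory)] [string] $Endpoint,
        [Parameter(Mandatory)] [string] $ApiKey,
        [double] $MinConfidence = 0.7   # assumed policy value, tune for your environment
    )
    try {
        $id1  = Get-SingleFaceId -ImageBytes $CurrentPhoto -Endpoint $Endpoint -ApiKey $ApiKey
        $id2  = Get-SingleFaceId -ImageBytes $NewPhoto     -Endpoint $Endpoint -ApiKey $ApiKey
        $body = @{ faceId1 = $id1; faceId2 = $id2 } | ConvertTo-Json
        $result = Invoke-RestMethod -Method Post -Uri "$Endpoint/face/v1.0/verify" `
            -Headers @{ 'Ocp-Apim-Subscription-Key' = $ApiKey } `
            -ContentType 'application/json' -Body $body
        return ($result.isIdentical -eq $true -and $result.confidence -ge $MinConfidence)
    }
    catch {
        # Fail closed: HTTP errors, throttling or a bad image deny the request.
        Write-Warning "Photo verification failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (hypothetical paths; keep the key out of the script itself):
# $old = [System.IO.File]::ReadAllBytes('C:\temp\current.jpg')
# $new = [System.IO.File]::ReadAllBytes('C:\temp\new.jpg')
# Test-PhotoBelongsToSamePerson $old $new 'https://<your-resource>.cognitiveservices.azure.com' $env:FACE_API_KEY
```

A user with no current photo has nothing to compare against, so that case needs its own decision in the workflow, for example routing to a manual approval.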

MIM2016: Using Azure MFA Mobile App Auth in authorization workflows

This is a follow-up post to my article regarding Azure MFA used in an authorization workflow for MIM 2016. You can get some details on the scenario from that post.

As a limitation, the Azure MFA SDK can only be used for phone or SMS (one-way, two-way) authentication but not with the mobile app method. That’s because the mobile app uses a web service to get messages pushed, and this one needs to be implemented with MFA-Server.

But I find it a neat solution to have an authorization task for an approval of group membership using the mobile app. There are a couple of things needed to get this working:

  • Azure MFA Server
  • Installation of Web Service SDK
  • Installation of Web Service for Mobile App
  • Public Trusted Certificate (or Self Signed for demo lab like I did)
  • Optionally: Azure MFA User Portal (For user registering mobile app with QR-Code)

I do not explain how to install these components because there is a lot of very good documentation out there. I used the following one, which worked like a charm:

https://4sysops.com/archives/azure-multi-factor-authentication-part-4-portals/
