MIM Portal: regular user access and unable to process your request

Getting the error “Unable to process your request” is a common issue a lot of people are facing when accessing the FIM/MIM portal as a regular user.

There are a lot of forum discussions and blog posts around that issue and how to solve it.

However, I think I found another reason why that issue can occur. Even if that will not be a common scenario for most people, it is still worth writing about in my opinion.

New Azure Group Based Licensing (V2) available as public preview

Just saw it in my demo tenant today that the new Azure Group Based Licensing (V2) is now available within the new Azure portal http://portal.azure.com under the Active Directory Node.

Until today, as all of you know, you could only assign EMS licenses via groups created in Azure or synchronized from an On-Premises directory. In addition, you could only assign the whole license/suite in one piece, without the ability to disable sub plans, like RMS for example.

With the new group-based licensing, you can now also assign other service licenses, like Office 365 for example, and are also able to disable specific sub plans.

Here is how it looks:

Navigate to the new portal (the artist formerly known as “the island”): http://portal.azure.com

Go to the Azure Active Directory Management (Preview):

You will see an overview of all your licenses and current assigned users and groups via the “All products” option:

Let us assign the Office 365 license by a group and disable some of the features:

Click “Licensed Group” and then “+ Assign”

Select a group created in Azure or synchronized from your On-Premises directory.

Click “assignment option (optional)”

Done. License assignment changes will now be scheduled, and you can check the state, pending or active (it should be active within one minute).

You can have multiple groups with different sub plans disabled to reflect the licenses needed for different user types (Power Users, Limited Users or Guests).

There is also an audit log for all license assignments, but in my early tests nothing is logged; I assume this is because the necessary categories are missing until the rollout of the preview is complete.

MIM: Strange issue with Oracle DB when changing connection parameters and creating a new MA

I’m currently in the middle of a migration of an IDM solution from FIM 2010 R2 to MIM 2016.

Doing that, I set up a new server with 2012 R2 (the old server was 2008 R2), and also switched to the newest Oracle Client 12.1.0.2.
I also copied over the tnsnames.ora and all seems to be working so far.

Then one of the Oracle DBs was switched to an Oracle 12 server by the application owner.
So I modified tnsnames.ora to match the new server name.

I just wanted to check if all was working properly on the MA and entered the password of the DB user again in the MA properties.

But here the trouble starts, and it took me around 2 hours to find out what’s wrong.

FIM 2010 R2: sync-rule-invalid-xml-attribute-flow and unable to update FIM Service ma/mv data

I spent several hours on a dev-stage FIM 2010 R2 server at a customer, which was throwing the following error on synchronizations, mainly of the FIM MA:

<sync-rule-invalid-xml-attribute-flow>

AADConnect 1.1 SyncScheduler Issue: DateTime Error and Scheduler not working

I recently installed Azure AD Connect 1.1 (Build 1.1.105.0) in my demo lab.
I installed it on a fresh Windows Server 2012 R2 with the latest hotfixes and did the following:

  • Installed AADC in Custom Setting Mode
  • Did all settings (which are not relevant to that issue)
  • Disabled the direct start of the Scheduler to modify sync rules
  • Re-ran the AADC wizard and activated the now internal Scheduler

But when checking the SyncCycle within the Sync Service Manager, I could not see any syncs.


Privileged Access Management: List all active pam requests

I’ve recently worked in my demo lab with the Microsoft Identity Manager 2016 (MIM) feature called Privileged Access Management (PAM) to prepare for workshops and a first implementation at a customer.

One thing that came to my mind was how I can enable PAM admins to see a list of all currently active PAM requests on the system.

Option 1 is to use PowerShell with the MIMPAM module to get an overview:

Get-PAMUser | Get-PAMRequest -Active

Quite simple, right?

But I wanted a graphical version, and since the good “old” MIM portal is also present in that scenario, I tried to figure out how to search only for “Active” roles/requests.


Note2Self: Directory Integration Tools Overview

If you’re asking yourself which of the current directory integration tools to choose, here is some help:

I found this nice overview in the Azure MSDN library documentation:

https://msdn.microsoft.com/en-us/library/azure/dn757582.aspx

In that documentation FIM 2010 R2 with the WAAD Connector is still listed as an option, but you should not use that for any new deployments anymore, unless you have very special requirements (like multi-tenant) and are only using that scenario as an interim solution until AADConnect supports it in the future.
