Create PAM (Privileged Access Management) Mobile Apps with PowerApps

Maybe you already read my last blog post about using PowerApps for Microsoft Identity Manager where you find a definitions file for the Lithnet RestAPI for MIM to create a custom API for PowerApps. If not, please do so for some basic information’s.

I also will present the MIM and PAM PowerApps solution with some detailed information on the next MIM Team User Group meeting on June 15.

This time I give to all of you the swagger JSON definition file for the Privileged Access Management (PAM) RestAPI around with a demo PowerApp.

The swagger JSON and YAML files contains all the API calls that PAM provides, so you can do the following:

  • Get a list of all PAM roles you are a candidate for
  • Get the PAM role request history
  • Request a PAM role and also Cancel your request before TTL exceeds
  • Get a list of all PAM role requests you should approve
  • Approve of Reject a PAM role request

Since PowerApps is still a preview feature you might have some issues like I have, but I was able to test all scenarios mentioned above.
Read more of this post

Creating Mobile Apps for MIM with PowerApps and Lithnet RestAPI

I recently take a look into the Preview of Microsoft PowerApps and also Microsoft Flow. There are some really cool examples and templates for PowerApps and I also like that it is possible to create custom API connection for nearly every RestAPI.

When thinking on MIM we have that great Lithnet RestAPI from Ryan Newington and so a new project was born in my spare private time. Here are the results.

In order to create a connector in PowerApps for custom APIs we need a Swagger JSON definition file which describes the API (calls, parameters and so on). You can easily create such a definition file with the Swagger Editor in YAML. (Don’t worry, I’ve done this for you).

If you want to take a better look to the API definition file, go to http://editor.swagger.io and paste the YAML or JSON file of the Lithnet RestAPI into the editor. You will find both files at the end of the post.

These are the steps to setup the environment and create a simple PowerApp:

Install Lithnet Rest API:

First we assume you have a running MIM 2016 or FIM 2012 R2 installation. In that solution install the Lithnet FIM/MIM RestAPI according to the documentation: http://lithnetrmws.codeplex.com

Read more of this post

Authorize MIM Portal user image upload with Microsoft Cognitive Services

I saw these great videos from //build keynote some weeks ago about the Microsoft Cognitive Services and I was really impressed. I know these APIs like face, emotion, speech are designed for other purposes but I was thinking to myself on who to benefit from them for identity management.

So I remembered some time ago when talking about MIM Portal as a user self-service portal for personal data some customers find it is sometimes not a good idea if users can upload their own photos. The arguments where that photos cannot be validated in that way that it really belongs to that person. So people could upload for example funny pictures and avatars or even more bad images.

Sure, you can handle this by organizational policies, but I was thinking of a technical solution. At this point when thinking about Microsoft Cognitive Services the Face API came to my mind.

If you check the Face API it has methods for face detection in images and also face identification or verifying. You can also create person groups and persons with multiple faces saved in Azure if you want.

But for my little demo I only need the face detect and verify methods.

So here is how this demo works:

If people upload new images to MIM Portal, I trigger an authorization workflow and get the current and new photo with an MIMWAL update resource activity and pass that data to a PowerShell script which then calls the Face API.

The PowerShell Script uploads both images to Azure to do a face detection within the image and then returns a faceId for each of the pictures. Images are saved 24 hours Azure.
Read more of this post

PowerShell Activity: Issues with GUIDs in Workflow Activities and Sync Rules

I recently faced a problem with GUIDs generated in a PowerShell Workflow Activity. As you can see in my previous blog posts I use the FIM PowerShell Workflow Activity a lot of times (nearly most the time).

Currently I’m working on provisioning of user accounts with exchange mailboxes, in addition I have to activate/create the Online Archive for users.

I’m following this blog article from Eihab Isaac for the correct attributes to set, except that I want to do all this with portal sync rules and declarative provisioning.
If you take a look at the article you can see that you have to provide a new GUID to the msExchArchiveGUID attribute in order to get the archive feature to work. Read more of this post

Remove leading zeros from attribute values with a portal sync rule custom expression

Note to Self.

Today I having the requirement of removing leading zeros from attribute employeeID.
Special situation is that employeeIDs can be range from 1 to 5 chars, like:

00002, 00013, 00204 and so on.

Looking at the possible function on sync rules first thought was that this would not be possible, but sometimes things can be easier than they look alike.

Simple replacing the 0 (zero) by spaces, then perform an LTrim and after that replacing the spaces back to 0 (zero) works very well.

So the portal sync rules custom expression goes like this:

ReplaceString(LTrim(ReplaceString(employeeID,"0"," "))," ","0")

 

A minimalistic FIM AAD sync connector solution for Windows Intune

After some DirSync implementations one of my FIM customers has the need for mobile device management with Windows Intune. So it seems a perfect time to me for my first implementation of the AAD Connector for FIM 2010 R2.

The customer had the following special requirements:

  • No Password Sync, instead using SSO with ADFS
  • Minimalistic set of attributes on users in the cloud (Corporate and legal issues)
  • Manual management of which user goes into the cloud or not (by helpdesk)
  • Usage of proxy connection for all servers incl. FIM (no direct internet connect)

I searched the internet a bit for configuration of the WAAD connector, but the technical reference ends at the step of adding attribute flows and other posts are mostly for complex scenarios (hybrid, multi-forest and so on).

So once again I had to figure it out by myself and I decided to put my solution on here for this minimalistic implementation. I will skip the installation and configuration of ADFS and WAP, the Azure AD configuration and also the firewall/proxy configuration. There is a lot of documentation out there for this. Bit I will give the one or the other hint on some facts.
To setup your Azure/Intune for SSO with ADFS follow the guide in your Azure/Intune portal.

Read more of this post

Error using the Null() function with IIF in FIM workflows

After some time I ran into the same error a second time, so I think it is worth a blog post to avoid this happening again in the future and in addition as information to you all.

So here is my situation:

From the HR system I’m importing Team Information which should only be used on initial creation of the users. So I have an attribute called PrimaryTeamInitial that on user create we copy over to the PrimaryTeam attribute in portal.

So what I have done is a workflow that triggers on update of the PrimaryTeamInitial attribute, which in normal cases only occurs once in the lifetime of an object.
(Why I don’t use the Create event I will tell you in possibly my next post).

The workflow uses a custom expression like in the screenshot below:

WrongUsage

Because I only need to check if the attribute PrimaryTeam is not present, but there is no function for that in FIM I used the IsPresent and try to do nothing when the IIF statement is true using the Null() function.

I tested the workflow by creating a new user with a PrimaryTeamInital set by HR and all seems to work fine.

However a day later I saw “System Events” with “Postprocessing Errors” in FIM portal and in addition there where the following eventlog errors.

System.InvalidOperationException: There was an error generating the XML document.
System.InvalidOperationException: The type Microsoft.MetadirectoryServices.FunctionLibrary.NoFlowSingleton was not expected. Use the XmlInclude or SoapInclude attribute to specify types that are not known statically.
   at System.Xml.Serialization.XmlSerializationWriter.WriteTypedPrimitive(String name, String ns, Object o, Boolean xsiType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationWriterRequestParameter.Write1_Object(String n, String ns, Object o, Boolean isNullable, Boolean needType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationWriterRequestParameter.Write9_UpdateRequestParameter(String n, String ns, UpdateRequestParameter o, Boolean isNullable, Boolean needType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationWriterRequestParameter.Write11_RequestParameter(Object o)
   --- End of inner exception stack trace ---
   at System.Xml.Serialization.XmlSerializer.Serialize(XmlWriter xmlWriter, Object o, XmlSerializerNamespaces namespaces, String encodingStyle, String id)
   at System.Xml.Serialization.XmlSerializer.Serialize(XmlWriter xmlWriter, Object o)
   at Microsoft.ResourceManagement.WebServices.WSResourceManagement.RequestType.AddParameter(RequestParameter parameter)
   at Microsoft.ResourceManagement.WebServices.WSResourceManagement.RequestType.SetRequestParameters(OperationType operation, UniqueIdentifier targetObject, List`1 requestParameters)
   at Microsoft.ResourceManagement.WebServices.WSResourceManagement.RequestType..ctor(UniqueIdentifier creator, UniqueIdentifier targetIdentifier, OperationType operation, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean maintenanceMode, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier objectId, OperationType operation, List`1 requestParameters, Guid parentRequest)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessPutWorkItem(UpdateRequestWorkItem updateWorkItem)
   at Microsoft.ResourceManagement.Workflow.Hosting.RequestWorkItemProcessor.ProcessWorkItem(WorkItem workItem)

After some investigation on the net I remember that I have similar errors is the past using the Null() function and so I changed the workflow like you can see in the screenshot below:

CorrectUsage

Now setting the attribute to the current attribute value in case IIF is true, the error is gone and all is working like expected without errors.

I am currently not quite sure if this error only occurs on reference attribute like my team attribute, but be careful using the Null() function if you want to do nothing it does not always work like you expect.

I wish all readers a merry Christmas and a happy new year.

Peter

%d bloggers like this: