Yesterday Microsoft released an important hotfix rollup package for MIM 2016 SP1; the build number is 4.5.286.0.
Info: Hotfix rollup package (build 4.5.286.0) is available for Microsoft Identity Manager 2016 Service Pack 1
Download: Update for Microsoft Identity Manager 2016 SP1 (KB4469694)
The main issue fixed is the following:
After installing MIM build 126.96.36.199 or 188.8.131.52, the ma-data objects are deleted and not recreated in the FIMService, causing all synchronization rules to fail. After installing this update, this problem no longer happens.
Both builds that cause the issue are still listed but are no longer available for download. If you installed either of them, I highly recommend updating to the latest hotfix.
The issue was also discussed here: MIM Portal Sync Rules have become orphaned
After I upgraded my MIM 2016 test lab to hotfix build 184.108.40.206, I noticed that the MIM portal sync rules became orphaned (broken) when I let them all be recreated by setting the password on the MIMService MA again.
Some users also reported this in the following FIM/MIM TechNet Forum post: https://social.technet.microsoft.com/Forums/en-US/e0e6e2db-46e1-4638-bdfb-4436b8f53ae1/mim-portal-sync-rules-have-become-orphaned?forum=ilm2
I already answered there with some points that I found out while debugging the issue.
Like the poster in the forum, I also tried updating to the latest hotfix 220.127.116.11, but that does not solve the issue, and you might also run into this issue when applying only 18.104.22.168.
The error looks like the following:
Continue reading “MIM 2016 sync rules become orphaned (broken) after update to 22.214.171.124”
In these modern times it is quite easy to invite, and thereby add, B2B guest users into your Azure AD tenant. Not only administrators but also ordinary users can invite anyone in the world who has a valid email address (depending on the settings of your tenant).
Simply inviting them gives guest users no permissions (besides signing in) to any resource in your tenant until permissions are assigned to them.
But a good identity management solution does not only take care of creating identities; it also removes them when they are no longer needed. At the time of writing this article, Azure AD does not provide any mechanism to get rid of unused guest accounts; it does not even provide a proper way to identify them.
There is no "LastLogin" attribute you could use, for example, so you need to find the person who invited that guest and ask them whether the account is still needed.
This is where my Azure AD B2B guest user "Housekeeping" solution can maybe help you. It provides a way to set your own "LastLogin" attribute on guest accounts, track pending invitations, and remove guest accounts after a defined time.
So how does it work?
- Create an extension attribute to store the "LastLogin" as a DateTime
- Import the Azure AD sign-in logs into MIM 2016 with a PowerShell MA leveraging the MS Graph reporting API
- Import B2B guest users into MIM with a PowerShell MA leveraging the AAD PowerShell Module V2 cmdlets
- Aggregate the sign-in logs to keep only the newest login per user
- Set the extension attribute on those accounts and export it to AAD
- Delete accounts after a retention period defined in an XML configuration file
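The following PowerShell is an added example written for this page, not the author's housekeeping solution or its PowerShell MA. It shows the two parts of the procedure that can run offline: reducing sign-in log entries to the newest login per user, and deciding which guests exceed the retention periods from an XML configuration, including the two edge cases a practitioner has to handle (an invitation that was never accepted, and an accepted guest who never signed in). The sign-in entries, guest objects and XML are constructed sample data; the property names (userId, createdDateTime, UserState, UserStateChangedOn) follow the shape of the Graph sign-in log and Get-AzureADUser output, and the XML element names are an assumption.

```powershell
# Added example, not the author's code: newest-login aggregation and age-out decision.
# Property and element names are assumptions based on Graph / AzureAD module output.

# Constructed sign-in entries in the shape of GET /auditLogs/signIns (no live Graph call here).
$signIns = @(
    [pscustomobject]@{ userId = 'guest-1'; createdDateTime = '2018-09-01T08:00:00Z' },
    [pscustomobject]@{ userId = 'guest-1'; createdDateTime = '2018-11-20T17:30:00Z' },
    [pscustomobject]@{ userId = 'guest-2'; createdDateTime = '2018-05-03T09:15:00Z' }
)

# Constructed guest objects: guest-3 never accepted, guest-4 accepted but never signed in.
$guests = @(
    [pscustomobject]@{ ObjectId = 'guest-1'; UserState = 'Accepted';          UserStateChangedOn = '2018-08-30T10:00:00Z' },
    [pscustomobject]@{ ObjectId = 'guest-2'; UserState = 'Accepted';          UserStateChangedOn = '2018-05-01T10:00:00Z' },
    [pscustomobject]@{ ObjectId = 'guest-3'; UserState = 'PendingAcceptance'; UserStateChangedOn = '2018-10-01T10:00:00Z' },
    [pscustomobject]@{ ObjectId = 'guest-4'; UserState = 'Accepted';          UserStateChangedOn = '2018-11-25T10:00:00Z' }
)

# Constructed configuration; the schema is an assumption, not the author's XML file.
[xml]$config = @"
<housekeeping>
  <maxInactiveDays>90</maxInactiveDays>
  <maxPendingDays>30</maxPendingDays>
</housekeeping>
"@

function ConvertTo-Utc([string]$Timestamp) {
    # DateTimeOffset honours the trailing 'Z'; [datetime]::Parse would shift the value to local time.
    [DateTimeOffset]::Parse($Timestamp, [cultureinfo]::InvariantCulture).UtcDateTime
}

function Get-LastLogin([object[]]$Entries) {
    # Reduce the sign-in log to one value per user: the newest createdDateTime.
    $result = @{}
    foreach ($group in ($Entries | Group-Object -Property userId)) {
        $newest = $group.Group |
            Sort-Object -Property { ConvertTo-Utc $_.createdDateTime } -Descending |
            Select-Object -First 1
        $result[$group.Name] = ConvertTo-Utc $newest.createdDateTime
    }
    $result
}

function Get-GuestsToDelete([object[]]$Guests, [hashtable]$LastLogin, [xml]$Config, [datetime]$Now) {
    $maxInactive = [int]$Config.housekeeping.maxInactiveDays
    $maxPending  = [int]$Config.housekeeping.maxPendingDays
    foreach ($guest in $Guests) {
        $stateChanged = ConvertTo-Utc $guest.UserStateChangedOn
        if ($guest.UserState -eq 'PendingAcceptance') {
            # Invitation never accepted: age it out on the invitation date, not on logins.
            if (($Now - $stateChanged).TotalDays -gt $maxPending) { $guest.ObjectId }
            continue
        }
        # Accepted guest without any sign-in: fall back to the acceptance date,
        # otherwise an account that was never used would survive forever.
        $baseline = if ($LastLogin.ContainsKey($guest.ObjectId)) { $LastLogin[$guest.ObjectId] } else { $stateChanged }
        if (($Now - $baseline).TotalDays -gt $maxInactive) { $guest.ObjectId }
    }
}

$now = [datetime]::new(2018, 12, 1, 0, 0, 0, [DateTimeKind]::Utc)
$lastLogin = Get-LastLogin $signIns
$lastLogin.GetEnumerator() | ForEach-Object { '{0} last login {1:o}' -f $_.Key, $_.Value }
# In the real flow the value is exported to AAD, e.g. (appId placeholder is an assumption):
# Set-AzureADUserExtension -ObjectId $id -ExtensionName 'extension_<appId>_LastLogin' -ExtensionValue $lastLogin[$id].ToString('o')
'To delete: ' + ((Get-GuestsToDelete $guests $lastLogin $config $now) -join ', ')
```

With the constructed data and a reference date of 2018-12-01, guest-1 (last login 11 days ago) and guest-4 (accepted 6 days ago, no login yet) are kept, guest-2 (last login 212 days ago) and guest-3 (invitation pending for 61 days) are reported for deletion. The two thresholds are kept separate on purpose: a pending invitation has no sign-in to measure, so its age has to be judged on the invitation date.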
Continue reading “Azure AD B2B Guest User Housekeeping Solution with MIM2016”
A new version of the very helpful FIM/MIM Configuration Documenter is available.
You can get it from the GitHub repo: https://github.com/Microsoft/MIMConfigDocumenter/releases
Besides some fixes, there are also significant performance improvements:
- Performance improvements. The configuration report should get generated much more quickly now.
- Fixed an issue where a configuration setting did not render correctly if it had html markup characters.
You can find the requirements and usage instructions on the project's wiki page.
A large new hotfix rollup package is available for Microsoft Identity Manager 2016 SP1 (MIM 2016).
It contains a lot of fixes and enhancements. The build version is 126.96.36.199.
Hotfix rollup package (build 188.8.131.52) is available for Microsoft Identity Manager 2016 SP1
You can download it from here.
Continue reading “Hotfix rollup package is available for MIM 2016 SP1 (Build 184.108.40.206)”
My fellow MVP Jeff Ingalls released a cool new tool to check your MIM solution against well-known best practices. There was a FIM 2010 R2 BPA (Best Practice Analyzer) in the past, but that tool has not received updates for a long time.
So Jeff decided to create his own tool, putting in all the known best practices spread across the internet.
These are the bullet points of MIMCheck:
A read-only, stand-alone, remote, command-line tool that performs Microsoft Identity Manager best practice analysis checks.
Version 1.0 features include:
- 38 best practice task checks including data integrity checks of the synchronization service database
- Run an entire category of tasks: syncserver, portalserver, syncdb, portaldb
- Manually specify synchronization or portal server names, ports, instance names, and database names
- Export all tasks, description, and references to output without performing any action
- Verbose output which includes task names, which can be used to run the task individually, requirements to run the task, reference(s) for further reading, a description of the task, number of errors, and a task result.
- Redirection of output to a datetime name stamped file for periodic automation
- Digitally signed
- Licensing options available for consultants and consulting companies who wish to use the product as a service and/or charge for the use of the software.
You can download the tool from here: http://www.ingallsdesigns.com/downloads.html
You can drop Jeff a mail for feedback or feature requests.
He also gave a short presentation of the tool at the MIM Team User Group meeting yesterday, so the recording of that presentation should be available on the Unify Solutions YouTube channel within a few days.
The Identity community project team has recently released the MIM Configuration Documenter on GitHub as an open source project.
It's a very cool and easy tool to document your MIM solution (Sync and Service).
It also supports MIMWAL.
The main intent of the tool is to:
- Document deployment configuration details for the MIM / FIM solution!
- Track any configuration changes you have made since a specific baseline!!
- Build confidence in getting things right when making changes to the deployed solution!!
The current version 1.17.0522.0 is a public beta that has limitations on some management agents, but I'm sure there is more to come.
You can download precompiled binaries and source code from the Microsoft Repo: