New versions of additional FIM/MIM connectors released

New versions of the additional FIM/MIM connectors were released a few days ago.

This connector package contains the following connectors:

There are a couple of fixes and enhancements in those connectors; you can get the complete list from the version release history:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-connector-version-history

(And yes, the placement of the documentation also makes no sense to me, since these are FIM/MIM-only connectors.)

Connectors can be downloaded from here: https://www.microsoft.com/en-us/download/details.aspx?id=51495


MIM Portal: regular user access and unable to process your request

Getting the error “Unable to process your request” is a common issue a lot of people face when accessing the FIM/MIM Portal as a regular user.

There are a lot of forum discussions and blog posts about that issue and how to solve it.

However, I think I found another reason why that issue can occur. It will not be a common scenario for most people, but in my opinion it is still worth writing about.

Lithnet FIM/MIM Synchronization Service PowerShell Module released

Ryan Newington (developer of the Lithnet FIM/MIM PowerShell Module, the new FIM/MIM Service Client and the RestAPI) already announced new PowerShell cmdlets for the FIM/MIM Synchronization Service at the last MIM Team User Group meeting.

You can now download that module from GitHub.

See the documentation on the module and also the disclaimer.

Download the FIM/MIM Sync PowerShell Module.

Great job again, Ryan.

Here is a list of modules included:


Create PAM (Privileged Access Management) Mobile Apps with PowerApps

Maybe you already read my last blog post about using PowerApps for Microsoft Identity Manager, where you can find a definition file for the Lithnet RestAPI for MIM to create a custom API for PowerApps. If not, please do so for some basic information.

I will also present the MIM and PAM PowerApps solution with some detailed information at the next MIM Team User Group meeting on June 15.

This time I am sharing the Swagger JSON definition file for the Privileged Access Management (PAM) RestAPI, together with a demo PowerApp.

The Swagger JSON and YAML files contain all the API calls that PAM provides, so you can do the following:

  • Get a list of all PAM roles you are a candidate for
  • Get the PAM role request history
  • Request a PAM role and also cancel your request before the TTL expires
  • Get a list of all PAM role requests you should approve
  • Approve or reject a PAM role request

Since PowerApps is still a preview feature you might run into some issues, as I did, but I was able to test all the scenarios mentioned above.

MIM Team User Group: MIM Handbook and upcoming MIM features

At the last MIM Team User Group meeting last week, David Steadman and Jeff Ingalls talked about their journey of writing the upcoming new MIM 2016 Handbook, which is expected to be released in July.

Besides some very interesting facts about their experience and some funny stories, there was one slide from David about upcoming MIM 2016 CTP (preview) features, which will then be coming to MIM GA some time in the future.

Here is a screenshot of that slide:

[Screenshot: MIMUpcommingCTPs]

One of the most interesting facts, I think, is the support of Exchange Online for approvals, so you no longer need to keep your FIMService mailbox on-premises while you may already have migrated all other mailboxes to O365.

Also, all the feedback seems to have been recognized by Microsoft, so we can see there will be a PAM single-forest deployment scenario.

A lot of you, I guess, will also like the cross-browser support for MIM components like SSPR and the Portal.

So stay tuned for that and have a look at Microsoft Connect (Identity and Access Management site), where those new CTPs will arrive.

Creating Mobile Apps for MIM with PowerApps and Lithnet RestAPI

I recently took a look at the preview of Microsoft PowerApps and also Microsoft Flow. There are some really cool examples and templates for PowerApps, and I also like that it is possible to create a custom API connection for nearly every RestAPI.

When thinking about MIM, we have that great Lithnet RestAPI from Ryan Newington, and so a new project was born in my spare time. Here are the results.

In order to create a connector in PowerApps for a custom API, we need a Swagger JSON definition file which describes the API (calls, parameters and so on). You can easily create such a definition file in YAML with the Swagger Editor. (Don’t worry, I’ve done this for you.)

If you want to take a closer look at the API definition file, go to http://editor.swagger.io and paste the YAML or JSON file of the Lithnet RestAPI into the editor. You will find both files at the end of the post.

These are the steps to set up the environment and create a simple PowerApp:

Install Lithnet Rest API:

First, we assume you have a running MIM 2016 or FIM 2012 R2 installation. In that environment, install the Lithnet FIM/MIM RestAPI according to the documentation: http://lithnetrmws.codeplex.com

Authorize MIM Portal user image upload with Microsoft Cognitive Services

I saw the great videos from the //build keynote some weeks ago about Microsoft Cognitive Services and was really impressed. I know APIs like Face, Emotion and Speech are designed for other purposes, but I was thinking to myself about how identity management could benefit from them.

So I remembered that some time ago, when talking about the MIM Portal as a user self-service portal for personal data, some customers found it is not always a good idea to let users upload their own photos. The argument was that there is no way to validate that a photo really belongs to that person, so people could upload, for example, funny pictures and avatars or even worse images.

Sure, you can handle this with organizational policies, but I was thinking of a technical solution. At this point, when thinking about Microsoft Cognitive Services, the Face API came to mind.

If you check the Face API, it has methods for face detection in images and also for face identification and verification. You can also create person groups and persons with multiple faces saved in Azure if you want.

But for my little demo I only need the face detect and verify methods.

So here is how this demo works:

When people upload new images to the MIM Portal, I trigger an authorization workflow, get the current and the new photo with a MIMWAL Update Resource activity, and pass that data to a PowerShell script which then calls the Face API.

The PowerShell script uploads both images to Azure for face detection, which returns a faceId for each of the pictures. Images are stored in Azure for 24 hours.

MIM2016: Using Azure MFA Mobile App Auth in authorization workflows

This is a follow-up post to my article regarding Azure MFA used in an authorization workflow for MIM 2016. You can get some details on the scenario from that post.

One limitation is that the Azure MFA SDK can only be used for phone or SMS (one-way, two-way) authentication, but not with the mobile app method. That’s because the mobile app uses a web service to receive pushed messages, and that web service needs to be implemented with MFA Server.

But I find it a neat solution to have an authorization task for approving a group membership using the mobile app. There are a couple of things needed to get this working:

  • Azure MFA Server
  • Installation of Web Service SDK
  • Installation of Web Service for Mobile App
  • Publicly trusted certificate (or self-signed for a demo lab, as I did)
  • Optionally: Azure MFA User Portal (for users registering the mobile app with a QR code)

I do not explain how to install these components because there is a lot of very good documentation out there. I used the following one, which worked like a charm:

https://4sysops.com/archives/azure-multi-factor-authentication-part-4-portals/

MIM2016: Using Azure MFA in an Authorization Workflow with PowerShell

While thinking about Azure MFA and its usage in MIM for password reset or as an authorization step when requesting a PAM role, I thought to myself: why not use this as a workflow activity in an authorization workflow, for example when requesting a group membership? Sadly, you cannot configure the OOB MFA activities that come with MIM.

So why not do it on my own, using the Azure MFA SDK? And I found out it’s quite simple so far.

This demo approves a member joining a group via Azure MFA with a phone call; you have to answer the call with a # to get into the group. The MobilePhone attribute of your MIM Portal users has to be set to a valid number for this demo to work.

MIMWAL: Time limited group membership (aka simple PAM solution)

Yes, it’s me again, and yes, with MIMWAL again 😉

When talking with people about my Privileged Access Management (PAM) scenario, I often get asked if the dedicated PAM forest is required. The answer is yes; this is by design and also a very important security feature of the solution, as you can never be sure your current forest is not already compromised. You can also make the PAM forest more secure than your existing forest, and there are some other benefits.

However, having time-limited group membership can also be useful in a single forest/domain scenario. So I played around a bit in my demo lab and tried to build a simple PAM-like solution with the help of the Microsoft Workflow Activity Library (MIMWAL).

Description and benefits of my demo scenario:

  • Time-limited group membership
  • Duration of group membership can be modified
  • Can be initiated by users directly or by admins/helpdesk
  • Users get notified when their group membership expires