MIM Configuration Documenter released on GitHub

The Identity community project team has recently released the MIM Configuration Documenter on GitHub as an open source project.

It's a very cool and easy tool for documenting your MIM solution (Sync and Service).
It also supports MIMWAL.

The main intent of the tool is:

  • Document deployment configuration details for the MIM / FIM solution!
  • Track any configuration changes you have made since a specific baseline!!
  • Build confidence in getting things right when making changes to the deployed solution!!

The current version, 1.17.0522.0, is a public beta which still has limitations on some Management Agents, but I'm sure there is more to come.

You can download precompiled binaries and source code from the Microsoft Repo:

https://github.com/Microsoft/MIMConfigDocumenter


Create PAM (Privileged Access Management) Mobile Apps with PowerApps

Maybe you already read my last blog post about using PowerApps for Microsoft Identity Manager, where you find a definitions file for the Lithnet REST API for MIM to create a custom API for PowerApps. If not, please do so for some basic information.

I will also present the MIM and PAM PowerApps solution with some detailed information at the next MIM Team User Group meeting on June 15.

This time I'm giving all of you the Swagger JSON definition file for the Privileged Access Management (PAM) REST API, along with a demo PowerApp.

The Swagger JSON and YAML files contain all the API calls that PAM provides, so you can do the following:

  • Get a list of all PAM roles you are a candidate for
  • Get the PAM role request history
  • Request a PAM role, and also cancel your request before the TTL expires
  • Get a list of all PAM role requests you should approve
  • Approve or reject a PAM role request

Since PowerApps is still a preview feature, you might run into some issues like I did, but I was able to test all the scenarios mentioned above.

Authorize MIM Portal user image upload with Microsoft Cognitive Services

I saw the great videos from the //build keynote some weeks ago about Microsoft Cognitive Services and was really impressed. I know these APIs (face, emotion, speech) are designed for other purposes, but I was thinking about how to benefit from them for identity management.

So I remembered that some time ago, when talking about MIM Portal as a user self-service portal for personal data, some customers felt it is not always a good idea to let users upload their own photos. The argument was that there is no way to validate that a photo really belongs to that person, so people could upload, for example, funny pictures and avatars or even worse images.

Sure, you can handle this with organizational policies, but I was thinking of a technical solution. That is when the Face API from Microsoft Cognitive Services came to mind.

If you check the Face API, it has methods for face detection in images and also for face identification and verification. You can also create person groups and persons with multiple faces saved in Azure if you want.

But for my little demo I only need the face detect and verify methods.

So here is how this demo works:

When people upload new images to MIM Portal, I trigger an authorization workflow, get the current and new photo with a MIMWAL Update Resource activity, and pass that data to a PowerShell script which then calls the Face API.

The PowerShell script uploads both images to Azure for face detection and gets back a faceId for each picture. The images are kept in Azure for 24 hours.

MIMWAL: Time limited group membership (aka simple PAM solution)

Yes, it’s me again and Yes with MIMWAL again 😉

When talking with people about my Privileged Access Management (PAM) scenario, I often get asked if the dedicated PAM forest is required. The answer is yes; this is by design and also a very important security feature of the solution, as you can never be sure your current forest is not already compromised. You can also harden the PAM forest more than your existing forest, among other benefits.

However, time-limited group membership can also be useful in a single forest/domain scenario. So I played around a bit in my demo lab and tried to build a simple PAM-like solution with the help of the Microsoft Workflow Activity Library (MIM WAL).

Description and benefits of my demo scenario:

  • Having time-limited group membership
  • Duration of group membership can be modified
  • Can be initiated by users directly or by admins/helpdesk
  • Users get notified when their group membership expires


MIMWAL: Update set membership based on group membership

This is another post based on my current experiences with the Microsoft Workflow Activity Library aka MIM WAL.

Of course you can do this with your own custom activity or a PowerShell activity, but both require a lot of code to maintain. I have seen the question of how to update set members based on group members many times in the TechNet forum, and as you know, due to a limitation of FIM / MIM you cannot do that with out-of-the-box functions.

But with the MIMWAL there is now a fast and reliable solution for that, so you can, for example, grant permissions in the Portal (indirectly) based on AD groups.

The scenario for this example is as follows:

  • I assume we have a set and a group with the same DisplayName (_ModifySetByGroup in this example)
  • We want the group and set membership to be completely in sync
  • I want to use only one workflow for multiple groups


MIMWAL: Add new users to default groups

I recently started to have a look at the Microsoft Workflow Activity Library (WAL or MIM/FIM WAL) that was released to the public some time ago.

In my current projects I have used the PowerShell activity many times to do things that can't be done with the OOB functions that come with FIM/MIM.

One of those things is a one-time add of new users to default groups. I've done this with PowerShell, but you have to use the FIMAutomation cmdlets, which do updates through the FIM/MIM web service, and as everyone knows this is not the fastest way. I could get some performance improvements using the Lithnet PowerShell Module.

So I took a look at how to do that with MIMWAL, and here are the results.
