Azure PIM: Internal Server Error (500) using PIM Graph API

Azure Active Directory_COLOR

I have some implementation where I created a MIM PowerShell Connector for Azure PIM (Privileged Identity Management. This Connector imports on-Premises AD groups and transfers the members to Azure PIM role assignments.

A couple of days ago the scripts of that connector throw errors in my implementation as well as at a customer.

I tried to reach the following endpoints in Graph Explorer and even there I get an error:

Graph Explorer states the following error:

  "error": {
    "code": "UnknownError",
    "message": "{"message":"An error has occurred."}",
  "innerError": {
    "request-id": "16e184f8-86cb-4424-abff-4fd3ac4a010e",
    "date": "2018-11-12T12:40:15"

While PowerShell throws an Internal Server Error (500) Continue reading “Azure PIM: Internal Server Error (500) using PIM Graph API”


Azure AD B2B Guest User Housekeeping Solution with MIM2016

It is quite easy in these modern times to invite and therefore add B2B guest users into your Azure AD tenant. Not only administrators but also users can simply invite any user of the world that has a valid email address (depending of the settings of your tenant).

While simply invite them, guest users will not have any permissions (beside login) to any resource of your tenant until permissions are assigned to them.

But a good identity management solution does not only care of creating identities but also remove them when no longer needed. Azure AD currently at time of writing this article does not provide any mechanism to get rid of unused guest accounts, it even does not provide a proper way to identity them.

There is no “LastLogin” attribute you can for example use, so you need to find the person who invited that guest and talk to him if it is still needed.

This is where my Azure AD B2B guest user “Housekeeping” solution can maybe help you. It provides a way to set your own “LastLogin” attribute on guest account and even track pending invitations and removes guest accounts after a defined time.

So how does it work:

  • Create an extension attribute to store the “LastLogin” as a DateTime
  • Import the Azure AD sign-in logs by MIM2016 with a PowerShell MA leveraging MS Graph Reporting API
  • Import B2B users by MIM with a PowerShell MA leveraging the AAD PowerShell Module V2 cmdlets
  • Aggregate sign-in logs to only get the newest login of a user
  • Set the extension attribute of those accounts and export it to AAD
  • Delete accounts after some time defined by an XML configuration file

Continue reading “Azure AD B2B Guest User Housekeeping Solution with MIM2016”

Azure AD B2B: How to bulk add guest users without invitation redemption.

Update: This does not work anymore as described, see my updated blog post on B2B redemption.


I think most of you are familiar with the concept of Azure AD Business-to-Business (B2B) where you can add users of other companies to your Azure AD tenant. This feature does not require the partner organization to already own or manage their own tenant; you can simply invite every user with an email address.

If the invited user already exists in an Azure AD tenant a guest user is created in your tenant that is linked to this user object in the foreign tenant.

If the invited user does not exists in an Azure AD tenant a shadow/unmanaged tenant is created behind the scenes for that user, additional users from the same domain will then created within this unmanaged tenant.

However, if you add a foreign user to your tenant an invitation mail is send to this user you add and the user has to redeem the invitation. By default, users are created as a guest user, which don’t have any permission (even read directory) in your tenant. Nevertheless, you can assign permissions like application permission, Azure AD or RBAC roles to such users.
Continue reading “Azure AD B2B: How to bulk add guest users without invitation redemption.”

Lithnet FIM/MIM Synchronization Service PowerShell Module released

Ryan Newington (Developer of FIM/MIM Lithnet PS Module, new FIM/MIM Service Client and RestAPI) already anounced new PowerShell Cmdlets for the FIM/MIM Synchronization Service on the last MIM Team User Group Meeting.

You can now download that module on github.

See documentation on the modules and also the disclaimer.

Download the FIM/MIM Sync PowerShell Module.

Great job again Ryan.

Here is a list of modules included:

Continue reading “Lithnet FIM/MIM Synchronization Service PowerShell Module released”

Authorize MIM Portal user image upload with Microsoft Cognitive Services

I saw these great videos from //build keynote some weeks ago about the Microsoft Cognitive Services and I was really impressed. I know these APIs like face, emotion, speech are designed for other purposes but I was thinking to myself on who to benefit from them for identity management.

So I remembered some time ago when talking about MIM Portal as a user self-service portal for personal data some customers find it is sometimes not a good idea if users can upload their own photos. The arguments where that photos cannot be validated in that way that it really belongs to that person. So people could upload for example funny pictures and avatars or even more bad images.

Sure, you can handle this by organizational policies, but I was thinking of a technical solution. At this point when thinking about Microsoft Cognitive Services the Face API came to my mind.

If you check the Face API it has methods for face detection in images and also face identification or verifying. You can also create person groups and persons with multiple faces saved in Azure if you want.

But for my little demo I only need the face detect and verify methods.

So here is how this demo works:

If people upload new images to MIM Portal, I trigger an authorization workflow and get the current and new photo with an MIMWAL update resource activity and pass that data to a PowerShell script which then calls the Face API.

The PowerShell Script uploads both images to Azure to do a face detection within the image and then returns a faceId for each of the pictures. Images are saved 24 hours Azure.
Continue reading “Authorize MIM Portal user image upload with Microsoft Cognitive Services”

MIM2016: Using Azure MFA in an Authorization Workflow with PowerShell

While thinking about Azure MFA and it’s usage in MIM for password reset or as authorization step when requesting a PAM role, I thought to myself, why not use this as an workflow activity in an authorization workflow. For example when requesting a group membership. Sadly you can not configure the OOB MFA activities that comes with MIM.

So why not doing it on my own, using the Azure MFA SDK. And I find out it’s quite simple so far.
This demo approves a member join to a group by Azure MFA with a phone call, you have to anser the call with a # to get into the group. The MobilePhone attribute of your MIM Portal users have to be set to a valid number for this demo to work.
Continue reading “MIM2016: Using Azure MFA in an Authorization Workflow with PowerShell”

Assign Azure/O365 licenses based on AD group membership


just a short post today.

I thgought it might be a good idea to share more scripts in future, so here is the first one to assign Azure/O365 licenses based on AD group membership.
EMS/AADP and RMS licenses can also be assigned directly in Azure using group memberships but you still have to handle O365 licenses by your own with scripts.

So at some customers I have the reqirement to also manage O365 licenses after synchronizing objects with AADConnect, so I decided to manage all licenses with script.

This script still need some improvement in security (PW stored in file) but you can modify that like you want.
Also I do not cover License Option of O365 Licenses, instead the complete O365 features will be assigned.

Continue reading “Assign Azure/O365 licenses based on AD group membership”