Azure AD B2B: How to bulk add guest users without invitation redemption.

I think most of you are familiar with the concept of Azure AD Business-to-Business (B2B) where you can add users of other companies to your Azure AD tenant. This feature does not require the partner organization to already own or manage their own tenant; you can simply invite every user with an email address.

If the invited user already exists in an Azure AD tenant, a guest user is created in your tenant that is linked to this user object in the foreign tenant.

If the invited user does not exist in any Azure AD tenant, a shadow/unmanaged tenant is created behind the scenes for that user; additional users from the same domain will then be created within this unmanaged tenant.

However, if you add a foreign user to your tenant, an invitation mail is sent to the user you add, and the user has to redeem the invitation. By default, users are created as guest users, which do not have any permissions in your tenant (not even to read the directory). Nevertheless, you can assign permissions such as application permissions and Azure AD or Azure RBAC roles to such users.
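As an added example (not the script from the original post, which covers the redemption-free method), here is a bulk invitation from a CSV followed by an audit of guests that never redeemed; it assumes the AzureAD module, an existing Connect-AzureAD session, a constructed guests.csv with the columns Email,DisplayName, and a redirect URL of your choosing.

```powershell
# Added example: bulk-invite B2B guests from a CSV and report unredeemed invitations.
# Assumptions: AzureAD module loaded, Connect-AzureAD already done,
# guests.csv is a constructed input file with the columns Email,DisplayName.
Import-Module AzureAD

$redirectUrl = 'https://myapps.microsoft.com'   # assumption: where redeemed guests land
$guests      = Import-Csv -Path '.\guests.csv'

$results = foreach ($g in $guests) {
    try {
        # SendInvitationMessage $false: Azure AD sends no mail; the redeem URL is
        # returned so it can be handed over through a channel you control.
        $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $g.Email `
                                       -InvitedUserDisplayName  $g.DisplayName `
                                       -InviteRedirectUrl       $redirectUrl `
                                       -SendInvitationMessage   $false
        [pscustomobject]@{
            Email     = $g.Email
            ObjectId  = $inv.InvitedUser.Id
            Status    = $inv.Status
            RedeemUrl = $inv.InviteRedeemUrl
        }
    }
    catch {
        # One bad row must not abort the whole batch; record the failure instead.
        [pscustomobject]@{
            Email     = $g.Email
            ObjectId  = $null
            Status    = "Failed: $($_.Exception.Message)"
            RedeemUrl = $null
        }
    }
}
$results | Export-Csv -Path '.\invitation-results.csv' -NoTypeInformation

# Audit: a guest that has not redeemed keeps UserState = PendingAcceptance.
# Long-pending guests are cleanup candidates, since each one is an unused entry point.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Where-Object { $_.UserState -eq 'PendingAcceptance' } |
    Select-Object UserPrincipalName, Mail, UserState, UserStateChangedOn
```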

Lithnet FIM/MIM Synchronization Service PowerShell Module released

Ryan Newington (developer of the FIM/MIM Lithnet PS Module, the new FIM/MIM Service Client and the REST API) already announced new PowerShell cmdlets for the FIM/MIM Synchronization Service at the last MIM Team User Group Meeting.

You can now download that module on GitHub.

See documentation on the modules and also the disclaimer.

Download the FIM/MIM Sync PowerShell Module.

Great job again, Ryan.

Here is a list of modules included:


Authorize MIM Portal user image upload with Microsoft Cognitive Services

I saw these great videos from the //build keynote some weeks ago about Microsoft Cognitive Services and I was really impressed. I know these APIs like Face, Emotion and Speech are designed for other purposes, but I was thinking to myself about how to benefit from them for identity management.

So I remembered that some time ago, when talking about the MIM Portal as a user self-service portal for personal data, some customers found it is sometimes not a good idea if users can upload their own photos. The argument was that photos cannot be validated to really belong to that person. So people could upload, for example, funny pictures and avatars or even worse images.

Sure, you can handle this by organizational policies, but I was thinking of a technical solution. At this point, thinking about Microsoft Cognitive Services, the Face API came to my mind.

If you check the Face API, it has methods for face detection in images and also for face identification or verification. You can also create person groups and persons with multiple faces saved in Azure if you want.

But for my little demo I only need the face detect and verify methods.

So here is how this demo works:

If people upload new images to the MIM Portal, I trigger an authorization workflow, get the current and the new photo with a MIMWAL Update Resource activity and pass that data to a PowerShell script which then calls the Face API.

The PowerShell script uploads both images to Azure to do a face detection within each image and then gets back a faceId for each of the pictures. Images are stored in Azure for 24 hours.
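The detect-then-verify step described above, written as an added example rather than the post's own script; it assumes both photos arrive as byte arrays (the MIM Photo attribute is binary), a Face API v1.0 endpoint and subscription key, and that throwing inside the PowerShell activity fails the authorization workflow and thereby denies the request.

```powershell
# Added example: detect one face in the current and the newly uploaded photo,
# then verify that both show the same person. Assumptions: byte[] inputs from
# the workflow, a Face API v1.0 endpoint/key, an assumed region and threshold.
param(
    [Parameter(Mandatory)][byte[]]$CurrentPhoto,
    [Parameter(Mandatory)][byte[]]$NewPhoto,
    [Parameter(Mandatory)][string]$SubscriptionKey,
    [string]$Endpoint = 'https://westus.api.cognitive.microsoft.com/face/v1.0', # assumed region
    [double]$MinConfidence = 0.7                                                 # assumed threshold
)

$headers = @{ 'Ocp-Apim-Subscription-Key' = $SubscriptionKey }

function Get-SingleFaceId([byte[]]$Image, [string]$Label) {
    $faces = @(Invoke-RestMethod -Method Post -Uri "$Endpoint/detect?returnFaceId=true" `
                 -Headers $headers -ContentType 'application/octet-stream' -Body $Image)
    # Require exactly one face: no face at all, or a group picture, is rejected before verify.
    if ($faces.Count -ne 1) {
        throw "$Label photo must contain exactly one face, found $($faces.Count)"
    }
    return $faces[0].faceId
}

$currentId = Get-SingleFaceId -Image $CurrentPhoto -Label 'Current'
$newId     = Get-SingleFaceId -Image $NewPhoto     -Label 'New'

# Verify compares the two detected faces; the faceIds stay valid for 24 hours.
$body   = @{ faceId1 = $currentId; faceId2 = $newId } | ConvertTo-Json
$verify = Invoke-RestMethod -Method Post -Uri "$Endpoint/verify" `
            -Headers $headers -ContentType 'application/json' -Body $body

# isIdentical is the service's own decision; the confidence floor makes the check stricter.
if (-not ($verify.isIdentical -and $verify.confidence -ge $MinConfidence)) {
    throw "Photo rejected: isIdentical=$($verify.isIdentical) confidence=$($verify.confidence)"
}
Write-Output "Photo approved with confidence $($verify.confidence)"
```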

MIM2016: Using Azure MFA in an Authorization Workflow with PowerShell

While thinking about Azure MFA and its usage in MIM for password reset or as an authorization step when requesting a PAM role, I thought to myself, why not use this as a workflow activity in an authorization workflow, for example when requesting a group membership? Sadly, you cannot configure the OOB MFA activities that come with MIM.

So why not do it on my own using the Azure MFA SDK? And I found out it is quite simple so far.
This demo approves a member join to a group via Azure MFA with a phone call; you have to answer the call with a # to get into the group. The MobilePhone attribute of your MIM Portal users has to be set to a valid number for this demo to work.

Assign Azure/O365 licenses based on AD group membership

Hello,

just a short post today.

I thought it might be a good idea to share more scripts in the future, so here is the first one, to assign Azure/O365 licenses based on AD group membership.
EMS/AADP and RMS licenses can also be assigned directly in Azure using group memberships, but you still have to handle O365 licenses on your own with scripts.

So at some customers I have the requirement to also manage O365 licenses after synchronizing objects with AADConnect, so I decided to manage all licenses with a script.

This script still needs some improvement in security (PW stored in a file), but you can modify that as you want.
Also, I do not cover the license options of O365 licenses; instead, the complete O365 feature set will be assigned.
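An added example of the same group-based assignment (not the post's own script) that replaces the plaintext password file with a DPAPI-protected credential exported once via Get-Credential | Export-Clixml; it assumes the MSOnline and ActiveDirectory modules, a constructed group name, a usage location and an AccountSkuId of the form tenant:ENTERPRISEPACK, and like the post assigns the whole SKU without license options.

```powershell
# Added example: license members of an AD group without a plaintext password file.
# Assumptions: MSOnline + ActiveDirectory modules; group name, SKU id and usage
# location below are constructed; .\msol.cred was created once by
#   Get-Credential | Export-Clixml .\msol.cred   (DPAPI: same user, same machine)
Import-Module MSOnline
Import-Module ActiveDirectory

$GroupName     = 'LIC-O365-E3'             # assumption: AD group that grants the license
$AccountSkuId  = 'contoso:ENTERPRISEPACK'  # assumption: value from Get-MsolAccountSku
$UsageLocation = 'DE'                      # assumption: required before a license can be set

$cred = Import-Clixml -Path '.\msol.cred'
Connect-MsolService -Credential $cred

$sku = Get-MsolAccountSku | Where-Object AccountSkuId -eq $AccountSkuId
if (-not $sku) { throw "SKU $AccountSkuId not found in tenant" }
$free = $sku.ActiveUnits - $sku.ConsumedUnits   # local counter for this run

$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object objectClass -eq 'user' |
           Get-ADUser -Properties UserPrincipalName

foreach ($m in $members) {
    $user = Get-MsolUser -UserPrincipalName $m.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "$($m.UserPrincipalName) not yet synchronized, skipping"
        continue
    }
    if ($user.Licenses.AccountSkuId -contains $AccountSkuId) { continue }   # already licensed

    # Stop before the first failing assignment instead of erroring once per user.
    if ($free -le 0) { throw "No free units left for $AccountSkuId" }

    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UsageLocation $UsageLocation
    }
    # No LicenseOptions: every service plan of the SKU is enabled, as in the post.
    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $AccountSkuId
    $free--
    Write-Host "Assigned $AccountSkuId to $($user.UserPrincipalName)"
}
```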


A minimalistic FIM AAD sync connector solution for Windows Intune

After some DirSync implementations, one of my FIM customers had the need for mobile device management with Windows Intune. So it seemed the perfect time to me for my first implementation of the AAD Connector for FIM 2010 R2.

The customer had the following special requirements:

  • No Password Sync, instead using SSO with ADFS
  • Minimalistic set of attributes on users in the cloud (Corporate and legal issues)
  • Manual management of which user goes into the cloud or not (by helpdesk)
  • Usage of a proxy connection for all servers incl. FIM (no direct internet connection)

I searched the internet a bit for the configuration of the WAAD connector, but the technical reference ends at the step of adding attribute flows, and other posts are mostly about complex scenarios (hybrid, multi-forest and so on).

So once again I had to figure it out by myself, and I decided to put my solution here for this minimalistic implementation. I will skip the installation and configuration of ADFS and WAP, the Azure AD configuration and also the firewall/proxy configuration. There is a lot of documentation out there for this. But I will give one or two hints on some facts.
To set up your Azure/Intune for SSO with ADFS, follow the guide in your Azure/Intune portal.


Using AuthZ Workflows on FIM built-in service account changes [Workaround]

As everybody knows, the two FIM built-in accounts “Forefront Identity Manager Service Account” and “Built-in synchronization account” bypass all AuthZ workflows.

So by default you are not able to do approvals, for example, on changes made by these accounts.
In addition, you cannot have AuthZ workflows on set transitions; only Action workflows are allowed there.

But a customer wants to finally delete accounts 180 days after deactivation.
This action should be approved by a helpdesk administrator because there are some manual and non-technical tasks to do before this should happen.

Hmmm, so with the above restrictions, what to do?

I used the FIM PowerShell Activity a lot in that customer solution, and I remembered that changes done by this activity run in the context of a normal user account (from FIM's perspective), namely the service account of the FIM web service (svcFIMService in my case).

In order to allow updates to the FIM Service by this account via the Export-FIMConfig and Import-FIMConfig cmdlets, I created this account in the portal and granted it permissions on the necessary objects.
If it does not exist, just create this account with the following attributes set:

  • DisplayName
  • AccountName (sAMAccountName from FIM webservice account in AD)
  • Domain
  • ObjectSID (from AD)

(You should create this account manually, as I got into trouble when I tried to synchronize this account to the FIM Portal.)

How to use this:

I created a workflow with the PowerShell activity which sets an attribute I created on the user account, let's say DoFinalDelete, to a value of true.

I created an MPR which fires this workflow when users transition into my set “Users with disableDate older than 180 days”.
(Btw, this disableDate is also set by a PowerShell workflow activity, as you can imagine.)

Now I'm able to create an MPR with an AuthZ workflow to approve this change made by the account svcFIMService, and after that it can trigger all other MPRs and workflows I want.
So in my scenario, I import the DoFinalDelete attribute into the MV and trigger deprovisioning on the objects in the provisioning code of my MV extension using the DeprovisionAll() method, which then triggers all the defined actions on my MAs according to their deprovisioning configurations.
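The script body the PowerShell activity would run to set DoFinalDelete, as an added example (not the post's own script); it assumes the target user's ObjectID is handed in as $TargetObjectId, that the custom attribute is named DoFinalDelete as in the post, and that the FIMAutomation snap-in is available on the FIM Service host.

```powershell
# Added example: flag a Person for final deletion through the FIM web service,
# so the write runs as svcFIMService and is subject to AuthZ MPRs.
# Assumptions: $TargetObjectId passed in by the activity, attribute DoFinalDelete,
# FIMAutomation snap-in installed on the host.
param([Parameter(Mandatory)][string]$TargetObjectId)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}
$ns = 'Microsoft.ResourceManagement.Automation.ObjectModel'

# Read the object first: confirm it exists and skip the write if already flagged,
# so a re-run of the set transition does not raise a second approval request.
$user = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[ObjectID='$TargetObjectId']"
if (-not $user) { throw "Person $TargetObjectId not found" }
$current = ($user.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq 'DoFinalDelete' }).Value
if ($current -eq 'True') {
    Write-Output "DoFinalDelete already set on $TargetObjectId"
    return
}

$change = New-Object "$ns.ImportChange"
$change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
$change.AttributeName  = 'DoFinalDelete'
$change.AttributeValue = 'True'
$change.FullyResolved  = $true
$change.Locale         = 'Invariant'

$import = New-Object "$ns.ImportObject"
$import.ObjectType             = 'Person'
# Reuse the identifier as returned by the export (urn:uuid form) for both fields.
$import.TargetObjectIdentifier = $user.ResourceManagementObject.ObjectIdentifier
$import.SourceObjectIdentifier = $user.ResourceManagementObject.ObjectIdentifier
$import.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
$import.Changes                = @($change)

# Submitted as the web service account, not the built-in service account, so the
# AuthZ MPR on DoFinalDelete sees it and can hold it for helpdesk approval.
$import | Import-FIMConfig
Write-Output "DoFinalDelete change requested for $TargetObjectId"
```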

So once again this great piece of code, the “FIM PowerShell Activity” from Craig Martin and Brian Desmond, is like a Swiss army knife for me. (Thx guys)
You can do nearly everything with PowerShell and only have to maintain one custom activity in the FIM Portal, which makes upgrades and migrations much easier.
