Auditing Azure AD Registered Applications

Azure AD Registered Applications are the Azure AD equivalent of Active Directory Service Accounts. Over time, the number of them grows and grows, each having permissions to consume information from Azure AD and/or Microsoft Graph. As an Administrator of Azure AD there is maintenance associated with these Registered Applications, namely credential validity and, more importantly, application validity.

Credential expiration associated with Azure AD Registered Applications is quickly visible via the Azure Portal. We can quickly see Current, Expired and Expiring Soon credentials, as shown in the screenshot below. …

Choosing and using a Hardware Security Token for Azure AD Passwordless Authentication

Evaluation criteria for product selection can be a difficult process, especially for items that are rarely purchased. We’ve become accustomed to working out what we want from daily-use items such as laptops and mobile phones, which does make that process easier when we refresh them every few years. However, choosing a hardware security token is perhaps something you haven’t ever had to do.

So how do I choose a Hardware Security Token? This post outlines some selection criteria I’ve recently used to assist others with answering “Which Hardware Security Token do I need?” …

ChatOps for Azure Active Directory

Last year I wrote Lithnet Microsoft Identity Manager plug-ins for PoshBot. After publishing those I developed the majority of a PoshBot plugin to enable ChatOps for Azure Active Directory. Finally, with a little more bandwidth at the start of 2020, I’ve been able to put the finishing touches on the module and release it. ChatOps for Azure Active Directory using PoshBot is available from the PowerShell Gallery, and the source is in GitHub. …

Sending and Querying Custom Log Data to Azure Monitor Logs

Recently, for a customer engagement, we had the requirement to take log data from a third-party application and ingest it into Azure Log Analytics to make the data available in Azure Monitor. Sending Custom Log Data to Azure Monitor Logs is currently in Public Preview. This Microsoft article provides an overview of the capability:

In addition to the standard tiers of an application, you may need to monitor other resources that have telemetry that can’t be collected with the other data sources. …

SailPoint IdentityNow Email Templates Configuration Report

SailPoint IdentityNow has numerous Email Templates associated with the solution. It is prudent to have a backup of customisations to IdentityNow Email Templates. I’ve previously documented examples for generating configuration reports and configuration backups for:

This post details exporting email templates configuration and generating an HTML IdentityNow Email Template Report.

The script (further below) leverages the SailPoint IdentityNow PowerShell Module to generate the HTML IdentityNow Email Template Report. …

SailPoint IdentityNow Security Configuration Report

An IdentityNow Security Configuration Report of a SailPoint IdentityNow environment is a valuable artefact to have. I’ve previously documented examples for generating reports for:

But what about the configuration of items such as:

  • Global Security Settings Details
  • IWA Configuration Details
  • SSO SP Configuration Details
  • SSO IDP Configuration Details

The script (further below) leverages the SailPoint IdentityNow PowerShell Module to generate an HTML report of the configuration items listed above. It also exports the configuration of each of the above features to the output directory in XML format using the PowerShell Export-Clixml cmdlet. …

Release 1.0.6 SailPoint IdentityNow PowerShell Module

I’ve just published v1.0.6 of the SailPoint IdentityNow PowerShell Module to both GitHub and the PowerShell Gallery. Version 1.0.6 of the SailPoint IdentityNow PowerShell Module is a major update, as it removes the dependency on the PowerShell Community Extensions (PSCX) module that was previously used for its cryptography functions.

Key Updates:

  • The SailPoint IdentityNow PowerShell Module no longer has a dependency on the PowerShell Community Extensions (PSCX) module
    • Whilst this simplifies the dependencies, it also means that the SailPoint IdentityNow PowerShell Module is now PowerShell Core compatible.

x.509 Details – A PowerShell Module for decoding x.509 Certificates with time to certificate expiry

I’ve just published my X509Details PowerShell Module to the PowerShell Gallery. The x.509 Details PowerShell Module contains the Get-X509Details cmdlet, which decodes a base64-encoded PEM/CER format x.509 Certificate and converts it to a PowerShell Object. But wait, there’s more. The reason I created the x.509 Details PowerShell Module is that, through automation, I need to know the ‘Expiry Date’ of a certificate. The PowerShell Object returned from my Get-X509Details cmdlet in the X509Details Module also includes the expiry date-time in PowerShell DateTime format as ‘timeToExpiry’. …

Configuring a SailPoint IdentityNow Workday Source for additional Response Groups

The SailPoint IdentityNow Workday Source by default will retrieve the standard Workday records and associated metadata for employees and contingent workers. However, if you want to retrieve less or additional information from Workday, you need to update the configuration for the Workday Response Groups. My first few attempts at modifying the IdentityNow Workday Source for additional response groups appeared to update the configuration as requested. However, on running an aggregation on the Workday source I’d receive the following error message:

[ ConnectorException ] [ Error details ] java.lang.Boolean

SailPoint IdentityNow Active Directory Source TLS Configuration

Recently I needed to enable a SailPoint IdentityNow Active Directory Source to use TLS. Looking for information on how to complete this saw me read many articles in SailPoint Compass. However, none of them were written specifically for IdentityNow Active Directory Source TLS Configuration; mostly they were for the IQService and IdentityIQ. Putting pieces of this information together, I got an existing Source (even though it is mentioned this shouldn’t work) updated and working for TLS. …