Graphically Visualizing Identity Hierarchy and Relationships

Almost 15 years ago Microsoft released Microsoft Identity Integration Server (MIIS) 2003. Microsoft also released a couple of Resource Toolkits for MIIS to assist customers and IT Integrators implement the product, as up to that time its predecessor (Microsoft Metadirectory Services) was only available as part of a Microsoft Consulting engagement.
At the same time Microsoft provided a Beta product – Microsoft PolyArchy Server. For someone whose brain is wired in a highly visual way, this was a wow moment.…

A modern way to track FIM/MIM Attribute Value History utilizing Power BI

Introduction

Microsoft Identity Manager is fantastic for keeping data consistent between connected systems. Often, however, you want to know what a previous value of an attribute was. FIM/MIM can only tell you the current value, the Management Agent it was received on, and when.
In the past, where I’ve had to provide a solution to either make sure an attribute has a unique value forever (e.g. email address or loginID; don’t reuse email addresses or loginIDs) or just keep attribute value history, I’ve used two different approaches:

  • Store previous values in an SQL Table and have an SQL MA that flows out the values
  • Store historical values in a Multi-Valued attribute on the user object in the Metaverse

Both are valid approaches but often fall down when you want to quickly get a report on that metadata.…

MIM configuration version control with Git

The first question usually asked when something goes wrong: What changed?
Some areas of FIM/MIM make it easy to answer that question, some more difficult. If the Reporting Services components haven’t been installed (pretty common), history within the Portal/Service is only retained for 30 days by default, and it also contains all data changes, not just configuration changes. So, how do we track configuration change?
I was inspired by colleague Darren Robinson’s post “Automate the nightly backup of your Development FIM/MIM Sync and Portal Servers Configuration”, but wanted more detail, automatic differences, and handy visualisation.…

Validate Your Authoritative Sources – Creating a Fuse for FIM/MIM Import and Sync run cycles

Introduction

The Microsoft Identity Manager Synchronisation Engine has been around for close to 20 years and is highly functional and very reliable.
The Achilles heel for any IDAM Sync Engine, though, will always be an authoritative source and the information it provides to the Sync Engine.
I’m seeing more and more SaaS services being used as the Authoritative Source for identity management systems. Think SuccessFactors and Workday. Connecting across the internet to these, the rate of change within organisations, the amount of change data I’m seeing, and the common human factor of changes en masse all mean it is even more important to validate your import feeds before processing them through your Sync Engine’s business logic.…

Continuous Credential Prompt when accessing MIM Password Registration Portal

First published at https://nivleshc.wordpress.com
Recently I was at a customer site, setting up a Microsoft Identity Manager (MIM) 2016 environment, which included the deployment of the Self Service Password Registration and Self Service Password Reset portals. For additional security, I was using Kerberos instead of the default NTLM.
I finished installing the MIM Portal, Service, Password Registration and Password Reset Portals without any issues.
I then proceeded to secure all http endpoints by enabling them for SSL and after that removing the http bindings, so that you could access the MIM Portal, Password Registration and Password Reset Portals only via https.…

Automatically Provision Azure AD B2B Guest Accounts

Azure ‘Business to Business’ (or the catchy acronym ‘B2B’) has been an area of significant development in the last 12 months when it comes to providing access to Azure based applications and services to identities outside an organisation’s tenancy.
Recently, Ryan Murphy (who has contributed to this blog) and I have been tasked to provide an identity based architecture to share Dynamics 365 services within a large organisation, but across two ‘internal’ Azure AD tenancies.
Dynamics 365 takes its identity store from Azure AD; if you’re assigned a license for Dynamics 365 in the Azure Portal, including in a ‘B2B’ scenario, you’re granted access to the Dynamics 365 application (as outlined here).…

Easier portability of the FIMAutomation powershell snap-in

I am a fan of Ryan Newington’s MIM PowerShell modules; I think they are like the missing tools that Microsoft should have provided in the box from day one. Sometimes though, for various reasons, we may not have approval or access to use 3rd party or open source code, or other tools may expect exports to be in a specific format.
Using the FIMAutomation PSSnapin is easy … on servers with the MIM Service installed. …

Display Microsoft Identity Manager Sync Engine Statistics in the MIM Portal

Introduction

In the Microsoft / Forefront Identity Manager Synchronization Service Manager, under Tools, we have a Statistics Report. This gives a breakdown of each of the Management Agents and the Connectors on each MA.
I had a recent requirement to expose this information for a customer, but I didn’t want them to have to connect to the Synchronization Server (and be given the permissions to allow them to). So I looked into another way of providing a subset of this information in the MIM Portal itself.…

Configuring Remote PowerShell to a Remote Active Directory Forest for FIM/MIM GalSync

Introduction

Windows Remote Management (aka Remote PowerShell) is a wonderful thing when it works straight out of the box, as it does when you’re in the same domain. Getting it working across Forests, though, can feel like jumping through hoop after hoop, and sometimes like the hoops are on fire. When configuring GALSync ([Exchange] Global Address List Synchronisation) with FIM/MIM this always means across AD Forests. The graphic below shows the simplest relationship. If there are firewalls in between then you’ll have additional hoops to jump through.…

MIM2016 Upgrade Hanging on Custom Action – SetPermissionEval

I was upgrading a client’s environment from FIM2010 R2 to MIM2016. During the upgrade of the Synchronization service, the installer appeared stuck; I waited for over an hour, and there was no activity and no progress update. I checked the msi installation log and found the last activity was CustomAction = SetPermissionEval, ActionType=3073. Other than this, there were no errors or any indication of failures.
According to this TechNet article, SetPermissionEval sets access permissions (ACLs) for file folders, registry, DCOM launch/access permission and WMI.…