Where's the source!

26th of July, 2017 / Joshua Rack / No Comments

Sauce In this post I will talk about data (aka the source)! In IAM there’s really one simple concept that is often misunderstood or ignored. The data going out of any IAM solution is only as good as the data going in. This may seem simple enough but if not enough attention is paid to the data source and data quality then the results are going to be unfavourable at best and catastrophic at worst.
With most IAM solutions data is going to come from multiple sources.… [Keep reading] “Where's the source!”

Windows 10 Domain Join + AAD and MFA Trusted IPs

24th of July, 2017 / David Lee / 11 Comments

Background

Those who have rolled out Azure MFA (in the cloud) to non-administrative users are probably well aware of the nifty Trusted IPs feature. For those that are new to this, the short version is that this capability is designed to make it a little easier on the end user experience by allowing you to define a set of ‘trusted locations’ (e.g. your corporate network) in which MFA is not required.
This capability works via two methods:

Defining a set of ‘Trusted” IP addresses.

… [Keep reading]

Resolving Microsoft Identity Manager "sync-rule-validation-parsing-error" error

18th of July, 2017 / Darren Robinson / 2 Comments

A couple of weeks back I inherited a Microsoft Identity Manager development environment that wasn’t quite complete. When I performed a sync on a user object I got the following error; sync-rule-validation-parsing-error

Looking into the error for further details, Details and Stack Trace were both greyed out as shown below.

I looked at the object being exported on the MA and the awaiting export details and found slightly different information. The error was CS to MV to CS synchronization failed 0x8023055a
Still not a lot to go on.… [Keep reading] “Resolving Microsoft Identity Manager "sync-rule-validation-parsing-error" error”

Security Vulnerability Revealed in Azure Active Directory Connect

10th of July, 2017 / hughbadini / No Comments

The existence of a new and potentially serious privilege escalation and password reset vulnerability in Azure Active Directory Connect (AADC) was recently made public by Microsoft.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis
Fixing the problem can be achieved by means of an upgrade to the latest available release of AADC 1.1.553.0.
https://www.microsoft.com/en-us/download/details.aspx?id=47594
The Microsoft security advisory qualifies the issue as important and was published on Technet under reference number 4033453:
https://technet.microsoft.com/library/security/4033453.aspx#ID0EN
Azure Active Directory Connect as we know takes care of all operations related to the synchronization of identity information between on-premises environments and Active Directory Federation Services (ADFS) in the cloud.… [Keep reading] “Security Vulnerability Revealed in Azure Active Directory Connect”

Resolving the 'Double Auth' prompt issue in ADFS with Azure AD Conditional Access MFA

4th of July, 2017 / David Lee / 2 Comments

As mentioned in my previous post, Using ADFS on-premises MFA with Azure AD Conditional Access, if you have implemented Azure AD Conditional Access to enforce MFA for all your Cloud Apps and you are using the SupportsMFA=true parameter to direct MFA execution to your ADFS on-premises MFA server you may have encountered what I call the ‘Double Auth’ prompt issue.
While this doesn’t happen across all Cloud Apps, you will see it on the odd occasion (in particular the Intune Company Portal and Azure AD Powershell Cmdlets) and it has the following symptoms:

User signs into Azure AD App (e.g.

… [Keep reading]

Using ADFS on-premises MFA with Azure AD Conditional Access

1st of July, 2017 / David Lee / 9 Comments

With the recent announcement of General Availability of the Azure AD Conditional Access policies in the Azure Portal, it is a good time to reassess your current MFA policies particularly if you are utilising ADFS with on-premises MFA; either via a third party provider or with something like Azure MFA Server.
Prior to conditional MFA policies being possible, when utilising on-premises MFA with Office 365 and/or Azure AD the MFA rules were generally enabled on the ADFS relying party trust itself. … [Keep reading] “Using ADFS on-premises MFA with Azure AD Conditional Access”

An Identity Consultants Summary of the recent Cloud Identity Summit 2017

29th of June, 2017 / Darren Robinson / 2 Comments

I’ve just returned from Chicago and the Cloud Identity Summit that was held at the Sheraton Grand Chicago. It was my first CIS conference and reminded me a lot of the now defunct Quest Experts Conference and The Burton Group Conference, both in terms of the content and scale. It definitely had a more intimate feel than the massive Microsoft Ignite category of event which attracts 25k+ attendees. 1400 attendees at CIS was a record for this event, but it still meant you got the 1:1 time with vendors and speakers which is fantastic.… [Keep reading] “An Identity Consultants Summary of the recent Cloud Identity Summit 2017”

Integration of Microsoft Identity Manager with Azure Platform-as-a-Service Services

14th of June, 2017 / Darren Robinson / 1 Comment

Overview

This isn’t an out of the box solution. This is a bespoke solution that takes a number of elements and puts them together in a unique way. I’m not expecting anyone to implement this specific solution (but you’re more than welcome to) but to take inspiration from it to implement solutions relevant to your environment(s). This post supports a presentation I did to The MIM Team User Group on 14 June 2017.
This post describes a solution that;

Leverages an Azure WebApp (NodeJS) to present a simple website.

… [Keep reading]

Migrating 'SourceAnchor' from 'ObjectGUID' using new AAD Connect 1.1.524.0

31st of May, 2017 / Michael Pearn / 9 Comments

I count myself lucky every now and again, for many reasons. I have my health. I have my wonderful family.
Today, however, it’s finding out the latest version of AAD Connect (v1.1.524.0) will probably give me back a few more months of my life.
The reason? My customer’s chosen configuration of their AAD Connect to choose the default value of ‘ObjectGUID’ for their ‘SourceAnchor’ value.
Now, for most organizations with a single AD forest, you’re laughing. … [Keep reading] “Migrating 'SourceAnchor' from 'ObjectGUID' using new AAD Connect 1.1.524.0”

MIM/FIM Full Sync of select objects only

26th of May, 2017 / David Minnelli / 2 Comments

As I detailed in my previous blog here, sometimes there is a need to perform a full synchronization of just a select set of objects in the MIM/FIM Synchronization Service. In my case, it was to all the Synchronization Rules which helped resolve my issue which required a selected Full Synchronization performed. For this customer’s FIM environment, I manually performed the Preview/Full Synchronization on 51 objects as I just needed it done. My colleague Darren Robinson suggested I look at scripting it using the ‘Lithnet PowerShell Module for FIM/MIM Synchronization Service’ located here.… [Keep reading] “MIM/FIM Full Sync of select objects only”