Consuming CSV files from an Exchange Mailbox via Exchange Web Services and FIM/MIM 2016 using the Granfeldt PowerShell MA

30th of March, 2016 / / No Comments

This solution on first look is quite random. A management agent that consumes a flat file (comma separated file) isn’t ground breaking, but when the twist is that the CSV file is in an email in an Exchange Inbox, it’s quite a different scenario.

Background

My customer uses a Cloud Service for their recruitment processes. The cloud service does have a SOAP API that I could potentially develop a FIM/MIM solution for using the Microsoft Web Services Management Agent, however my customer does not have API access to their tenant, the vendor isn’t overly responsive and I need a solution in days not weeks.… [Keep reading] “Consuming CSV files from an Exchange Mailbox via Exchange Web Services and FIM/MIM 2016 using the Granfeldt PowerShell MA”

Managing SharePoint Online (SPO) User Profiles with FIM/MIM 2016 and the Granfeldt PowerShell MA

22nd of March, 2016 / / 5 Comments

Forefront / Microsoft Identity Manager does not come with an out-of-the-box management agent for managing SharePoint Online.

Whilst the DirSync/AADConnect solution will allow you to synchronise attributes from your On Premise Active Directory to AzureAD, SharePoint only leverages a handful of them. It then has its own set of attributes that it leverages. Many are similarly named to the standard Azure AD attributes but with the SPS- prefix.

For example, here is a list of SPO attributes and a couple of references to associated Azure AD attributes;

  • UserProfile_GUID
  • SID
  • SPS-PhoneticFirstName
  • SPS-PhoneticLastName
  • SPS-PhoneticDisplayName
  • SPS-JobTitle
  • SPS-Department
  • AboutMe
  • PersonalSpace
  • PictureURL
  • UserName
  • QuickLinks
  • WebSite
  • PublicSiteRedirect
  • SPS-Dotted-line
  • SPS-Peers
  • SPS-Responsibility
  • SPS-SipAddress
  • SPS-MySiteUpgrade
  • SPS-ProxyAddresses
  • SPS-HireDate
  • SPS-DisplayOrder
  • SPS-ClaimID
  • SPS-ClaimProviderID
  • SPS-ClaimProviderType
  • SPS-SavedAccountName
  • SPS-SavedSID
  • SPS-ResourceSID
  • SPS-ResourceAccountName
  • SPS-ObjectExists
  • SPS-MasterAccountName
  • SPS-PersonalSiteCapabilities
  • SPS-UserPrincipalName
  • SPS-O15FirstRunExperience
  • SPS-PersonalSiteInstantiationState
  • SPS-PersonalSiteFirstCreationTime
  • SPS-PersonalSiteLastCreationTime
  • SPS-PersonalSiteNumberOfRetries
  • SPS-PersonalSiteFirstCreationError
  • SPS-DistinguishedName
  • SPS-SourceObjectDN
  • SPS-FeedIdentifier
  • SPS-Location
  • Certifications
  • SPS-Skills
  • SPS-PastProjects
  • SPS-School
  • SPS-Birthday
  • SPS-Interests
  • SPS-StatusNotes
  • SPS-HashTags
  • SPS-PictureTimestamp
  • SPS-PicturePlaceholderState
  • SPS-PrivacyPeople
  • SPS-PrivacyActivity
  • SPS-PictureExchangeSyncState
  • SPS-TimeZone
  • SPS-EmailOptin
  • OfficeGraphEnabled
  • SPS-UserType
  • SPS-HideFromAddressLists
  • SPS-RecipientTypeDetails
  • DelveFlags
  • msOnline-ObjectId
  • SPS-PointPublishingUrl
  • SPS-TenantInstanceId

My customer has AADConnect in place that is synchronising their On Premise AD to Office 365.… [Keep reading] “Managing SharePoint Online (SPO) User Profiles with FIM/MIM 2016 and the Granfeldt PowerShell MA”

HRESULT: 0x8023063D when attempting to run multiple Sync Run Profiles in MIM/FIM after applying rollup build 4.3.2124.0

15th of March, 2016 / / 6 Comments

A new hotfix rollup was released on the 11th of March Microsoft Identity Manager contains a number of fixes and some new functionality.

It appears that it also contains a new bug. Information about this came to my attention from Ryan Newington

The bug kicks in if you’re trying to run sync sequences on multiple MA’s simultaneously. It throws the error; “Unable to run the management agent.” Exception from HRESULT: 0x8023063D

The screenshot below shows the error when attempting to run a Full Synchronization on an MA when another MA is already running a Full Synchronization.… [Keep reading] “HRESULT: 0x8023063D when attempting to run multiple Sync Run Profiles in MIM/FIM after applying rollup build 4.3.2124.0”

Creating Microsoft Identity Manger (MIM) Run Profiles using PowerShell (post MIM rollup build 4.3.2124.0)

15th of March, 2016 / / 2 Comments

A new hotfix rollup was released on the 11th of March for Microsoft Identity Manager that contains a number of fixes and some new functionality.

One new feature according to the release notes is a new cmdlet Add-MIISADMARunProfileStep

This cmdlet allows the creation of MIM Synchronisation Management Agent Run Profiles using PowerShell.

From the MS Documentation

Add-MIISADMARunProfileStep -MAName ‘AD_MA’ -Partition ‘DC=CONTOSO,DC=COM’ -StepType ‘FI’ -ProfileName ‘ADMA_FULLIMPORT’

Possible values of the StepType parameter (short form or long one can be used):
“FI”, “FULL IMPORT”
“FS”, “FULL SYNCHRONIZATION”
“FIFS”, “FULL IMPORT AND FULL SYNCHRONIZATION”
“FIDS”, “FULL IMPORT AND DELTA SYNCHRONIZATION”
“DI”, “DELTA IMPORT”
“DS”, “DELTA SYNCHRONIZATION”
“DIDS”, “DELTA IMPORT AND DELTA SYNCHRONIZATION”
“EXP”,”EXPORT”

The neat feature of this cmdlet is that it will create the Run Profile if it doesn’t exist.… [Keep reading] “Creating Microsoft Identity Manger (MIM) Run Profiles using PowerShell (post MIM rollup build 4.3.2124.0)”

AAD Connect: Custom AAD Attributes & Scheduler PowerShell

10th of March, 2016 / / 3 Comments

Following on from the posts from my esteemed colleagues: Lucian and Josh, I thought I’d post my experiences working with the latest version (v1.1.110.0) specifically two areas:

  1. Working with the AAD Connect Scheduler, that is now based in Powershell and whose configuration is now stored in AAD, using the ‘Set-ADSyncScheduler’ commands
  2. Working with ‘extension Attributes’ using Directory Extensions feature of AAD Connect

Both of these features are new to the latest version of AAD Connect.… [Keep reading] “AAD Connect: Custom AAD Attributes & Scheduler PowerShell”

Azure AD Connect manual sync cycle with powershell, Start-ADSyncSyncCycle

8th of March, 2016 / / 4 Comments

This morning at Kloud NSW HQ (otherwise known as the Kloud office, or the office, or anything else that does not sound cool or interesting at all) James Lewis (@Jimmy_Lewis on Twitter) asked the question:

What is the powershell cmdlet to kick off a manual sync in AADConnect?

Back in the olden days, as they say, in DirSync there was a powershell cmdlet called:

Start-OnlineCoexistenceSync

As Microsoft do often times, this cmdlet has changed. However, the reason this has changed is because of the way the sync process is now handled in AADConnect. The AADConnect Sync Scheduler has come about to replace the pre-existing process of an external sync engine tied to a Windows service and Windows task scheduler.

The new scheduler is responsible to complete two key tasks: run and manage the synchronisation cycle where import, sync and export processes are looked after; and to complete regular maintenance tasks, like for example renew certificates and keys for password reset and device registration (DRS), to name a few.

Read More

Office 365 – AADSTS50008: SAML token is invalid

4th of March, 2016 / / 6 Comments

If you’ve made it to this post because you are troubleshooting your AD FS sign in with Office 365 due to “AADSTS50008: SAML token is invalid” I still recommend you do all the standard troubleshooting steps provided in this article below the image:

AADSTS50008https://support.microsoft.com/en-us/kb/3015526

Generally speaking, if you’re getting issued a token from your AD FS server and Microsoft’s STS is stopping you from logging in, it would be because of your token signing certificate:

Has your Token-Signing Certificate changed since you last told Microsoft?

[Keep reading] “Office 365 – AADSTS50008: SAML token is invalid”

Feb 2016 Azure AD Connect Upgrade Fails – IndexOutOfRangeException resolution

26th of February, 2016 / / 3 Comments

I’ve been doing some work for a client recently who decided to upgrade their Azure AD Connect appliance to the latest February release. This was a prerequisite task for future work to follow. As an aside, it’s always nice to run the current version of the sync client. Microsoft regularly update the client to provide new features and improvements. A key driver for this client in particular was the fact that the new client (1.1.105.0 – Released 16/2/2016) will allow you to synchronise every 30 minutes, which is a welcome change from the previous 3-hour sync cycles.… [Keep reading] “Feb 2016 Azure AD Connect Upgrade Fails – IndexOutOfRangeException resolution”

Using Active Directory Security Groups to Grant Permissions to Azure Resources

18th of February, 2016 / / 4 Comments

The introduction of the Azure Resource Manager platform in Azure continues to expose new possibilities for managing your deployed resources.

One scenario that you may not be aware of is the ability to use scoped RBAC role assignments to grant limited rights to Azure AD-based users and groups.

We know Azure provides us with many built-in RBAC roles, but it may not be immediately obvious that you can control their assignment scope.

What do I mean by this?… [Keep reading] “Using Active Directory Security Groups to Grant Permissions to Azure Resources”

Good practices for implementing a healthy Azure Active Directory identity foundation

8th of February, 2016 / / No Comments

Originally posted on Lucian.Blog. Follow Lucian on Twitter @LucianFrango for daily doses of cloud.

This is part frustrated (mild) rant, part helpful hint and like the title says: part public service announcement. While I am most definitely a glass is half full kind of person, and I don’t get stressed out much or phased by pressure much, I, like anyone, do get annoyed with certain things. Let’s start with a quick vent before continuing on with the public service announcement.

Rather then just have a rant or a whinge, let me explain the situation and by doing so I’ll most likely vent some frustration.

Deploying a Hybrid Exchange environment to integrate with Exchange Online in Office 365 can be a behemoth of a task if you lack certain things. While anyone can say any number of criteria or list off important considerations, pre-requisites or requirements, I feel that there is only one thing that needs to be addressed. One thing that sticks in my mind as being the foundation of the endeavour.

Just like the old saying goes “you can’t build a strong house on weak foundations”; the same applies to that initial journey to the cloud.

I say initial journey, as for many organisations that first step after setting up a website, which can be the beginning to being a cloud-focused organisation, Office 365 is truly the first step to move infrastructure, process and systems to the cloud that I see happen the most.

Importantly though is to realise that as amazing and full of features as Office 365 is, deploying a Hybrid environment to leverage what I consider the best of both worlds, a hybrid identity, all that matters is the existing Active Directory Domain Services (ADDS) environment. That is ALL THAT MATTERS.

Step aside Active Directory Federation Services (ADFS) and Azure AD Connect (AADConnect) or even Hybrid Exchange Server 2016 itself. All those components sit on top of the foundation of the existing identity and directory services that is the ADDS environment.

ADDS is so crucial as it key link in the chain, so much so that if it has issues, the entire project can easily and quickly run into trouble and delays. Delays lead to cost. Delays lead to unhappy management. Delays lead to unhappy users. Delays lead to the people working on the project going grey.

I remember a time when I had blonde curly hair. I grew out of that and as I got older my hair darkened to a rich, chocolate (at least 70% cocoa) brown. Now, as each project gets notched on my belt, slowly, the slick chocolate locks are giving way to the odd silky, white sign that there’s not enough emphasis on a well-managed and organised ADDS.

Read More