Some advanced ADFS 4.0 branding customization

As you may be aware, you can use PowerShell commands to update the logo and banner/illustration images, as well as the home, privacy and other links, of the ADFS 4.0 home realm discovery or sign-in page. Below is an example of doing so:
Set-AdfsWebTheme -TargetName custom -Logo @{path="P:\Theme\Logo\logo.png"}

The above command would update the current logo image on the custom theme.
Set-AdfsGlobalWebContent -HomeLink https://{www.YourWebsite.Com}/ -HomeLinkText Home

The above command would update the “Home” link on all pages of your ADFS theme.…

'Strong Name Verification' Issue with adding new Connectors in AAD Connect

I’ve been updating and installing the latest versions of AAD Connect recently (v1.1.750.0 to the latest v1.1.819.0) and noticed that I could not create a brand new custom ‘Connector’ using any of the following out of the box Connector templates:

  • Generic SQL
  • Generic LDAP (didn’t happen to me but I’ve seen reports it’s impacting others)
  • PowerShell
  • Web Service

The message in the AAD Connect Synchronisation Engine would appear as “The extension could not be loaded” each time I tried to create a Connector with any of the above templates.…

Display dropdown selection list on AD FS 4.0 Home Realm Discovery page

On the AD FS 2.0 or 3.0 home realm discovery page, there was an option to select the AD FS namespace from a dropdown list. In AD FS 4.0 this has been changed to HTML DIVs, which can be annoying if you have many (hundreds of) claims provider trusts to choose from. A customization is therefore required to change the HTML DIV selection back to a dropdown list.
Before doing the customizations, the HRD page selection section looks like:

In AD FS 4.0 this customization can be done in an “onload.js”…

Deploying a SailPoint IdentityNow Virtual Appliance in Azure

Introduction

The CentOS image that SailPoint provide for the IdentityNow Virtual Appliance, which performs integration between ‘Sources’ and IdentityNow, is VMware based. I don’t have any VMware infrastructure to run it on and really didn’t want to run up any VMware environments for this component. All my other infrastructure is in Azure. I’d love to run my VA(s) in Azure too.
In discussions with SailPoint I understand it is simply a case that they haven’t certified their CentOS image on Azure.…

How to use the FIM/MIM Azure Graph Management Agent for B2B Member/Guest Sync between Azure Tenants

Introduction

UPDATE: August 2018
As promised below I've finally written up my Azure AD B2B Invitation Management Agent. You can find it in this post here.

UPDATE: June 2018
When I originally wrote this post the intent was to test the ability of the Graph MA to export to Azure AD. That works.

That then extended to messing with an identity type other than member (which works to an extent) but I detailed guests. However that is incomplete.

Demystifying Managed Service Identities on Azure

Managed service identities (MSIs) are a great feature of Azure that are being gradually enabled on a number of different resource types. But when I’m talking to developers, operations engineers, and other Azure customers, I often find that there is some confusion and uncertainty about what they do. In this post I will explain what MSIs are and are not, where they make sense to use, and give some general advice on how to work with them.…

Validating a Yubico YubiKey's One Time Password (OTP) using Single Factor Authentication and PowerShell

Multi-factor Authentication comes in many different formats. Physical tokens historically have been very common and moving forward with FIDO v2 standards will likely continue to be so for many security scenarios where soft tokens (think Authenticator Apps on mobile devices) aren’t possible.
Yubico YubiKeys are physical tokens that have a number of properties that make them desirable. They don’t use a battery (so aren’t limited to the life of the battery), they come in many differing formats (NFC, USB-3, USB-C), can hold multiple sets of credentials and support open standards for multi-factor authentication.…

Using Microsoft Identity Manager Synchronisation Server's Global Address List Synchronisation feature to create a shared global address book across three Exchange Forests

First published at https://nivleshc.wordpress.com

Introduction

Over the life of a company, there can be many acquisitions and mergers. During such events, the parent and the newly acquired entities have their IT “merged”. This allows for the removal of redundant systems and the reduction of expenses. It also fosters collaboration between the two entities. Unfortunately, the marriage of the two IT systems can, at times, take a long time.
To enable a more collaborative space between the parent and the newly acquired company, a shared “global address book” can be created, which allows employees to quickly look up each other's contact details.…

Identifying Active Directory Users with Pwned Passwords using Microsoft/Forefront Identity Manager v2, k-Anonymity and Have I Been Pwned

Background

In August 2017 Troy Hunt released a sizeable list of Pwned Passwords: 320 million in fact.
I subsequently wrote this post on Identifying Active Directory Users with Pwned Passwords using Microsoft/Forefront Identity Manager, which called the API and set a boolean attribute in the MIM Service that could be used with business logic to force users whose accounts have compromised passwords to change their password at next logon.
Whilst that was a proof of concept/discussion point of sorts, and I had a disclaimer about sending passwords across the internet to a third-party service, there was a lot of momentum around the HIBP API, so I developed a solution and wrote this update to check the passwords locally.…

Using MIMWAL to mass update users

The generalised Workflow Activity Library for Microsoft Identity Manager (MIMWAL) is not particularly new, but I’m regularly finding new ways of using it.
TL;DR: [//Queries/Key/Attribute] can be used as a target to update multiple accounts at once
Working from colleague Michael’s previous post Introduction to MIM Advanced Workflows with MIMWAL (Update Resource workflow section), user accounts can be populated with location details when a location code is set or updated.
But consider the question: what happens when the source location object is updated with new details, without moving the user between locations?