SailPoint IdentityNow Active Directory Source TLS Configuration

Recently I needed to enable a SailPoint IdentityNow Active Directory Source to use TLS. Looking for information on how to complete this saw me read many articles in SailPoint Compass. However, none of them were written specifically for IdentityNow Active Directory Source TLS Configuration. Mostly they were for the IQService and Identity IQ. Putting pieces of this information together I got an existing Source (even though it is mentioned this shouldn’t work) updated and working for TLS.… [Keep reading] “SailPoint IdentityNow Active Directory Source TLS Configuration”

Azure AD/Active Directory User Security Evaluation Reporter

During December 2018 – February 2019 Microsoft have run an online Microsoft Graph Security Hackathon on Devpost.

The criteria of the hackathon was;

  • Build or update a functioning Microsoft Graph-powered solution that leverages the Microsoft Graph Security API

Following the announcement of the Hackathon I was encouraged by Kloud management to enter. During the busy month of December I started to formulate a concept for entry in the Hackathon taking learnings from the hackathon I entered in 2018.… [Keep reading] “Azure AD/Active Directory User Security Evaluation Reporter”

Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part6

Security Translation – Local Profiles and things to consider for end user experience

The last bit of any migration project is to keep the end user experience as simple and smooth as possible. So, by now we have successfully migrated the groups, migrated the users keeping their mailboxes intact and providing them access to all their resources using SID history. As the last bit of the migration I would like to discuss about few things that should be considered from an end user’s perspective to make their experience good when they login to the new domain.… [Keep reading] “Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part6”

Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part5

Users Migration

The gun seems to be pretty much loaded with all the ammunition, ready to fire? Probably not yet …

Here I want to discuss about few basic things that are easily missed and can cause the migration to fail or go wrong. Few things worth noting down before getting into the migration:

  • Make sure you have a plan to provide the permissions of file shares that built-in groups in source domain have access to.
[Keep reading] “Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part5”

Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part4

Active Directory Groups

Now that we have got our both the AD environments ready to start the migration and installed all the required tools, let’s start moving the objects over. To ensure that we have the proper security structure in place before users are migrated to target domain, we’ll be dealing with Active Directory groups before migrating any of the user objects.

So, what is an AD group? How is the security structure controlled by these groups?… [Keep reading] “Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part4”

Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part3

Installation and configuration of ADMT tool and Password Export Server

Now that we have got our active directories in both source and target domain ready for migration, let’s install the tools required for migration.

ADMT Migration Account

The ADMT service account needs to have administrative rights in both source and target domains. It’s a good idea to create a user specifically for the ADMT Migration, however you may still use an existing user if desired. A single service account will be used for the entire migration:

  • In the target domain, create an administrator account

Target Domain:

  • In the source domain add the same user to the built-in Administrators group (it can’t be added directly to domain admins group).
[Keep reading] “Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part3”

Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part2

Configuring source and target domains

In the previous post of this series I discussed about the tasks involved in migrating a user from a domain to another in a hybrid exchange environment. Now let’s get down to the nitty-witty of migration.

Before getting into moving the users across to target domain, there are few things that need to be installed and configured in both source and target domain. Let’s start by looking at the configuration steps for source and target domains.… [Keep reading] “Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part2”

Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part1

An Introduction and high-level migration approach

Over the past few months I have been working on developing a strategy for migrating users from one domain in a forest to another domain in a separate forest. Sounds quite simple at the first read of it, right? Just use ADMT and migrate the groups, user accounts and profiles, job done? Well that’s what I had thought when I started working on it.

As I started digging more and more into the details, the complexities involved started unfolding.[Keep reading] “Active Directory User Migration in Hybrid Exchange Environment Using ADMT – Part1”

Demystifying Managed Service Identities on Azure

Managed service identities (MSIs) are a great feature of Azure that are being gradually enabled on a number of different resource types. But when I’m talking to developers, operations engineers, and other Azure customers, I often find that there is some confusion and uncertainty about what they do. In this post I will explain what MSIs are and are not, where they make sense to use, and give some general advice on how to work with them.… [Keep reading] “Demystifying Managed Service Identities on Azure”

Identifying Active Directory Users with Pwned Passwords using Microsoft/Forefront Identity Manager v2, k-Anonymity and Have I Been Pwned

Background

In August 2017 Troy Hunted released a sizeable list of Pwned Passwords. 320 Million in fact.
I subsequently wrote this post on Identifying Active Directory Users with Pwned Passwords using Microsoft/Forefront Identity Manager which called the API and sets a boolean attribute in the MIM Service that could be used with business logic to force users with accounts that have compromised passwords to change their password on next logon.
Whilst that was a proof of concept/discussion point of sorts AND  I had a disclaimer about sending passwords across the internet to a third-party service there was a lot of momentum around the HIBP API and I developed a solution and wrote this update to check the passwords locally.… [Keep reading] “Identifying Active Directory Users with Pwned Passwords using Microsoft/Forefront Identity Manager v2, k-Anonymity and Have I Been Pwned”