How to Synchronize users Active Directory/Azure Active Directory Photo using Microsoft Identity Manager

Introduction

Whilst Microsoft FIM/MIM can be used to do pretty much anything your requirements dictate, dealing with object types other than text and references can be a little tricky when manipulating them the first time. User Profile Photos fall into that category as they are stored in the directory as binary objects. Throw in Azure AD and obtaining and synchronizing photos can seem like adding a double back-flip to the scenario.
This post is Part 1 of a two-part post.…

Using the Lithnet PowerShell Modules to generate full object metadata FIM/MIM HTML Reports


How many times have you wanted a consolidated report out of FIM/MIM for an object? What connectors does it have, what are the values of the attributes, which Management Agent contributed the value(s) and when? Individually of course you can get that info using the Metaverse Search and looking at the object in MIM Portal. But what if you wanted it all with a single query? This blog post provides an approach to doing just that.…

Scripting queries for Lithnet Get-MVObject searches into the Microsoft Identity Manager Metaverse

It probably seems obvious by now, but I seem to live in PowerShell and Microsoft Identity Manager. I’m forever looking into the Microsoft Identity Manager Metaverse for objects.
However, sometimes I get tripped up by the differences in Object Classes between the FIM/MIM Service and the Metaverse, the names of the Object Classes (obviously not Person, Group and Contact) and in situations where they are case-sensitive. If you’re using the Sync Service Manager Metaverse Search function though you get a pick list.…

MfaSettings.xml updates not taking effect

First published at https://nivleshc.wordpress.com
Last week, I was at a client site, extending their Microsoft Identity Manager (MIM) 2016 Self Service Password Reset solution so that it could use Azure Multi-Factor Authentication (MFA). This is an elegant solution since, instead of using questions and answers to authenticate yourself when trying to reset your password, you can use One Time Passwords (OTP), sent as a security code via a text message to your registered mobile device.
I followed the steps as outlined in https://github.com/Microsoft/MIMDocs/blob/master/MIMDocs/DeployUse/working-with-self-service-password-reset.md

Scripting the generation & creation of Microsoft Identity Manager Sets/Workflows/Sync & Management Policy Rules with the Lithnet Resource Management PowerShell Module

Introduction

Yes, that title is quite a mouthful. And this post is going to be quite long. But worth the read if you are having to create a number of rules in Microsoft/Forefront Identity Manager, or even more so the same rule in multiple environments (eg. Dev, Staging, Production).
My colleague David Minnelli introduced using the Lithnet RMA PowerShell Module and the Import-RMConfig cmdlet recently for bulk creation of MIM Sets and MPRs. David has a lot of the background on Import-RMConfig and getting started with it.…

FIM: An object with DN "CN=BLAH" already exists in management agent "BLAH MA"

If you treat the FIM Synchronization Service well and your configuration is good, it will reward you and the ‘magic’ will happen. At my customer site, the ‘magic’ stopped working and I was faced with an increasing number of synchronization errors being ‘An object with DN "CN=<blah>" already exists in management agent "<blah> MA"’. For users that were already provisioned correctly, the FIM Synchronization Service was attempting to re-provision a duplicate object in the destination directory, but obviously the account already existed.…

Diagnosing FIM/MIM 'kerberos-no-logon-server' error on an Active Directory Management Agent

Overview

I have a complex customer environment where Microsoft Identity Manager is managing identities across three Active Directory Forests. The Forests all serve different purposes and are contained in different network zones. Accordingly there are firewalls between the zone where the MIM Sync Server is located and two of the other AD Forests as shown in the graphic below.

As part of the project the maintainers of the network infrastructure had implemented rules to allow the MIM Sync server to connect to the other two AD Forests.…
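When the error points at firewalls between zones, the first thing to establish is whether the Sync server can actually reach a KDC in each remote forest on the ports the Active Directory MA uses. The following is an added example, not code from the original post: it is run on the MIM Sync server, discovers the KDCs of each forest through the DC-locator SRV record, and tests the TCP ports the AD MA needs. The forest names are constructed placeholders; the script assumes DNS for the remote forests resolves from the Sync server (the AD MA needs that too) and that the DnsClient (Resolve-DnsName) and NetTCPIP (Test-NetConnection) modules that ship with Windows Server 2012 and later are present.

```powershell
# Added example (not from the original post). Run on the MIM Sync server.
# Assumes DNS for each remote forest resolves from this host and that
# Resolve-DnsName (DnsClient) and Test-NetConnection (NetTCPIP) are available.
# The forest names are constructed placeholders.
$forests = @('corp.example.com', 'res.example.com', 'dmz.example.com')

# TCP ports the Active Directory MA needs to reach on a domain controller
$ports = [ordered]@{
    Kerberos = 88
    LDAP     = 389
    LDAPS    = 636
    GC       = 3268
    SMB      = 445
    RPC      = 135   # endpoint mapper; dynamic RPC ports are also needed for password sync
}

function Get-ForestKdc {
    param([Parameter(Mandatory)][string]$Forest)
    # The DC-locator SRV record lists the KDCs (domain controllers) of the forest root domain
    Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Forest" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-ForestPorts {
    param(
        [Parameter(Mandatory)][string]$Forest,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Ports
    )
    foreach ($dc in Get-ForestKdc -Forest $Forest) {
        foreach ($service in $Ports.Keys) {
            $r = Test-NetConnection -ComputerName $dc -Port $Ports[$service] -WarningAction SilentlyContinue
            [pscustomobject]@{
                Forest  = $Forest
                DC      = $dc
                Service = $service
                Port    = $Ports[$service]
                TcpOpen = $r.TcpTestSucceeded
            }
        }
    }
}

$results = foreach ($f in $forests) {
    try { Test-ForestPorts -Forest $f -Ports $ports }
    catch { Write-Warning "SRV lookup failed for ${f}: $_" }
}

$results | Sort-Object Forest, DC, Port | Format-Table -AutoSize

# DCs whose Kerberos port is blocked from here are the ones to raise with the network team
$results | Where-Object { $_.Service -eq 'Kerberos' -and -not $_.TcpOpen }
```

Two caveats: the check only covers TCP, and a reachable port 88 proves reachability, not that the MA's service account can obtain a ticket (an SPN, time-skew or DNS suffix problem will still fail later). Conversely, if the SRV lookup itself fails, the Sync server cannot locate a KDC at all, which is a DNS problem to fix before looking at the firewall rules.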

An alternate method for dealing with Orphaned MetaVerse Objects

Update 21 April ’17. The LithnetMIISAutomation PS Module now has a -Force switch for Delete-CSObject
As often happens in development environments, data changes, configurations change and at some point you end up with a whole bunch of objects that are in no-man's land. This happened to me today. I had thousands of objects that were basically empty but had previously been triggered to be exported to the MIM Service prior to them actually being deleted from the source management agent.…

Bulk create and update related configuration objects in FIM/MIM using the Lithnet Import-RMConfig cmdlet

Working on a FIM implementation for a customer, I needed to bulk create and update a number of related Sets and MPRs which granted permissions to users. I could have performed this task a number of ways:

  • Manually create and update all objects
  • Scripted in PowerShell using FIM Automation
  • Scripted using the Lithnet FIM/MIM Service PowerShell Module

I’ve been successfully using the Lithnet FIM/MIM Service PowerShell Module in a number of scripts to query and bulk create objects in the FIM Service which has greatly improved the quality and simplicity of my PowerShell scripts compared to using the FIM Automation module.…
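The point of Import-RMConfig is that related objects (a Set and the MPR that grants rights to it) live in one declarative file that can be applied repeatedly against Dev, Staging and Production. The block below is an added example, not the post's or David Minnelli's code: it writes one such file from a here-string, previews it, then imports it. The Set name, filter and MPR attributes are constructed placeholders; the element names (ResourceOperation, AnchorAttributes, AttributeOperation with type="filter", "xmlref" and "ref") follow the Lithnet RMA configuration-sync schema as documented by the module and are assumptions to verify against the module's wiki, as are the -File and -Preview parameters of Import-RMConfig.

```powershell
# Added example (not from the original post). Assumes the Lithnet Resource Management
# PowerShell module (LithnetRMA) is installed and can reach the MIM Service; the Set, filter
# and MPR values are constructed placeholders, and the XML element names are assumptions
# to verify against the module's documentation.
Import-Module LithnetRMA

# Point at a remote MIM Service if not running on the service host itself
# Set-ResourceManagementClient -BaseAddress 'http://mimservice.corp.example.com:5725'

$config = @'
<Lithnet.ResourceManagement.ConfigSync>
  <Operations>
    <!-- The Set: "Add Update" creates it if missing, otherwise updates the listed attributes.
         The anchor attribute is how an existing object is matched on re-runs. -->
    <ResourceOperation operation="Add Update" resourceType="Set" id="set-helpdesk">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">_Helpdesk Operators</AttributeOperation>
        <AttributeOperation operation="replace" name="Filter" type="filter">/Person[JobTitle = 'Helpdesk']</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>

    <!-- The MPR that grants members of that Set read access to a few user attributes.
         PrincipalSet points at the Set defined above by its id (xmlref);
         ResourceCurrentSet resolves an existing object by XPath (ref). -->
    <ResourceOperation operation="Add Update" resourceType="ManagementPolicyRule" id="mpr-helpdesk-read-users">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">Helpdesk operators can read user attributes</AttributeOperation>
        <AttributeOperation operation="replace" name="ManagementPolicyRuleType">Request</AttributeOperation>
        <AttributeOperation operation="replace" name="GrantRight">true</AttributeOperation>
        <AttributeOperation operation="replace" name="Disabled">false</AttributeOperation>
        <AttributeOperation operation="add" name="ActionType">Read</AttributeOperation>
        <AttributeOperation operation="add" name="ActionParameter">DisplayName</AttributeOperation>
        <AttributeOperation operation="add" name="ActionParameter">AccountName</AttributeOperation>
        <AttributeOperation operation="add" name="ActionParameter">Email</AttributeOperation>
        <AttributeOperation operation="replace" name="PrincipalSet" type="xmlref">set-helpdesk</AttributeOperation>
        <AttributeOperation operation="replace" name="ResourceCurrentSet" type="ref">/Set[DisplayName='All People']</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
  </Operations>
</Lithnet.ResourceManagement.ConfigSync>
'@

$path = Join-Path $env:TEMP 'helpdesk-mpr.xml'
Set-Content -Path $path -Value $config -Encoding UTF8

# Preview first: shows what would be created or changed without touching the FIM Service
Import-RMConfig -File $path -Preview -Verbose

# Apply. Re-running is safe: the anchor attribute matches the existing objects and only
# differing attributes are updated, which is what makes the same file usable per environment.
Import-RMConfig -File $path -Verbose
```

Because the MPR grants rights, treat the file as security configuration: keep it in source control, review changes to ActionParameter and PrincipalSet like code, and keep GrantRight MPRs narrow (explicit attribute lists rather than "*") unless the requirement really is all attributes.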