Channel: Forum Microsoft Identity Manager

MIM 2016 to use for GALSync between 2x Exchange 2010 SP3


Hi all,

My question is very simple:

If I want to use MIM 2016 to run GalSync between 2x Exchange 2010 SP3 located in 2x forests (with interforest trust), do I need to install Sharepoint at all?

Thanks in advance.


Workflow for notification of criteria based group or set membership change


I've tried to search for something like this, but I haven't been able to find anything relevant. I've seen hints that it's not supported, but nothing specific to what I'm trying to do. I'm running the latest update of MIM 2016 with MIMWAL.

What I want to do is have a set or group of users with a criterion that changes somewhat regularly.  I want changes in that set/group membership to be emailed to specific people or DLs (i.e. static, not like a "welcome" email to new members of the group).

Is that something I can do without going to lengths like sending a members attribute out to SQL server to be split and imported back into a separate multivalue attribute?


MIM Sync


Hi,

I have two questions of a similar kind. I know we can sync data from on-premises AD to the MIM portal and vice versa. Also, we can sync data from on-premises AD to SQL, but:

1. Can we sync data from SQL DB to AZURE AD?

  1a. If yes, how?

  1b. If no, what are the other ways?

2. Can we sync data from SQL DB to On-premises AD?

Thanks

MIM Portal not opening on Chrome Error "Service Not Available"


I have an on-prem installation of Microsoft Identity Manager 2016 SP1 with 3 servers as below:

  1. Sync Server
  2. Service Server
  3. Portal Server on SharePoint 2013 Foundation

The portal works perfectly on IE, but when we open it from Chrome it shows "Service not available". There are no events on the Service server, but the Portal server shows an event in Event Viewer saying the middle tier is not available.

The Service account and the Portal pool account are the same, and all SPNs are set on the server name of the portal, the server name of the service, the service address and the portal address, with delegation to any Kerberos service.

I'd appreciate your quick response.

How do I remove parents off my microsoft account?

I received my Xbox as a gift when I was living away from home with my dad and step mum. In turn I must have had to set up a Microsoft account, and somehow they must be the adults on it. I now live back with my mum, and family problems mean I no longer want to speak with my dad and step mum. I recently bought a new laptop, and when I tried to download Chrome I realised I need to ask for parent permission. They are going to ignore the email for sure, and I do not wish to speak to them about removing themselves from my account. I am now 17 and practically an adult, and do not want to have to rely on them for anything. I have so much game progress and things on my account. Is there a way for me to remove them without having to set up a whole new account? Cheers, Tiana.

User is not allowed to access application Azure Portal due to Legal Age Group Requirement


Hi

In the Azure Portal administrator's profile I chose MINOR by mistake, not ADULT! (That was very silly.)

Now I cannot sign in, and I can't get support services etc. I can do NOTHING.

In the sign-in process I get this error message: AADSTS54000: User is not allowed to access application Azure Portal due to Legal Age Group Requirement of application Windows Azure Service Management API.

Can anyone help me?

Please! 


Set Account Expiry for contractors


Dear All,

I am trying to set EmployeeEndDate by using the following expression, but the problem is the time.

DateTimeAdd(DateTimeNow(),"180.00:00:00.0")

It's adding the current time to employeeEndDate. I want to add a fixed time.

Thanks in Advance,

Shashidhar Joliholi

How do we install the "Application Server" role features required by MIM 2016 on Windows 2016 server?


I am trying to get MIM 2016 installed on a Windows Server 2016 Standard host.

I am following the Deploy MIM 2016 guide provided by Microsoft.

In the "Set up Windows Server" section of https://docs.microsoft.com/en-us/microsoft-identity-manager/prepare-server-ws2016

I am asked to add the Application Server role. This is deprecated in Windows Server 2016, although the guide is for Windows Server 2016!!!

In section 7 it says to run these PS commands:

Import-Module ServerManager
Install-WindowsFeature Web-WebServer, Net-Framework-Features,rsat-ad-powershell,Web-Mgmt-Tools,Application-Server,Windows-Identity-Foundation,Server-Media-Foundation,Xps-Viewer -IncludeAllSubFeature -Restart -Source d:\sources\SxS

Seriously WTF Microsoft?

What features are required here?


Azure Security - Support needed urgently


Hi All,

We want to systematically check the existing configuration and status. For example, to check whether the AAD Connect Health status is healthy or not.

So we need a suggestion on whether AAD logs are configured to be pushed to Azure Monitor. Are there any PowerShell cmdlets or Graph API calls that expose these details?

1) How to configure controls/custom policies in Azure Active Directory to configure diagnostic log delivery?
2) How to create a custom policy for health monitoring? (Can PowerShell or the Graph API achieve this?)

Thank you. Awaiting the response.


Possible bug: MIM 2016 PAM and removal of Shadow Principal membership


TL;DR: 
Users do not get removed from shadow principals by the PAM Component Service upon manual deactivation of PAM role membership. Removal from regular security groups works as intended. TTL-based group membership also works. Correct access has been granted to the service account.


So I have a 2016 AD domain/forest (PRIV) with MIM 2016 SP1 and PAM configured (4.4.1302.0). I also have a 2012 domain (CORP, one-way trust).

I have configured PAM groups and roles using the cmdlets, which creates a shadow principal object as expected. Any access request through the API results in the user being added to the shadow principal (with a TTL, as expected). So far so good.

But if the role is manually deactivated before the TTL has expired, I can see all the requests go through successfully (the TTL of the PAM request is set to 0 and it is expired). However, the user is never removed from the shadow principal by the PAM Component service. Yes, the service account has been granted the proper permissions to do so, and no failure audit is logged. It simply seems as if it never even tries to remove it from the shadow principal at all. The ETW trace shows a few log messages saying that it found an expired/closed membership and that the user was removed from the shadow principal, so it knows that it's dealing with a shadow principal and not a security group at this stage.

"User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from shadow principal CORP.GroupName (SID 'S-1-5-21-CORP-SID-131870')"

However no removal (or failure events in MIM/Event logs) actually occur. 

If I on the other hand create a regular security group and assign a role to it, the above procedure works. The user is added to the group when requested, and if the request is manually closed, the user is removed from the security group by the PAM Component service. 

User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from group GroupName (SID 'S-1-5-21-PRIV-SID-3106')

So in other words, log-wise everything looks OK, but when it's dealing with a shadow principal nothing actually happens, even though the logs state that 'the user was removed'.

Has anyone else run into this and perhaps can shed some light on this behavior? 


Andreas


Web Application Proxy (WAP) 2016 http to https Re-direct


Hi Guys,

Just set up a new ADFS server and WAP 2016 server. All is working as expected except the http to https redirect. We have an internal website which needs to be accessed externally. In order to achieve this I used pass-through authentication and published the URL. Now when I go to the external URL (https://subdomain.domain.co.uk) I can get to the site. To make this more user friendly, what I am trying to achieve is that the user can type subdomain.domain.co.uk into the browser and is automatically redirected to the https URL.

The WAP server is in our DMZ and originally only had port 443/HTTPS traffic allowed to it. Our network guys have now allowed port 80/HTTP to this server as well. I would have thought that by browsing to the URL on http the traffic would have been redirected? Have I missed something here?

Sorengranfelft MA Update Photo in Azure fails Replace Error


I have a PowerShell MA from. It fails on export when updating the photo.

Any idea? It worked in a different environment.

Error Name : Replace-Error
Error Details : System.InvalidOperationException: Management agent MicrosoftGraph was not found
   at Lithnet.Miiserver.Client.ManagementAgent.MANameToID(String name)
   at Lithnet.Miiserver.Client.ManagementAgent.GetManagementAgent(String name)
   at Lithnet.Miiserver.Automation.MiisController.GetManagementAgent(String name, Boolean reload)
   at Lithnet.Miiserver.Automation.GetCSObject.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
Result : Microsoft Graph response passed back to the MA


Nosh Mernacaj, Identity Management Specialist

PAM 2016 Transition a group to Privileged Access Management

Windows Server 2016 Domain/Forest Functional Level and FIM 2010 R2


Good morning,

This is a supported-platform enquiry, as we are aware that technically only 2008 R2, 2012 and 2012 R2 environments are supported by FIM 2010. There are plans to migrate to MIM 2016; however, timeframes on this are uncertain, and we are curious as to the possible impact on this service in the following scenario:

Environment – FIM 2010 R2 running on Windows Server 2012, running in a domain called CONNECT, running with a combination of Windows 2008 R2 and Windows 2016 domain controllers.


FIM utilises an Active Directory Domain Services MA to only read information from a number of other "agency" Active Directories into the FIM metaverse. These ADs are currently at a variety of functional levels.

This information is then written from the metaverse into the CONNECT AD using another Active Directory Domain Services MA.


1. If one of the agencies replaces all of their DCs with Windows Server 2016 (or higher), will FIM continue to be able to read their data into the metaverse?


2. If only Windows 2016 domain controllers remain in the CONNECT domain (with or without a functional level increase), will FIM continue to function normally?


Hopefully I've provided enough information for a considered answer.

Thanks for your time,

Cheers, PF.


Replacing MIM Management Agent


Hi,

I have a scenario where I have to replace a Web Service management agent with a SQL management agent. Both are configured to have the same attributes.

What is the best-practice approach to replace the MA without affecting the metaverse data?

Sync users in their OU's


Hello,

I have an infrastructure with 2 Active Directory domains and 1 MIM, where my company is syncing users, contacts, groups and OUs.

It's configured as :

Source AD (domain: examplesource.local) ----> MIM Metaverse ----> Dest. AD (domain: exampledest.local)

For the objects that are in an OU existing on both domains, they are created and join the correct OU.

Unfortunately, some OUs do not exist, and I would like MIM to create them automatically when it syncs objects of that OU.

In both MAs, I already configured hierarchy provisioning and mapped "ou" and "organizationalUnit".

Is there something that I am missing?

Thanks.

Sincerely,

Kylian

MIM Portal not Accessible after MIM SP1 to SP2


HI All,

We have upgraded MIM SP1 to SP2 by applying patches (downloaded from the Microsoft website). But after the upgrade, the MIM portal is not accessible and the page redirects to "_layout/MSILM2/Errorpage.aspx".

Kindly help here.

Thanks,

Deb

How to display the old and the new values in emails

Hi.

I'm trying to send an email after, e.g., a user's last name is changed, and I want to show the old and the new values in the email like this:

"Your name was Kim Westwood, now it's Kim Eastwood."

I have tried to use [//RequestParameter/AllChangesActionTable] but it just shows the new value.

How do I do this?

Thanks.

MIM 2016 GAL Sync - Contacts not created


Hi.

I'm working with MIM 2016 in a lab environment. 

I'm probably missing a step, but I can't seem to get MIM 2016 to create contacts in the OUs of each domain. I have two untrusted domains, contoso and wingtoys. I set up MIM in contoso and created a management agent for both domains. I ran full import and sync, and I ran export.

When I check Metaverse Search in MIM, I see all the email accounts from both domains, but these are not showing up in AD as contacts, or in the Exchange address book. What do I need to do to get these into AD?
