Hi all,
My question is very simple:
If I want to use MIM 2016 to run GalSync between 2x Exchange 2010 SP3 located in 2x forests (with interforest trust), do I need to install Sharepoint at all?
Thanks in advance.
I've tried to search for something like this, but I haven't been able to find anything relevant. I've seen hints that it's not supported, but nothing specific to what I'm trying to do. I'm running the latest update of MIM 2016 with MIMWAL.
What I want to do is have a set or group of users with a criterion that changes somewhat regularly. I want changes in that set/group membership to be emailed to specific people or DLs (i.e. static recipients, not a "welcome" email to new members of the group).
Hi,
I have two questions of a similar kind. I know we can sync data from on-premises AD to the MIM Portal and vice versa. We can also sync data from on-premises AD to SQL. But:
1. Can we sync data from SQL DB to AZURE AD?
1a. If yes, how?
1b. If no, what are the other ways?
2. Can we sync data from SQL DB to On-premises AD?
Thanks
I have an on-prem installation of Microsoft Identity Manager 2016 SP1 with 3 servers as below.
The portal works perfectly in IE, but when we open it from Chrome it shows "Service not available". There are no events on the Service server, but the Portal server logs a "middle tier not available" event in Event Viewer.
The Service account and the Portal pool account are the same, and all SPNs are set on the portal server name, the Service server name, the Service address and the portal address, with delegation to any Kerberos service.
Appreciate your quick response.
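An added example for checking the setup described in the post above (this is not code from the poster or from Microsoft's MIM documentation). It verifies that the HTTP and FIMService SPNs are registered exactly once, shows the delegation settings on the shared account, and then sets the Chrome policy that allows Kerberos credential delegation to the portal host: IE delegates to intranet-zone sites on its own, but Chrome only delegates to hosts listed in AuthNegotiateDelegateAllowlist (AuthNegotiateDelegateWhitelist on builds before 86), which is a common reason a Kerberos-delegating portal works in IE and fails in Chrome. The hostnames and the account name are placeholders and are assumptions, not values from the post.

```powershell
# Added example, not from the original post. Hostnames and account name are assumed placeholders.
Import-Module ActiveDirectory

$portalHost  = 'mimportal.corp.example'    # assumed MIM Portal address
$serviceHost = 'mimservice.corp.example'   # assumed MIM Service address
$poolAccount = 'svc-mim'                   # assumed shared portal-pool / service account (sAMAccountName)

# 1. Each SPN must exist exactly once. "setspn -Q" prints one "CN=..." line per account that
#    holds the SPN, so more than one such line means a duplicate and zero means it is missing.
foreach ($spn in "HTTP/$portalHost", "FIMService/$serviceHost") {
    $out    = setspn -Q $spn
    $owners = @($out | Select-String -Pattern '^CN=' -CaseSensitive)
    switch ($owners.Count) {
        0       { Write-Warning "SPN $spn is not registered" }
        1       { "OK: $spn is held by $($owners[0].Line)" }
        default { Write-Warning "SPN $spn is registered on $($owners.Count) accounts (duplicate)" }
    }
}

# 2. Delegation on the account. TrustedForDelegation = $true is "any service (Kerberos only)";
#    msDS-AllowedToDelegateTo lists constrained targets and would have to contain the FIMService
#    SPN if constrained delegation were used for the portal -> service hop instead.
Get-ADUser -Identity $poolAccount -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo', servicePrincipalName |
    Format-List SamAccountName, TrustedForDelegation, 'msDS-AllowedToDelegateTo', servicePrincipalName

# 3. Chrome delegates Kerberos credentials only to hosts matched by this policy. Writing the
#    Chrome policy registry key is equivalent to the GPO ADMX setting. Both the current and the
#    pre-86 policy name are set so older Chrome builds pick it up too.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
foreach ($name in 'AuthNegotiateDelegateAllowlist', 'AuthNegotiateDelegateWhitelist') {
    New-ItemProperty -Path $policyKey -Name $name -PropertyType String -Value $portalHost -Force | Out-Null
}
Get-ItemProperty -Path $policyKey | Select-Object AuthNegotiateDelegateAllowlist, AuthNegotiateDelegateWhitelist
```

Run steps 1 and 2 on a domain-joined admin host; step 3 goes on the client machine (or into a GPO) and takes effect after Chrome is restarted. Check chrome://policy afterwards to confirm the value was read.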
Hi
I chose by mistake, in the Azure Portal administrator's profile, MINOR instead of ADULT! (That was very silly.)
Now I cannot sign in and can't get support services etc. I can do NOTHING.
In sign in process I get this error message: AADSTS54000: User is not allowed to access application Azure Portal due to Legal Age Group Requirement of application Windows Azure Service Management API.
Can anyone help me?
Please!
Dear All,
I am trying to set EmployeeEndDate by using the following expression, but the problem is the time:
DateTimeAdd(DateTimeNow(),"180.00:00:00.0")
It's adding the current time to employeeEndDate; I want to add a fixed time.
Thanks in Advance,
Shashidhar Joliholi
I am trying to get MIM 2016 installed on a Windows Server 2016 Standard host.
I follow the Deploy MIM 2016 guide as provided by Microsoft.
In the "Set up Windows Server" section of https://docs.microsoft.com/en-us/microsoft-identity-manager/prepare-server-ws2016
I am asked to add the Application Server role. This is deprecated in Windows Server 2016, although the guide is guiding you on Windows Server 2016!!!
In section 7 it says to run these PowerShell commands:
Import-Module ServerManager
Install-WindowsFeature Web-WebServer, Net-Framework-Features, rsat-ad-powershell, Web-Mgmt-Tools, Application-Server, Windows-Identity-Foundation, Server-Media-Foundation, Xps-Viewer -IncludeAllSubFeature -Restart -Source d:\sources\SxS
Seriously WTF Microsoft?
What features are actually required here?
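An added example (not from the poster and not from the Microsoft guide) that deals with the problem above in a way the guide's one-liner does not: it compares the feature names the guide lists against the feature catalogue of the server it runs on, skips the ones this build does not know (Application-Server on Windows Server 2016 is the one the poster hit), and installs the rest without the automatic restart so the result can be inspected first. The SxS source path is the guide's own and is only needed when the side-by-side payload has been removed from the image.

```powershell
# Added example, not from the original post or the Microsoft guide.
Import-Module ServerManager

# The feature names exactly as the guide lists them.
$wanted = 'Web-WebServer', 'Net-Framework-Features', 'RSAT-AD-PowerShell', 'Web-Mgmt-Tools',
          'Application-Server', 'Windows-Identity-Foundation', 'Server-Media-Foundation', 'XPS-Viewer'

# Every role/feature name this OS build knows about (Get-WindowsFeature with an unknown
# name errors out, so the catalogue is read once and compared locally instead).
$catalog = Get-WindowsFeature | Select-Object -ExpandProperty Name
$missing = @($wanted | Where-Object { $_ -notin $catalog })
$present = @($wanted | Where-Object { $_ -in    $catalog })

if ($missing.Count -gt 0) {
    Write-Warning "Not available on this build and skipped: $($missing -join ', ')"
}

# Install only what exists. No -Restart here: report first, reboot deliberately afterwards.
$result = Install-WindowsFeature -Name $present -IncludeAllSubFeature -Source 'd:\sources\SxS'
$result | Format-Table Success, RestartNeeded, ExitCode -AutoSize

# Anything still not installed after the call is a real failure, not a naming problem.
Get-WindowsFeature -Name $present |
    Where-Object { $_.InstallState -ne 'Installed' } |
    Format-Table Name, InstallState -AutoSize

if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required before continuing with MIM setup.' }
```

The warning line tells you precisely which names the guide uses that do not exist on your build, so the remaining question is only whether MIM needs a replacement for those, not whether the whole command failed on a typo.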
Hi All,
We want to systematically check the existing configuration and status, for example to check whether the AAD Connect Health status is healthy or not.
1) How do we configure controls/custom policies in Azure Active Directory to configure diagnostic log delivery?
2) How do we create a custom policy for health monitoring? (Can PowerShell or the Graph API achieve this?)
Thank you. Awaiting the response.
TL;DR:
Users do not get removed from shadow principals by the PAM Component Service upon manual deactivation of PAM role membership. Removal from regular security groups works as intended. TTL-based group membership also works. Correct access has been granted to the service account.
So I have a 2016 AD domain/forest (PRIV) with MIM 2016 SP1 and PAM configured (4.4.1302.0). I also have a 2012 domain (CORP - One-way trust).
I have configured PAM groups and roles using the cmdlets, which creates a shadow principal object as expected. Any access requests through the API results in the user being added to the shadow principal (with a TTL as expected). So far so good.
But if the role is manually deactivated before the TTL has expired, I can see all the request go through successfully (the TTL of the PAM request is set to 0 and it is expired). However the user is never removed from the shadow principal by the PAM Component service. Yes, the service account has been granted the proper permissions to do so, and no failure audit is logged. It simply seems as it never even tries to remove it from the shadow principal at all. The ETW trace shows a few log messages saying that it found an expired/closed membership and that the user was removed from the shadow principal, so it knows that it's dealing with a shadow principal and not a security group at this stage.
"User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from shadow principal CORP.GroupName (SID 'S-1-5-21-CORP-SID-131870')"
However no removal (or failure events in MIM/Event logs) actually occur.
If I on the other hand create a regular security group and assign a role to it, the above procedure works. The user is added to the group when requested, and if the request is manually closed, the user is removed from the security group by the PAM Component service.
User 'sAMAccountName', (Priv SID 'S-1-5-21-PRIV-SID-1688') was removed from group GroupName (SID 'S-1-5-21-PRIV-SID-3106')
So in other words, log-wise everything looks OK, but when it's dealing with a shadow principal nothing actually happens, even though the logs state that "the user was removed".
Has anyone else run into this and perhaps can shed some light on this behavior?
Andreas
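An added example for the shadow principal behaviour described in the post above (not code from the poster or from Microsoft). It reads the shadow principal's member attribute from the PRIV domain with the per-member TTLs, so the "was removed from shadow principal" trace line can be checked against what the directory actually holds, and shows the manual removal that the PAM Component Service should have performed. It needs the Windows Server 2016 ActiveDirectory RSAT module for -ShowMemberTimeToLive. The domain controller, the user DN and the DC names are placeholders and are assumptions; the shadow principal name is the one from the post.

```powershell
# Added example, not from the original post. DC, domain and user DN are assumed placeholders.
Import-Module ActiveDirectory

$privDc     = 'priv-dc01.priv.example'   # assumed PRIV-forest domain controller
$shadowName = 'CORP.GroupName'           # shadow principal named in the post

# Shadow principals live under the Configuration NC, not in a domain OU.
$configNC  = (Get-ADRootDSE -Server $privDc).configurationNamingContext
$container = "CN=Shadow Principal Configuration,CN=Services,$configNC"

function Get-ShadowPrincipalMember {
    param([Parameter(Mandatory)][string]$Name)
    $sp = Get-ADObject -Server $privDc -SearchBase $container `
            -LDAPFilter "(&(objectClass=msDS-ShadowPrincipal)(cn=$Name))" `
            -Properties member, 'msDS-ShadowPrincipalSid' -ShowMemberTimeToLive
    if (-not $sp) { throw "Shadow principal '$Name' not found under $container" }
    foreach ($m in @($sp.member)) {
        # With -ShowMemberTimeToLive an expiring link is returned as <TTL=seconds,DN>;
        # a permanent link is returned as the bare DN.
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Shadow = $Name; Member = $Matches[2]; TtlSeconds = [int]$Matches[1]; Expiring = $true }
        } else {
            [pscustomobject]@{ Shadow = $Name; Member = $m;          TtlSeconds = $null;            Expiring = $false }
        }
    }
}

function Remove-ShadowPrincipalMember {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$MemberDn)
    $spDn = (Get-ADObject -Server $privDc -SearchBase $container `
                -LDAPFilter "(&(objectClass=msDS-ShadowPrincipal)(cn=$Name))").DistinguishedName
    # Removing by the bare DN clears the link whether or not it carries a TTL. Requires write
    # access to 'member' on the shadow principal, the same right the PAM service account needs.
    if ($PSCmdlet.ShouldProcess($spDn, "remove member $MemberDn")) {
        Set-ADObject -Server $privDc -Identity $spDn -Remove @{ member = $MemberDn }
    }
}

# 1. What the directory holds right now: compare with the ETW "was removed" line.
Get-ShadowPrincipalMember -Name $shadowName | Format-Table -AutoSize

# 2. Dry run of the removal the component service logged but did not perform; drop -WhatIf to apply.
$userDn = 'CN=sAMAccountName,CN=Users,DC=priv,DC=example'   # assumed PRIV user DN
Remove-ShadowPrincipalMember -Name $shadowName -MemberDn $userDn -WhatIf
```

If step 1 still lists the user after the service logged the removal, the discrepancy is between the trace and the directory, not in the logging; running step 2 under the PAM service account's credentials is the quickest way to rule permissions in or out, since a denied write there produces an explicit error instead of silence.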
Hi Guys,
Just set up a new ADFS server and WAP 2016 server. All is working as expected except the HTTP to HTTPS redirect. We have an internal website which needs to be accessed externally. In order to achieve this I used pass-through authentication and published the URL. Now when I go to the external URL (https://subdomain.domain.co.uk) I can get to the site. To make this more user friendly, what I am trying to achieve is that the user can type subdomain.domain.co.uk into the browser and is automatically redirected to the HTTPS URL.
The WAP server is in our DMZ and originally only had port 443/HTTPS traffic allowed to it. Our network guys have now allowed port 80/HTTP to this server as well. I would have thought that by browsing to the URL on HTTP the traffic would have been redirected? Have I missed something here?
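An added example for the redirect question above (not the poster's code and not from Microsoft's WAP documentation). Opening port 80 only lets the request reach WAP; on Windows Server 2016 the HTTP-to-HTTPS redirect is a per-application setting, EnableHTTPRedirect, which is off by default when an application is published. The snippet finds the published application by the external URL from the post, enables the redirect, and then checks from the outside that an HTTP request now gets a 3xx with a Location header pointing at the HTTPS URL. The external URL is the one from the post; everything else is generic.

```powershell
# Added example, not from the original post. Run on the WAP server as a local administrator.
Import-Module WebApplicationProxy

$externalUrl = 'https://subdomain.domain.co.uk/'   # URL from the post

# WAP stores ExternalUrl with a trailing slash, so compare without it.
$app = Get-WebApplicationProxyApplication |
       Where-Object { $_.ExternalUrl.TrimEnd('/') -eq $externalUrl.TrimEnd('/') }
if (-not $app) { throw "No published application with ExternalUrl $externalUrl" }

# Current state: pass-through pre-authentication and the redirect flag, which defaults to False.
$app | Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, EnableHTTPRedirect

# Turn the redirect on for this application only.
Set-WebApplicationProxyApplication -ID $app.ID -EnableHTTPRedirect $true
(Get-WebApplicationProxyApplication -ID $app.ID).EnableHTTPRedirect

# Verify from a client outside the DMZ: with redirects disabled Invoke-WebRequest treats the 3xx
# as an error, so the status and Location header are read from the exception's response object.
function Test-HttpRedirect {
    param([Parameter(Mandatory)][string]$HttpsUrl)
    $httpUrl = $HttpsUrl -replace '^https:', 'http:'
    try {
        $r = Invoke-WebRequest -Uri $httpUrl -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        return [pscustomobject]@{ Url = $httpUrl; Status = [int]$r.StatusCode; Location = $null }
    } catch {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }   # no response at all: port 80 is still filtered somewhere
        return [pscustomobject]@{ Url = $httpUrl; Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    }
}
Test-HttpRedirect -HttpsUrl $externalUrl
```

A Status of 301 or 302 with Location set to the HTTPS URL means WAP is doing the redirect; a timeout or "unable to connect" from outside means the request never reaches the listener, which points back at the firewall rule rather than at WAP.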
I have a PowerShell MA. It fails on export when updating the photo.
Any idea? It worked in a different environment.
Error Name : Replace-Error
Error Details : System.InvalidOperationException: Management agent MicrosoftGraph was not found
at Lithnet.Miiserver.Client.ManagementAgent.MANameToID(String name)
at Lithnet.Miiserver.Client.ManagementAgent.GetManagementAgent(String name)
at Lithnet.Miiserver.Automation.MiisController.GetManagementAgent(String name, Boolean reload)
at Lithnet.Miiserver.Automation.GetCSObject.ProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
Result : Microsoft Graph response passed back to the MA
Nosh Mernacaj, Identity Management Specialist
While creating privileged access accounts for PAM as mentioned in this article
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-6-transition-group-to-pam
I am getting the error below. Any idea what the reason could be?
Good morning,
This is a supported platform enquiry as we are aware that technically only 2008R2, 2012 and 2012R2 environments are supported by FIM 2010. There are plans to migrate to MIM 2016 however timeframes on this are uncertain and we are curious as to possible impact on this service in the following scenario:
Environment – FIM 2010 R2 running on Windows Server 2012, running in a domain called CONNECT, running with a combination of Windows 2008 R2 and Windows 2016 domain controllers.
FIM utilises an Active Directory Domain Services MA to only read information from a number of other “agency” active directories into the FIM metaverse. These ADs are currently at a variety of functional levels.
This information is then written from the metaverse into the CONNECT AD using another Active Directory Domain Services MA.
1. If one of the agencies replaces all of their DCs with Windows Server 2016 (or higher), will FIM continue to be able to read their data into the metaverse?
2. If only Windows 2016 domain controllers remain in the CONNECT domain (with or without a functional level increase), will FIM continue to function normally?
Hopefully I've provided enough information for a considered answer.
Thanks for your time,
Cheers, PF.
Hi,
I have a scenario where I have to replace a Web Service management agent with a SQL management agent. Both are configured to have the same attributes.
What is the best-practice approach to replace the MA without affecting the metaverse data?
Hello,
I have an infrastructure with 2 Active Directory domains and 1 MIM where my company is syncing users, contacts, groups and OU.
It's configured as :
Source AD (domain: examplesource.local) ----> MIM Metaverse ----> Dest. AD (domain: exampledest.local)
For the objects that are in a OU existing on both domain, they are created and are joining the correct OU.
Unfortunately, some OU's are not existing and I would like MIM to create them automatically when it syncs objects of that OU.
In both MAs, I already configured hierarchy provisioning and mapped "ou" and "organizationalUnit".
Is there something that I am missing ?
Thanks.
Sincerely,
Kylian
HI All,
We have upgraded MIM SP1 to SP2 by applying patches (downloaded from the Microsoft website). But after the upgrade, the MIM Portal is not accessible and the page redirects to "_layout/MSILM2/Errorpage.aspx".
Kindly help here.
Thanks,
Deb
Hi.
I'm working with MIM 2016 in a lab environment.
I'm probably missing a step, but I can't seem to get MIM 2016 to create contacts in the OUs of each domain. I have two untrusted domains, contoso and wingtoys. I set up MIM in contoso and created a management agent for both domains. I ran a full import and sync, and I ran an export.
When I check Metaverse Search in MIM, I see all the email accounts from both domains, but these are not showing up in AD as contacts, or in the Exchange address book. What do I need to do to get these into AD?