Wednesday, September 20, 2017

Announcing Lithnet AutoSync for Microsoft Identity Manager

One of the things that I've always believed was missing from MIM and its predecessors was the ability to automatically 'run' the sync engine. The supported way of 'automating' the sync engine is to develop scripts that call the MIIS WMI methods. However, those scripts usually just cycle through the management agents and run profiles in a predetermined order, at a predetermined interval.

Over the years, I've often thought that there must be a better way than this! When we consider the various operations that can be performed on each management agent, the clues to how to do this start to become clear.

  • Delta import: performed when a change occurs in a connected system
  • Delta synchronization: performed when an import operation stages changes in a connector space
  • Export: performed when a synchronization stages outbound changes in a connector space
  • Confirming import: performed when an export leaves unconfirmed imports in the connector space

In all cases except the delta import, the operations occur within the connector spaces of the sync engine itself. This means that the sync engine already has the information needed to know when a sync, export, or confirming import is required: it's all right there in the run history. All we really have to do is somehow trigger the initial delta import when we know that changes have been made in the connected system.

Today, I'm releasing my solution to this problem - Lithnet AutoSync.

AutoSync is designed to run the sync engine for you. All you need to do is tell it when to run the import operations. You can do this on a schedule (e.g. every 15 minutes), or in response to an event if your connected system supports change detection. Built-in triggers are provided for Active Directory, LDS, and the MIM service, and you can write your own triggers using PowerShell. I've put a community PowerShell trigger gallery page up where you'll eventually be able to find and share trigger scripts for various systems.

Once the import has been triggered, AutoSync takes care of the rest. If the import results in staged changes in the connector space, a delta sync is performed. If the delta sync stages outbound changes on other management agents, then export operations are performed. After those exports, confirming imports are performed, and the cycle continues.

AutoSync is fast. By ensuring run profiles are executed only when needed, AutoSync keeps the sync engine from doing work it doesn't need to do. When combined with event-based triggers, the sync engine can respond to changes in connected systems in as close to real-time as possible. AutoSync allows for the fastest propagation of changes possible, while respecting the sync engine rules for overlapping run profiles.

AutoSync follows the Microsoft guidelines when it comes to running multiple management agents simultaneously. While import and export operations are allowed to overlap, synchronizations must be run exclusively.
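The chaining described above (delta import, then delta sync only if something was staged, then exports, then confirming imports) together with the rule that imports and exports may overlap while a synchronization runs alone, as an added Python model. This is a constructed example, not AutoSync's code: the `flows` table stands in for the sync rules, and the AD, MIM Service and LDS agents and their change counts are made up for the scenario.

```python
from dataclasses import dataclass

@dataclass
class ManagementAgent:
    name: str
    staged_imports: int = 0       # inbound changes staged by an import, awaiting a sync
    staged_exports: int = 0       # outbound changes staged by a sync, awaiting an export
    unconfirmed_exports: int = 0  # exported changes awaiting a confirming import

class AutoSyncModel:
    """Toy model of the AutoSync cycle (constructed example, not the project's code)."""
    def __init__(self, agents, flows):
        self.agents = {a.name: a for a in agents}
        self.flows = flows             # flows[source_ma] = {target_ma: outbound changes per inbound change}
        self.connected_changes = {}    # changes a trigger has reported but not yet imported

    def trigger(self, ma_name, changes):
        """A trigger fires for one MA; returns the waves of operations that followed."""
        self.connected_changes[ma_name] = changes
        pending, waves = [("delta import", ma_name)], []
        while pending:
            # Imports and exports may overlap, so they run together in one wave;
            # a synchronization must run exclusively, so it gets a wave of its own.
            others = [p for p in pending if p[0] != "delta sync"]
            wave = others if others else pending[:1]
            pending = [p for p in pending if p not in wave]
            waves.append(wave)
            for op, name in wave:
                pending += [f for f in self._run(op, name) if f not in pending]
        return waves

    def _run(self, op, name):
        """Run one operation; return the operations the run history now calls for."""
        ma, follow_ups = self.agents[name], []
        if op == "delta import":
            ma.staged_imports += self.connected_changes.pop(name, 0)
            if ma.staged_imports:                      # nothing staged, nothing to sync
                follow_ups.append(("delta sync", name))
        elif op == "delta sync":
            for target, per_change in self.flows.get(name, {}).items():
                if ma.staged_imports * per_change:
                    self.agents[target].staged_exports += ma.staged_imports * per_change
                    follow_ups.append(("export", target))
            ma.staged_imports = 0
        elif op == "export":
            ma.unconfirmed_exports, ma.staged_exports = ma.staged_exports, 0
            follow_ups.append(("confirming import", name))
        elif op == "confirming import":
            ma.unconfirmed_exports = 0                 # confirmed; in this model nothing new is staged
        return follow_ups
```

A trigger reporting zero changes produces a single delta import and nothing else, which is the "no unneeded work" property the post describes.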

AutoSync has been in development for over 18 months, and I'm very happy to be sharing this with you today. A special thanks to Piyush Khandelwal is in order, as this project wouldn't have been possible without his many, many hours of diligent testing, bug-finding and feedback. A big thank you to those who have also helped test over the life of the project including Darren Robinson, Søren Granfeldt, and the whole team back at the office who have put up with untold numbers of pre-release builds.

Head over to GitHub to read the getting started guide, and happy auto-syncing!

Monday, March 13, 2017

Assisted password reset add-on for the FIM/MIM portal

Microsoft Identity Manager and its predecessor, Forefront Identity Manager cater for self-service password reset (SSPR) scenarios with out of the box workflows that support SMS, email, and question/answer authentication. Self-service password reset is a very important capability for any organization, and when properly deployed, can significantly reduce calls to the service desk.

However, even when SSPR is available in an organization, there will always be a percentage of password resets that the service desk performs. It could be that the user is not enrolled in SSPR, that they didn't know SSPR was available, or that their registered SSPR mechanisms are no longer available (e.g. they have a new phone number, or no longer have access to their registered email address). In these cases, the service desk is usually called and a manual password reset is performed. This is not a scenario that is currently supported by MIM directly, which typically results in the service desk dropping back to the AD admin centre or the users and computers console to perform this task.

Today, I'm announcing the release of the Lithnet Assisted Password Reset (APR) add-on for the FIM/MIM portal. This tool integrates with the user RCDC to display a "Reset password" link, allowing quick access to reset the user's password using either a generated or user-specified password.

It's simple, easy to install, and highly customizable.

It supports:
  • Automatically generated random passwords of a configurable length
  • Manually specified passwords
  • Optionally forcing the user to change their password at next logon
  • Optionally requiring the service desk staff member to re-authenticate before resetting a password
  • Unlocking locked accounts

Visit the GitHub site to get started.

Wednesday, February 22, 2017

User verification add-on for the FIM/MIM Portal

Today I'm releasing a new add-on for the FIM/MIM portal. The Lithnet User Verification Module allows IT staff to use the MIM portal to send an SMS code to a user's mobile phone. This is useful in scenarios where a user calls the service desk and needs to be verified before the service desk can take an action such as resetting a password or making a change to a group that they own.

If you have your users registered for SMS-based self-service password reset, then this module is ready for you to use today. It will use the same SmsServiceProvider.dll you created to enable SSPR, and will get the user's mobile number from the msIdmOtpMobilePhone attribute.

There are lots of configuration options available, so if you want to get the mobile number from a different attribute, you can certainly do that. You can also customize the attributes displayed by the tool, change the length of the security code, and even restrict access to the tool to a particular set of users.

You access the tool by adding a new UocHyperLink control to your RCDC as shown below.

A new window will open with a customizable list of user attributes shown. Clicking the Send Code button will generate a unique code and send it to the user's phone.

The code is shown to the service desk operator, and the user receives the code on their phone.

It's a simple, but useful tool for authenticating users over the phone.
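The send-code / read-back flow above, as an added Python example (not the module's own code): the `send_sms` callback stands in for the SmsServiceProvider.dll callout, the code length is the module's configurable setting, and the expiry and single-use checks in `verify()` are hardening assumptions this post does not describe.

```python
import hmac
import secrets
import time

DIGITS = "0123456789"

class UserVerification:
    """Issues an SMS code for a caller and checks what they read back over the phone."""

    def __init__(self, send_sms, code_length=6, validity_seconds=300, clock=time.time):
        self.send_sms = send_sms                # stand-in for the SmsServiceProvider callout (assumption)
        self.code_length = code_length          # the module's configurable code length
        self.validity_seconds = validity_seconds
        self.clock = clock                      # injectable so tests can advance time
        self._issued = {}                       # user -> (code, issued_at)

    def send_code(self, user, mobile):
        """Generate a fresh code, text it to the user, and return it for the operator's screen."""
        code = "".join(secrets.choice(DIGITS) for _ in range(self.code_length))  # CSPRNG, not random
        self._issued[user] = (code, self.clock())   # re-issuing replaces any earlier code
        self.send_sms(mobile, f"Your verification code is {code}")
        return code

    def verify(self, user, spoken_code):
        """Compare the code the caller reads back; each issued code gets exactly one check."""
        entry = self._issued.pop(user, None)        # single use: gone whether right or wrong
        if entry is None:
            return "no code issued"
        code, issued_at = entry
        if self.clock() - issued_at > self.validity_seconds:
            return "expired"
        if not hmac.compare_digest(code, spoken_code.strip()):
            return "mismatch"                        # a wrong guess burns the code; no retries
        return "verified"
```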

Visit the GitHub site to download the latest release and read the installation instructions.