Monday, March 13, 2017

Assisted password reset add-on for the FIM/MIM portal

Microsoft Identity Manager and its predecessor, Forefront Identity Manager, cater for self-service password reset (SSPR) scenarios with out-of-the-box workflows that support SMS, email, and question/answer authentication. Self-service password reset is a very important capability for any organization and, when properly deployed, can significantly reduce calls to the service desk.

However, even when SSPR is available in an organization, there will always be a percentage of password resets that the service desk performs. It could be that the user is not enrolled in SSPR, that they didn't know SSPR was available, or that their registered SSPR mechanisms are no longer available (e.g., they have a new phone number, or no longer have access to their registered email address). In these cases, the service desk is usually called and a manual password reset is performed. This scenario is not currently supported by MIM directly, which typically results in the service desk dropping back to the AD admin centre or the users and computers console to perform this task.

Today, I'm announcing the release of the Lithnet Assisted Password Reset (APR) add-on for the FIM/MIM portal. This tool integrates with the user RCDC to display a "Reset password" link, allowing quick access to reset the user's password using either a generated or user-specified password.

It's simple, easy to install, and highly customizable.

It supports:
  • Automatically generated random passwords of a configurable length
  • Manually specified passwords
  • An option to force the user to change their password at next logon
  • An option to force the service desk staff member to re-authenticate in order to reset a password
  • Unlocking locked accounts

Visit the GitHub site to get started.

Wednesday, February 22, 2017

User verification add-on for the FIM/MIM Portal

Today I'm releasing a new add-on for the FIM/MIM portal. The Lithnet User Verification Module allows IT staff to use the MIM portal to send an SMS code to a user's mobile phone. This is useful in scenarios where a user calls the service desk and needs to be verified before the service desk can take an action, such as resetting a password or making a requested change to a group that the user owns.

If you have your users registered for SMS-based self-service password reset, then this module is ready for you to use today. It will use the same SmsServiceProvider.dll you created to enable SSPR, and will get the user's mobile number from the msIdmOtpMobilePhone attribute.

There are lots of configuration options available, so if you want to get the mobile number from a different attribute, you can certainly do that. You can also customize the attributes displayed by the tool, change the length of the security code, and even restrict access to the tool to a particular set of users.

You access the tool by adding a new UocHyperLink control to your RCDC as shown below.

A new window will open with a customizable list of user attributes shown. Clicking the Send Code button will generate a unique code and send it to the user's phone.

The code is shown to the service desk operator, and the user receives the code on their phone.

It's a simple, but useful tool for authenticating users over the phone.

Visit the GitHub site to download the latest release and read the installation instructions.

Thursday, February 2, 2017

Announcing v2 of the Lithnet FIM/MIM Service REST API

In 2015, I released the first version of the REST API for the FIM/MIM Service. I designed it to abstract away the complexities of the native SOAP endpoint, and open up the possibilities of integrating with FIM from operating systems and libraries outside of the Windows/.NET ecosystem.

It's been used by many awesome public and private projects since then. Check out Peter Stapf's guide on using it to create PowerApps.

Features have been added over time, usually by request, which means that now, using simple JSON calls, you can perform the following tasks:
  • Create resources
  • Modify resources
  • Delete resources
  • Get a resource
  • Get the current user's permissions on a resource
  • Search for resources
  • Full localization support
  • Getting approval requests
  • Approving or rejecting requests

However, I needed to make some changes to the API that would have broken compatibility with existing versions, so I decided to add another endpoint to this API, and release a new version.

Both versions of the API are contained in the one installation package, and can safely run side-by-side. Any existing applications will continue to work with the v1 API version.

Here is a list of the fixes, enhancements, and new features in the v2 API.

Fixes

  • Fixes an issue where all attribute values were returned as strings, rather than their native JSON data type
  • Fixes an issue where multivalued attributes containing only a single value were serialized as a string, instead of an array

Enhancements

  • Provides flexibility in how resources are returned from the API by allowing the caller to specify:
    • Whether null values should be returned
    • Whether values for single-valued attributes should be returned as arrays
    • Whether the resource should be rendered as a fixed structure that does not depend on knowing the resource schema in advance
  • Aligns the API to a set of REST API guidelines published by Microsoft
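
The two v1 serialization issues listed under the fixes matter most to clients that make access decisions from attribute values: a membership test against a single-valued string becomes a substring match, and the string "false" is truthy. The Python sketch below is an added example, not code from the Lithnet project; the payloads, the MEMBER_ID value, the MULTIVALUED/BOOLEAN schema maps and the helper names are constructed for illustration and do not reproduce the API's documented response format.

```python
import json

# Constructed sample payloads, not captured from a real service. V1_GROUP models
# the v1 behaviour described above; V2_GROUP models typed values and arrays.
MEMBER_ID = "7f3a9c2e-1111-4222-8333-1234567890ab"  # constructed ObjectID
V1_GROUP = json.loads(
    '{"ObjectType": "Group", "DisplayName": "Finance Admins",'
    ' "MembershipLocked": "false", "ExplicitMember": "' + MEMBER_ID + '"}')
V2_GROUP = json.loads(
    '{"ObjectType": "Group", "DisplayName": "Finance Admins",'
    ' "MembershipLocked": false, "ExplicitMember": ["' + MEMBER_ID + '"]}')

# Assumption: the client knows the schema for the attributes it relies on.
MULTIVALUED = {"ExplicitMember"}
BOOLEAN = {"MembershipLocked"}


def naive_is_member(resource, object_id):
    """Unsafe on v1 output: `in` on a str is a substring test."""
    return object_id in resource.get("ExplicitMember", [])


def normalize(resource):
    """Coerce a v1- or v2-style resource into one typed shape."""
    out = {}
    for name, value in resource.items():
        if name in BOOLEAN and isinstance(value, str):
            if value.lower() not in ("true", "false"):
                raise ValueError(f"{name}: not a boolean: {value!r}")
            value = value.lower() == "true"
        if name in MULTIVALUED and not isinstance(value, list):
            value = [] if value is None else [value]
        out[name] = value
    return out


def is_member(resource, object_id):
    """Exact-match membership test that works for both payload shapes."""
    return object_id in normalize(resource).get("ExplicitMember", [])


if __name__ == "__main__":
    print(naive_is_member(V1_GROUP, "7f3a"))  # partial ID against the v1 string
    print(is_member(V1_GROUP, "7f3a"), is_member(V1_GROUP, MEMBER_ID))
    print(normalize(V1_GROUP) == normalize(V2_GROUP))
```

Clients that must keep talking to the v1 endpoint can apply this kind of normalization at the boundary; clients on v2 get typed values and arrays directly.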

New Features

  • Adds support for getting permission hints for each attribute on a resource
  • Adds paged search support

Check out the updated documentation, and download the new version today.