Saturday, December 24, 2016

Christmastime FIM/MIM Open Source WF Reviews

Over the years since FIM was first beta'd as ILM2 we have seen some cool workflows released as open source. This is my review of the open source workflows I can find. First let me salute everyone who has contributed to the FIM and MIM community with these big undertakings. That said, I am trying to give guidance to my readers as to what is the most useful in various situations, and so I will make specific recommendations.

So what's under the tree for Open Source Workflows?

Project Name: MIMWAL
Authors: JefTek, Nilesh Ghodekar
Last Activity: Oct 2016
Verdict: Gotta have it -- this recent addition to the FIM/MIM world is great! But you must have FIM 2010 R2 (4.1.3496) or later

Project Name: FIM Powershell Workflow Activity
Authors: Craig Martin, Brian Desmond, Henrik Nilsson, James Booth
Last Activity: Sept 2013
Verdict: Superseded (but useful if you still haven't upgraded to FIM R2) -- great when it first came out, but now use MIM WAL instead

Project Name: PowerShell for FIM 2010 WorkFlowActivity (other features reviewed elsewhere)
Authors: Adam Weigert
Last Activity: May 2014
Verdict: Superseded -- also nice when it first came out, but now use MIM WAL instead

Project Name: FIM 2010 Granfeldt Workflow Activity Library
Authors: Soren Granfeldt
Last Activity: Jan 2013
Verdict: Maybe -- if the MIMWAL Run PowerShell Script activity can't get it done or you already have C# code, then use this

Project Name: The Last FIM Workflow You Will Ever Need
Authors: Rebecca Croft
Last Activity: Feb 2013
Verdict: Maybe -- if the MIMWAL Run PowerShell Script activity can't get it done or you already have C# or VB.NET code, then use this

Project Name: FIM Workflow Library
Authors: Dave Nesbitt
Last Activity: June 2014
Verdict: Possible -- if you are storing all of the accountNames or MailNickNames in SQL, then take a look at this

Project Name: ILM 2 RC0 Ensynch Custom Workflow Activity Library
Authors: Joe Zamora
Last Activity: April 2009
Verdict: Hidden nugget -- while this is more of a sample and the UpdateAttributeActivity has been superseded by MIMWAL (and others), the OwnerRollup Activity has value if you need to find a new owner for a group or service account when the existing owner is terminated. Ditto for managing contractors


MIMWAL
WF building block activities (with conditional execution, iteration, rich functions, and a UI framework for creating new WF activities):
  Add Delay
  Create Resource
  Delete Resources
  Generate Unique Value
    Can check FIM and LDAP for conflicts
  Request Approval
  Run PowerShell Script
    Conditional execution
    User password
    Load user profile
    Log on type (batch job, service)
    Script location (use an outside file or embed the script in the WF)
  Send Email Notification
    Can get the email template from XPath or Lookup
    Addresses can come from a Filter Search as well as a Lookup or literal email addresses
    Can suppress notification failure
  Update Resources
  Verify Request

FIM Powershell Workflow Activity
Run PowerShell from Workflows
It has one property -- ScriptPath
Can access Workflow info such as RequestID, TargetID, ActorID, WorkflowDefinitionID, WorkflowDictionary
Decent docs

PowerShell for FIM 2010 WorkFlowActivity
Run PowerShell from FIM/MIM Workflows
Allows you to run as Requestor or as FIMService

Can access Workflow info such as RequestID, TargetID, ActorID, WorkflowDefinitionID, WorkflowDictionary
This module also can help manage FIM Service and FIM Sync and you can implement rules extensions and ECMA using PowerShell scripts

FIM 2010 Granfeldt Workflow Activity Library
WF Activities
Run C# code -- interact with WF Data or FIM Service
Reference libraries
Specify your destination
Create Object
Delete Object
Copy Values

Good solid library for customizing

The Last FIM Workflow You Will Ever Need
Lets you run VB.Net or C# code
Pick your language, the namespaces to use and additional libraries to load; pick your actor; pass in the parameters you need; specify a return type and the destination attribute

Good solid library for customizing and allows you to choose between VB.Net and C#

FIM Workflow Library
Make Account Name -- pulls from SQL table
Make Email Alias
Set Entitlements
Docs very limited
Interesting that it pulls from SQL

ILM 2 RC0 Ensynch Custom Workflow Activity Library
UpdateAttributeActivity - An interim solution to the Function Evaluator limitations.

OwnerRollupActivity - Walk the manager chain to find a suitable owner.
One of the first Custom workflow activity libraries for FIM. Owner Rollup Activity is interesting as it allows you to find a new suitable owner for a Group or service account when the existing owner is terminated.

Disclaimer: some of these have been created by friends of mine and even by an employee. I have tried to review these purely from the view point of utility.

Wednesday, October 19, 2016

MIM 2016 SP1 -- Implications

Earlier this month Microsoft released MIM 2016 SP1
But what does this mean for you?

Biggest Implications

  1. Exchange Online (Office365) for the MIM Service
    1. without losing the ability to approve requests and request groups from within Outlook.
      1. Since lots of orgs are using Office 365, no more embarrassing conversations about these great features you can't have.
  2. Support for other browsers for the MIM Portal
    1. SSPR already supported other browsers, but now the MIM Portal will support Chrome, Firefox and Safari.
      1. This means less customer resistance
  3. Platform Support -- MIM now supports all of the latest platforms: Windows 2016, Active Directory 2016, SQL 2016, SharePoint 2016, Exchange 2016.
    1. Sync, Service and Portal
      1. Can now run on these
    2. Portal can now run on SharePoint 2016
      1. But there is no Foundation version, meaning no free version
        1. So keep running on SharePoint 2013 Foundation for now unless MSFT starts including a license for SharePoint 2016
    3. SharePoint 2016 no longer uses FIM/MIM
      1. You can use MIM, but the default is the new built-in Active Directory Import
      2. If you do use MIM to sync to SharePoint, check Spencer Harbar's notes
    4. BHOLD
      1. The supported platform page lists that with MIM 2016 SP1 BHOLD now supports SQL 2014
        1. Say what? Why not SQL 2016? Is this an error? If true, this implies that BHOLD isn't as highly prioritized.
    5. MIM Certificate Management
      1. Lists the only supported client as Windows 7
        1. Again -- if true, this suggests lower priority. In general most new MFA solutions aren't using smart cards and certs.
    6. PAM now supports Windows Server 2016 and forest functional level 2016
      1. Kerberos tickets are now time limited based on the time left on your role activation
        1. Improved security!

Monday, October 17, 2016

Post Migration Your MIM/FIM Attribute Flow Precedence is Incorrect

Have you ever found that attribute flow precedence is messed up, wrong or otherwise in error just after you followed the steps to migrate your MIM/FIM configuration from Dev to Prod or vice versa? Well, I am finally blogging about a discovery I made. The list of steps (reproduced below from the above link) is incomplete:
  1. Back up the pilot and production environments by using the Backup and Restore procedures.
  2. Export the FIM Service schema configuration.
  3. Export the FIM Synchronization Service configuration.
  4. Export the FIM Service policy and FIM Synchronization Service configuration resources.
  5. Install the FIM Synchronization Service and the FIM Service in the production environment.
  6. Enable the maintenance mode in the production environment.
  7. Import the FIM Service schema configuration.
  8. Import the FIM Synchronization service configuration.
  9. Install the custom DLLs necessary for custom workflows.
  10. Import the FIM Service policy and FIM Synchronization Service configuration.
  11. Disable maintenance mode in the production environment.
After Step 10 "Import the FIM Service Policy" your attribute flow precedence will get messed up if you had changes to inbound sync rules that write to the same attributes as any import attribute flows defined in the management agents.

Here is why: After step 10 you have imported the sync rules into the FIM Service and Portal but until you run an import on the FIM MA those sync rules and their attribute flows are not yet in the sync engine. Once you run the FIM MA import then you have those flows but the precedence may not match the precedence in the source environment.

Solution: After step 10, run a Delta Import and a Delta Sync on the FIM MA. Then re-import the FIM Sync configuration (step 8).

Why this works: This gets the sync rules and their attributes flows into the Sync engine and then reapplies the attribute flow precedence from the source environment.
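Here is how that extra step looks when the migration is scripted. This is an added example, not code from the original post: it runs the two FIM MA run profiles through the same MIIS_ManagementAgent WMI class used elsewhere on this blog and stops if either profile does not come back with "success", so you never re-import the Sync configuration (step 8) on top of a failed run. The MA name "FIMMA" and the profile names "Delta Import" and "Delta Synchronization" are assumptions; use whatever your environment calls them.

```powershell
# Added example (not from the original post). Assumptions: the FIM MA is named "FIMMA" and
# has run profiles "Delta Import" and "Delta Synchronization"; adjust to your environment.

function Invoke-FIMMARunProfiles {
    param(
        [string]   $MAName   = 'FIMMA',
        [string[]] $Profiles = @('Delta Import', 'Delta Synchronization')
    )
    $ma = Get-WmiObject -Class 'MIIS_ManagementAgent' `
            -Namespace 'root\MicrosoftIdentityIntegrationServer' -Filter "Name='$MAName'"
    if ($null -eq $ma) {
        throw "MA '$MAName' not found; check the name in Synchronization Service Manager"
    }

    foreach ($profile in $Profiles) {
        Write-Host "Running '$profile' on $MAName ..."
        # Execute() blocks until the run finishes and returns the run status string
        $status = $ma.Execute($profile).ReturnValue
        if ($status -ne 'success') {
            # Stop here: re-importing the Sync configuration after a failed run would
            # reapply precedence against an incomplete set of sync rule flows
            throw "Run profile '$profile' on $MAName returned '$status'; fix that before re-importing the Sync configuration (step 8)"
        }
    }
    Write-Host "FIM MA is up to date; now re-import the FIM Synchronization Service configuration (step 8) to reapply precedence."
}

Invoke-FIMMARunProfiles
```

Run this on the Sync server between step 10 and the repeat of step 8; if it throws, look at the run history for the failing profile before going any further.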

Tuesday, June 28, 2016

SharePoint MA -- avoid the noise

In using the SharePoint MA from Steve Kean I noticed that some of the fields I imported were coming in with some extra noise or crap at the beginning:


All I really wanted was the 164. While I can use the Word function in a sync rule to get past it, Word(strAttribute,2,"2"), I would really prefer to bypass it altogether.

Well thanks to Jermaine Snipe I found why this happens and how to bypass it:
These are calculated columns and they use the concatenate function. Instead use a Text formula for the calculated column. This of course supposes that you can get the SharePoint developer to change it.

Saturday, February 6, 2016

Check your inputs -- Save your job!

At various times in my 10 years of Identity Management consulting and 25 years working in the IT industry I have been asked to clean up various messes generated by those before me. Some of those messes involved disk failure or other issues that couldn't be completely prevented. But some involved automated processes that didn't check their inputs.

If garbage into a computer gives you garbage out, then garbage into an automated process that doesn't check its inputs gives you a meltdown! Even Disney's Sorcerer's Apprentice in Fantasia illustrates what can go wrong with an automated process.

I have seen the end results when I get called in to fix them: thousands of groups having lost their members (depopulated), or even worse, thousands of users deleted. In the database world unchecked inputs can permit SQL injection attacks. That's why you check them.

What does it mean to check your inputs? First you need to consider what valid inputs are. Then you establish tests that validate the inputs, and if the tests fail they halt your automated process and call someone's attention to it. For example, in Identity Management if a table is your input, is an empty table valid or does that mean the input is wrong? What about only 1 row? What about looking at how the table has changed? If it has 10% more rows than it did last time or yesterday, is that too many? 10% fewer rows? 10% of the rows have changed? I have seen a case where a table was used to populate groups and only one row of data appeared, and that one row was corrupt. The only check on the input was to see if the table had more than zero rows.

Next you need to be concerned about what you are doing with those inputs. My friend and fellow MVP Carol Wapshere cautions against deleting user data based on an absence of data as well as against taking immediately destructive action.

Here is a look at how you can check your inputs with Microsoft Identity Manager (Forefront Identity Manager)

The first place I like to validate my inputs is at the SQL layer before importing into FIM. I like to keep at least one copy of the old data and then compare to that. Do we have too many new rows (>10%), too few rows (<95% of old), too many changes to old data (>15%)? If so, halt and call a human.
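Here is that comparison written out as a function you can drop into the script that loads the HR table. This is an added example, not code from the original post: it compares the fresh load against the saved copy using the thresholds above (new rows over 10%, row count under 95% of old, more than 15% of old rows changed) and throws, which halts the script, when any of them trips. The column names, the EmployeeID key and the sample rows are constructed for the example; in production you would feed it the rows from your staging and snapshot tables (for instance via Invoke-Sqlcmd) rather than the inline data.

```powershell
# Added example (not from the original post). Assumptions: rows are keyed by EmployeeID and
# have been loaded as objects (e.g. from Invoke-Sqlcmd); the sample rows below are constructed.

function Test-HRInput {
    param(
        [Parameter(Mandatory)] [object[]] $Previous,   # rows from the saved copy of the old data
        [Parameter(Mandatory)] [object[]] $Current,    # rows from the fresh load
        [string] $Key = 'EmployeeID',
        [double] $MaxNewPct = 10, [double] $MinRowPct = 95, [double] $MaxChangedPct = 15
    )
    # An empty snapshot or a one-row load is not something to compare; treat both as bad input
    if ($Previous.Count -eq 0) { throw "No saved copy to compare against; refusing to proceed." }
    if ($Current.Count -le 1)  { throw "Current table has $($Current.Count) row(s); input looks wrong." }

    $old = @{}
    foreach ($r in $Previous) { $old[$r.$Key] = $r }
    $columns = $Previous[0].PSObject.Properties.Name | Where-Object { $_ -ne $Key }

    $new = 0; $changed = 0
    foreach ($r in $Current) {
        $prior = $old[$r.$Key]
        if ($null -eq $prior) { $new++; continue }          # key not in the old data: a new row
        foreach ($c in $columns) {                          # any column differs: a changed row
            if ("$($prior.$c)" -ne "$($r.$c)") { $changed++; break }
        }
    }
    $result = [pscustomobject]@{
        NewPct     = [math]::Round(100 * $new / $Previous.Count, 1)
        RowPct     = [math]::Round(100 * $Current.Count / $Previous.Count, 1)
        ChangedPct = [math]::Round(100 * $changed / $Previous.Count, 1)
    }
    $problems = @()
    if ($result.NewPct     -gt $MaxNewPct)     { $problems += "too many new rows ($($result.NewPct)%)" }
    if ($result.RowPct     -lt $MinRowPct)     { $problems += "too few rows ($($result.RowPct)% of old)" }
    if ($result.ChangedPct -gt $MaxChangedPct) { $problems += "too many changed rows ($($result.ChangedPct)%)" }
    if ($problems.Count) {
        throw "HR input failed validation: $($problems -join '; '). Halting - call a human."
    }
    return $result
}

# Constructed sample data: 10 rows in the saved copy; the new load drops two people and renames one
$previous = 1..10 | ForEach-Object { [pscustomobject]@{ EmployeeID = $_; Name = "Emp$_"; Dept = 'IT' } }
$current  = foreach ($r in $previous) {
    if ($r.EmployeeID -gt 8) { continue }                                   # two rows gone
    $name = if ($r.EmployeeID -eq 3) { 'Emp3-renamed' } else { $r.Name }   # one row changed
    [pscustomobject]@{ EmployeeID = $r.EmployeeID; Name = $name; Dept = $r.Dept }
}

# 8 of 10 rows is 80% of old, below the 95% floor, so this throws and the load script should stop
try   { Test-HRInput -Previous $previous -Current $current }
catch { Write-Error $_ }
```

Only copy the fresh load over the saved copy after Test-HRInput returns without throwing; otherwise the bad table becomes tomorrow's baseline and the check is defeated.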

The second place to check is in the script that runs the MAs -- you can check the adds, deletes and updates that have just been imported (as long as you do a stage-only import). You can check either how many are sitting there or how many happened in the run profile you just ran. The former presents a problem in that existing normal disconnectors will be in your count as adds. The latter is more difficult, as you need to find the correct run history, get its details and then parse through the XML. So to solve this you can use the former method a little more intelligently: find out how many disconnectors exist prior to running the import, and then subtract them from your number of ImportAdds.

  $MAName = "HR"
  $ProfileName = "Delta Import"      # a stage-only import profile on this MA
  $Filter = "name='" + $MAName + "'"
  $TheMA = Get-WmiObject -Class "MIIS_ManagementAgent" -Namespace "root\MicrosoftIdentityIntegrationServer" -Filter $Filter
  # Adds already sitting in the connector space (normal disconnectors) before this import
  $PriorImportAdds = $TheMA.NumImportAdd().ReturnValue
  $result = $TheMA.Execute($ProfileName)
  $returnVal = $result.ReturnValue.ToString()
  $NumCSObjs = $TheMA.NumCSObjects().ReturnValue
  if ($NumCSObjs -eq 0) { Write-Error "Empty connector space on $MAName after $ProfileName : $returnVal" -EA Stop }
  # Fill in your own SMTP relay and addresses
  $smtp = New-Object Net.Mail.SmtpClient("smtp.yourdomain.com")
  $from = "mim@yourdomain.com"; $to = "mimadmins@yourdomain.com"
  # Compare with -gt: a bare > in PowerShell is output redirection, not greater-than
  if ((100*($TheMA.NumImportAdd().ReturnValue - $PriorImportAdds)/$NumCSObjs) -gt 10) #10%
  { $smtp.Send($from, $to, "Too many adds", " $MAName $ProfileName : $returnVal Please investigate ")
    Write-Error "Too many adds  $MAName $ProfileName : $returnVal " -EA Stop }
  if ((100*$TheMA.NumImportDelete().ReturnValue/$NumCSObjs) -gt 1) #1%
  { $smtp.Send($from, $to, "Too many deletes", " $MAName $ProfileName : $returnVal Please investigate ")
    Write-Error "Too many deletes  $MAName $ProfileName : $returnVal " -EA Stop }
  if ((100*$TheMA.NumImportUpdate().ReturnValue/$NumCSObjs) -gt 1) #1%
  { $smtp.Send($from, $to, "Too many updates", " $MAName $ProfileName : $returnVal Please investigate ")
    Write-Error "Too many updates  $MAName $ProfileName : $returnVal " -EA Stop }

Later in your script you can check after you run a delta sync to see how many pending changes you have to AD, deletes, updates, and adds. If they exceed your threshold call a human.
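Here is what that post-sync check can look like. This is an added example, not code from the original post: it reads the pending export adds, deletes and updates on the AD MA through the same MIIS_ManagementAgent WMI class the import check above uses, compares each against a percentage of the connector space, and throws before the export profile ever runs. The MA name "AD" and the threshold percentages (10% adds, 1% deletes, 5% updates) are assumptions to tune for your environment.

```powershell
# Added example (not from the original post). Assumptions: the AD MA is named "AD" and the
# thresholds below suit your environment; NumExportAdd/Delete/Update are the MIIS WMI methods
# for changes staged in the connector space but not yet exported.

function Test-PendingExports {
    param(
        [Parameter(Mandatory)] [string] $MAName,
        [double] $MaxAddPct = 10, [double] $MaxDeletePct = 1, [double] $MaxUpdatePct = 5
    )
    $ma = Get-WmiObject -Class 'MIIS_ManagementAgent' `
            -Namespace 'root\MicrosoftIdentityIntegrationServer' -Filter "Name='$MAName'"
    if ($null -eq $ma) { throw "MA '$MAName' not found" }

    $total = [int]$ma.NumCSObjects().ReturnValue
    if ($total -eq 0) { throw "MA '$MAName' has an empty connector space; refusing to export." }

    $pending = [pscustomobject]@{
        Adds    = [int]$ma.NumExportAdd().ReturnValue
        Deletes = [int]$ma.NumExportDelete().ReturnValue
        Updates = [int]$ma.NumExportUpdate().ReturnValue
    }
    # Each pending change type gets its own ceiling; deletes are the most damaging, so the lowest
    $checks = @(
        [pscustomobject]@{ Name = 'adds';    Pending = $pending.Adds;    Max = $MaxAddPct },
        [pscustomobject]@{ Name = 'deletes'; Pending = $pending.Deletes; Max = $MaxDeletePct },
        [pscustomobject]@{ Name = 'updates'; Pending = $pending.Updates; Max = $MaxUpdatePct }
    )
    foreach ($c in $checks) {
        $pct = 100 * $c.Pending / $total
        if ($pct -gt $c.Max) {
            # A terminating error here stops the run script before the export profile is reached
            throw ("Too many pending {0} on {1}: {2} of {3} ({4:N1}% > {5}%). Export not run - call a human." -f
                   $c.Name, $MAName, $c.Pending, $total, $pct, $c.Max)
        }
    }
    return $pending
}

# In the run script, between the delta sync and the export step:
$pending = Test-PendingExports -MAName 'AD'
Write-Host ("AD export is within limits: {0} adds, {1} deletes, {2} updates" -f $pending.Adds, $pending.Deletes, $pending.Updates)
```

Pair this with the same email notification the import check sends, so the person who has to look at the pending changes in the connector space knows the run stopped and why.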

The easiest safeguard to put in place to limit the damage is to limit how many deletes you will process in the export run profile step. This limits how many get deleted. I highly recommend this a quick first step, especially if you have no other safeguards.

This still allows deletions to take place but slows them down, i.e. the first run will delete 50, the next run will delete 50, and so on until all of the deletions take place. But this is more survivable -- especially if you have your script notify you when the step stops.

If you do nothing else, please limit the number of deletes on your export profiles, and remember that MIM (FIM/ILM/MIIS), like all power tools, requires care in use.