Monday, October 31, 2016

MIM Service Accounts, Groups and Permission Details (MIM and AD Integration)

Source: http://social.technet.microsoft.com/wiki/contents/articles/36005.mim-service-accounts-groups-and-permission-details-mim-and-ad-integration.aspx

The purpose of this document is to provide the details of the service accounts, security groups and permissions required to install and configure Microsoft Identity Manager (MIM) 2016 in your environment. This article also provides PowerShell scripts to automate the service account and group creation process.

MIM Service Account Details

The following table lists the service and administrative accounts required for MIM installation and administration. The "Function" column gives each account's purpose and requirements:

| Account Name | Application | Function | Mail Enabled |
|---|---|---|---|
| MIM_Sync | MIM | MIM Synchronization Service account. The "Microsoft Identity Manager Synchronization Service" runs under this account. Must be secured using GPO. | No |
| MIM_Service | MIM | MIM Service account. The MIM Service runs under this account. Must be secured using GPO. The service's mailbox is used to process requests and approvals. Create this account for the exclusive use of the Identity Management service. | Yes |
| MIM_MIMMA | MIM | MIM management agent account. | No |
| MIM_ADMA | MIM | AD management agent account. Used to read and modify AD objects and attributes. | No |
| MIM_SSPR | MIM – Service and Portal | Account under which the MIM Password Registration and Reset application pool runs in IIS. | No |
| MIM_SP | SharePoint | Database access account; also runs the SharePoint application pool for the FIM portal. | No |
| MIM_Sql | SQL | SQL Server service account. | No |
| MIM_SqlAgent | SQL | Used to run SQL Server Agent. | |
| MIM_SPPA | SharePoint | Primary owner of the SharePoint site collection hosting the MIM Portal (PrimaryOwnerAlias). | No |
| MIM_SPBA | SharePoint | Secondary owner of the SharePoint site collection hosting the MIM Portal (SecondaryOwnerAlias). | No |

Service Account Creation Using a Script

The following PowerShell script automates the service account creation. Each account from the table above is created in the "Service Accounts" OU, given its initial password, enabled, and marked so its password does not expire:

Import-Module ActiveDirectory

# Target OU for the service accounts; adjust to your domain.
$ou = "OU=Service Accounts,DC=MyDomain,DC=com"

# Initial password. Replace "YourPassword" with a strong value before running;
# in production, read it from a prompt or a vault, and give each account its
# own password rather than sharing one across all of them as this lab script does.
$sp = ConvertTo-SecureString "YourPassword" -AsPlainText -Force

# Account name => description, matching the table above
$accounts = [ordered]@{
    'MIM_Sync'     = 'MIM Sync Service Account'
    'MIM_Service'  = 'MIM Service Account'
    'MIM_MIMMA'    = 'MIM Management Agent Account'
    'MIM_ADMA'     = 'MIM AD Agent Account'
    'MIM_SSPR'     = 'MIM Password Registration Pool Account'
    'MIM_SP'       = 'MIM SharePoint Pool Account'
    'MIM_Sql'      = 'MIM SQL Database Access Account'
    'MIM_SqlAgent' = 'MIM SQL Agent Account'
    'MIM_SPPA'     = 'MIM SharePoint Primary Owner Alias'
    'MIM_SPBA'     = 'MIM SharePoint Secondary Owner Alias'
}

foreach ($name in $accounts.Keys) {
    New-ADUser -SamAccountName $name -Name $name -Path $ou -OtherAttributes @{'description' = $accounts[$name]}
    # -Reset performs an administrative reset; without it the cmdlet prompts for the old password
    Set-ADAccountPassword -Identity $name -NewPassword $sp -Reset
    Set-ADUser -Identity $name -Enabled $true -PasswordNeverExpires $true
}

MIM Security Group Details

The following table provides the details of the required security groups:

| Group Name | Type | Members | Function |
|---|---|---|---|
| MIM Administrators | Global | Your MIM administrators | MIM administrators: log on locally to all MIM servers; local admin on all MIM servers; SQL sysadmin |
| MIM SQL Admins | Global | MIM Administrators | |
| MIMSyncAdmins | Global | MIM_Service | Microsoft Identity Manager Synchronization security group: Administrator |
| MIMSyncOperators | Global | | Operator |
| MIMSyncJoiners | Global | | Joiner |
| MIMSyncBrowse | Global | | Connector Browse |
| MIMSyncPasswordReset | Global | | WMI Password Management |

 

Security Group Creation Using a Script

The creation of these groups can be automated using the following PowerShell script (their membership is handled in the next section):

Import-Module ActiveDirectory

# Target OU for the groups; adjust to your domain.
$groupOu = "OU=Groups,DC=domain,DC=com"

# Group name => description, matching the table above
$groups = [ordered]@{
    'MIM Administrators'   = 'Sysco MIM Administrators'
    'MIM SQL Admins'       = 'Sysco MIM SQL Administrators'
    'MIMSyncAdmins'        = 'MIM Sync Admins'
    'MIMSyncOperators'     = 'MIM Sync Operators'
    'MIMSyncJoiners'       = 'MIM Sync Joiners'
    'MIMSyncBrowse'        = 'MIM Sync Browse'
    'MIMSyncPasswordReset' = 'MIM WMI Password Management'
}

foreach ($g in $groups.Keys) {
    New-ADGroup -Name $g -SamAccountName $g -GroupCategory Security -GroupScope Global -Description $groups[$g] -Path $groupOu
}

 

Update Group Membership using a script

The following PowerShell cmdlets populate the required group membership:

# MIM Administrators and the MIM Service account administer the Synchronization Service
Add-ADGroupMember -Identity MIMSyncAdmins -Members "MIM Administrators", MIM_Service

# SQL administration for the MIM databases
Add-ADGroupMember -Identity "MIM SQL Admins" -Members MIMSyncAdmins, MIM_Sql
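As an added example (not part of the original article), the following script audits the accounts and groups defined above and reports drift: missing or disabled accounts, password expiry re-enabled, members missing from or unexpectedly present in the two groups populated above, and any service account that has ended up, directly or through nesting, in a built-in privileged group. The account, group and OU names are the ones used in this article; the list of privileged groups is an assumption.

```powershell
# Added example, not from the original article: audit the MIM service accounts
# and groups created above and report drift from the expected state.
Import-Module ActiveDirectory

# Names from the tables and scripts in this article
$serviceAccounts = 'MIM_Sync', 'MIM_Service', 'MIM_MIMMA', 'MIM_ADMA', 'MIM_SSPR',
                   'MIM_SP', 'MIM_Sql', 'MIM_SqlAgent', 'MIM_SPPA', 'MIM_SPBA'

# Expected direct members, matching the Add-ADGroupMember calls above
$expectedMembers = @{
    'MIMSyncAdmins'  = @('MIM Administrators', 'MIM_Service')
    'MIM SQL Admins' = @('MIMSyncAdmins', 'MIM_Sql')
}

# Assumption: built-in groups that no MIM service account should ever belong to
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Test-MimAccountState {
    $findings = New-Object System.Collections.Generic.List[string]

    # Resolve nested membership of the privileged groups once, not once per account
    $privilegedMembers = foreach ($g in $privilegedGroups) {
        (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue).SamAccountName
    }

    foreach ($name in $serviceAccounts) {
        $u = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties PasswordNeverExpires
        if (-not $u) { $findings.Add("MISSING account: $name"); continue }
        if (-not $u.Enabled) { $findings.Add("DISABLED account: $name") }
        if (-not $u.PasswordNeverExpires) { $findings.Add("Password expiry re-enabled: $name") }
        if ($privilegedMembers -contains $name) {
            $findings.Add("PRIVILEGED membership: $name is in a built-in admin group")
        }
    }

    foreach ($group in $expectedMembers.Keys) {
        $actual = @((Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue).SamAccountName)
        if ($actual.Count -eq 0) { $findings.Add("MISSING or empty group: $group"); continue }
        foreach ($m in $expectedMembers[$group]) {
            if ($actual -notcontains $m) { $findings.Add("MISSING member: $m not in $group") }
        }
        foreach ($m in $actual) {
            if ($expectedMembers[$group] -notcontains $m) { $findings.Add("UNEXPECTED member: $m in $group") }
        }
    }
    return $findings
}

$result = Test-MimAccountState
if ($result.Count -eq 0) {
    Write-Host "All MIM accounts and groups match the expected state."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it after the creation scripts and again on a schedule; an unexpected member in MIM SQL Admins or a service account in Domain Admins is the kind of change worth an alert.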

 

Permissions and Group Policy Objects

Two service accounts run the MIM server components: the MIM Service service account (MIM_Service) and the MIM Synchronization Service service account (MIM_Sync). The MIM MA account is not considered a service account and should be a regular user account. For the MIM Synchronization Service service account to be able to impersonate the MIM MA account, the MIM MA account must be able to log on locally. It is also recommended to enforce the following restrictions on the service accounts:

· Deny logon as a batch job

· Deny logon locally

· Deny access to this computer from the network

The following Group Policy Object (GPO) settings can be used to achieve this:

| Policy | Accounts |
|---|---|
| Policies/Security Settings/Local Policies/User Rights Assignment/Log on as a service | DOMAIN\MIM_Sync, DOMAIN\MIM_MIMMA, DOMAIN\MIM_ADMA, DOMAIN\MIM_Service, DOMAIN\MIM_SP, DOMAIN\MIM_Sql, DOMAIN\MIM_SSPR, DOMAIN\MIM_SqlAgent, DOMAIN\MIM_SPPA, DOMAIN\MIM_SPBA |
| Deny access to this computer from the network | DOMAIN\MIM_Sync, DOMAIN\MIM_Service |
| Deny log on locally | DOMAIN\MIM_Sync, DOMAIN\MIM_Service |
| Policies/Windows Settings/Security Settings/Restricted Groups | DOMAIN\MIM Administrators (member of local Administrators); DOMAIN\MIM_SPPA (member of local Administrators) |

 


Friday, October 21, 2016

Microsoft MVP Friday Five–New Blog

Source - https://blogs.msdn.microsoft.com/mvpawardprogram/2016/10/21/happy-friday-five/

My blog on Microsoft MVP Friday Five -

Santhosh

Microsoft Advanced Threat Analytics (ATA) – Attack Simulation and Demo

Santhosh Sivarajan is a recognized expert in Microsoft technologies. He has extensive experience working on enterprise and cloud Security, identity and access management, and privileged access and account Management projects and solutions. He is the author of two books entitled Windows Server Security and Migration from Windows Server 2008 to Windows Server. He has also published hundreds of articles on various technology sites. Microsoft has recognized Santhosh with the MVP award multiple times for his exceptional contribution to the technical community.

Follow him on Twitter @Santhosh_Sivara

Pete Long

Changing Domain Users’ “User Logon Names” and UPNs

Pete Long is a Technical Consultant working in the North East of England. Previously he’s worked in IT Project management, and as a Consultant for solution providers and channel partners. Pete is an IT Pro with 15 years of both infrastructure and networking experience. One week he may be fitting a firewall for a small SMB, and the following week doing major Domain and Exchange migrations for a multi thousand seat network.

Follow him on Twitter @PeteNetLive

Fabian Gosebrink

How to set up Angular 2 and Webpack in Visual Studio with ASP.NET Core

Fabian Gosebrink is a professional software engineer, Microsoft MVP, and Microsoft Technology Ambassador in Switzerland. He is also a Microsoft Certified Specialist in web application development and a regular speaker at Microsoft events in Switzerland. He helps companies and projects to build web applications with AngularJS, Angular2, ASP.NET, ASP.NET Core, and all the build tools around it. Fabian is very into new technologies and helps to grow his community by leading the biggest German-speaking C# forum, "mycsharp.de".

Follow him on Twitter @FabianGosebrink

Frank Boucher

How I use Azure Logic App, API App and Function App in my life

Frank Boucher is a trusted Microsoft Azure professional with over 15 years of experience in the IT industry. He’s leveraged his expertise in Microsoft Azure in a development role at Lixar IT, an Ottawa-based software company. At work, he leads a dedicated team of developers to advance technology in the mobile, air, and telecommunication industries. Outside of work, he is a sought-after speaker, author, and trusted collaborator on Microsoft Azure.

Follow him on Twitter @fboucheros

Fabian Fernandez

Channel 9 Video: .NET Conf UY v2016 Event Summary

Fabian Fernandez is CEO & Co-Founder of Kaizen Softworks and Organizer & Co-Founder of .NET Conf UY. The 28-year-old is an Agile practitioner, and loves to stay up to date on tech news and startups. In his spare time, he plays guitar and is an extreme sports fanatic. Fabian's been a Microsoft MVP since 2015. He is based in Uruguay.

Follow him on Twitter @kzfabi

Read more at source - https://blogs.msdn.microsoft.com/mvpawardprogram/2016/10/21/happy-friday-five/

Saturday, October 8, 2016

How to Restore Objects from Azure Recycle Bin

Source - http://social.technet.microsoft.com/wiki/contents/articles/35910.how-to-restore-objects-from-azure-recycle-bin.aspx

Azure Recycle Bin – We are all familiar with the AD restore and Recycle Bin functionality. Azure also has a recycle bin. When you delete an object, it is not permanently deleted; by default it stays in the recycle bin for 30 days.

The output of the Get-MsolUser -ReturnDeletedUsers PowerShell cmdlet lists all the objects in the Recycle Bin. Once you have this information, you can either restore an individual object or restore all objects using the Restore-MsolUser PowerShell cmdlet.

The following section provides step-by-step instructions for restoring an object from the Azure Recycle Bin:

1. Open a PowerShell window
2. Import the Azure Active Directory Module for Windows PowerShell
3. Import the MSOnline module
4. Log in to your Azure tenant using the Connect-MsolService cmdlet
5. Run Get-MsolUser -ReturnDeletedUsers to display all the objects in the Recycle Bin
6. Based on the result, we have 5 objects in the Recycle Bin.
7. Use the Restore-MsolUser -UserPrincipalName <UPN> cmdlet to restore an individual object.
8. Or restore all objects from the Recycle Bin using Get-MsolUser -ReturnDeletedUsers | Restore-MsolUser.
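The procedure above, as an added example that is not part of the original post: it lists the recycle bin with each object's age against the 30-day window, then restores one user while handling the failure mode the simple command does not cover, a UPN or proxy address that a live object has since taken. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the UPNs in the commented call are placeholders.

```powershell
# Added example, not from the original post: report the Azure AD recycle bin
# and restore a single user safely. Assumes Connect-MsolService has been run.
Import-Module MSOnline

function Get-DeletedUserReport {
    # Deletion age lets you spot objects close to the 30-day purge window
    Get-MsolUser -ReturnDeletedUsers -All |
        Select-Object UserPrincipalName, DisplayName, SoftDeletionTimestamp,
            @{ Name = 'DaysSinceDeletion'
               Expression = { [int]((Get-Date) - $_.SoftDeletionTimestamp).TotalDays } }
}

function Restore-DeletedUserSafely {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Used only if a live object already owns the original UPN
        [string] $FallbackUpn
    )
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $deleted) { throw "No deleted user with UPN '$UserPrincipalName' in the recycle bin." }

    # A live user may have been created with the same UPN since the deletion;
    # restoring on top of it fails, so restore under the fallback UPN instead.
    $conflict = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($conflict) {
        if (-not $FallbackUpn) { throw "UPN '$UserPrincipalName' is in use by a live object; supply -FallbackUpn." }
        Write-Warning "UPN conflict for $UserPrincipalName; restoring as $FallbackUpn"
        Restore-MsolUser -UserPrincipalName $UserPrincipalName -NewUserPrincipalName $FallbackUpn -AutoReconcileProxyConflicts
    } else {
        # -AutoReconcileProxyConflicts drops any proxy address now owned by another object
        Restore-MsolUser -UserPrincipalName $UserPrincipalName -AutoReconcileProxyConflicts
    }
}

Get-DeletedUserReport | Format-Table -AutoSize
# Placeholder UPNs; replace with real values before running:
# Restore-DeletedUserSafely -UserPrincipalName 'jdoe@example.com' -FallbackUpn 'jdoe.restored@example.com'
```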

PowerShell cmdlet reference:

1. Get-MsolUser - https://msdn.microsoft.com/en-us/library/azure/dn194109(v=azure.98).aspx
2. Restore-MsolUser - https://msdn.microsoft.com/en-us/library/azure/dn194109(v=azure.98).aspx

Read more at Source - http://social.technet.microsoft.com/wiki/contents/articles/35910.how-to-restore-objects-from-azure-recycle-bin.aspx

Sunday, September 18, 2016

iOS 10–Did Apple Introduce a Ctrl + Alt + Del?

I just upgraded my iPhone to iOS 10. It looks like iOS 10 introduces a Ctrl + Alt + Del for Apple devices? Huh?

With this new upgrade, in order to unlock your phone, you have to press the "Home" button, then enter your PIN. Why do we have to press the Home button? What was the reason for this additional step? This seems like our old Windows Control-Alt-Delete option.


Same as entering a password in the Ctrl+Alt+Del screen.


Yes, there is a reason why I selected a Windows XP image.

I am not sure whether you remember an old interview with Bill Gates: "Bill Gates admits Control-Alt-Delete was a mistake." This new additional step reminds me of iOS's new Control-Alt-Delete invention.

Monday, July 18, 2016

SharePoint Mobile App for iOS

Source - https://blogs.office.com/2016/06/21/your-intranet-in-your-pocket-the-sharepoint-mobile-app-for-ios-is-now-available/

Last month, we unveiled a new vision for the future of SharePoint, and today we're pleased to release the new SharePoint mobile app for iOS. Install it now and take your intranet with you—your intranet in your pocket. Stay connected to important content, sites, portals and people from across your intranet while on the go. The SharePoint mobile journey starts now. This is a first step, and we are excited to continue to build on what we've started. Let's dive in to the details.

Watch this episode of Microsoft Mechanics with Andy Haon, principal group program manager on the SharePoint engineering team, for an in-depth look at the SharePoint mobile app:

The SharePoint mobile app

The new SharePoint mobile app helps you keep your work moving forward by providing quick access to your team sites, organization portals and resources, and even a view into what the people you work with are working on. And this new app is infused with the intelligence of the Microsoft Graph, which applies machine learning to activity in Office 365 to connect you to the relevant documents and people around you. The SharePoint mobile app works with SharePoint Online in Office 365, SharePoint Server (2013 and 2016) on-premises and your hybrid environment. Once you launch the app on your iPhone, you'll be prompted to sign in with your SharePoint credentials. The SharePoint mobile app lets you easily switch between accounts.

Read more at source - https://blogs.office.com/2016/06/21/your-intranet-in-your-pocket-the-sharepoint-mobile-app-for-ios-is-now-available/

Tuesday, July 5, 2016

Advanced Threat Analytics (ATA) Sizing Tool

Source - https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-7371c87f

This utility helps evaluate the overall network traffic on the domain controllers that ATA should monitor. In addition, the tool evaluates their CPU and memory resources for possible Lightweight Gateway deployments.

Before running the utility on a domain member machine, make sure you have .NET 4.5.2 or later installed.

Choose which domain controllers the tool remotely evaluates using one of the following command line parameters:

-DomainFQDN=<Domain FQDN>
Evaluates all the domain controllers in the specified domain.

-InputDCListFile=<File path>
Evaluates all the domain controllers listed in the specified file (one domain controller per line).

-UseCurrent=UserDomain
Evaluates all the domain controllers in the domain of the user running the tool.

-UseCurrent=ComputerDomain
Evaluates all the domain controllers in the domain of the computer running the tool.

-UseCurrent=Forest
Evaluates all the domain controllers in the entire forest.

Read more and download at source - https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-7371c87f

Tuesday, June 21, 2016

Francisco Partners and Elliott Management to Acquire the Dell Software Group

Source - http://software.dell.com/acquisitions/dsg.aspx?utm_campaign=20107-44402-CP-GL-SIMAnnounce_CustProsp&utm_medium=email&utm_source=Eloqua

SAN FRANCISCO & ROUND ROCK, Texas--(BUSINESS WIRE)--Francisco Partners, a leading technology-focused private equity firm, Elliott Management Corporation, and Dell today announced they have signed a definitive agreement for Francisco Partners and Elliott to acquire the Dell Software Group. The agreement bolsters Francisco Partners and Elliott Management's technology portfolios with the addition of Dell Software's diverse combination of security, systems and information management, and data analytics solutions.

"We founded our firm in 1999 to pursue divisional carve outs in the technology sector and today's agreement continues that vision," said Dipanjan "DJ" Deb, Francisco Partners' Chief Executive Officer. "Quest Software and SonicWALL provide mission-critical software to a large and loyal base of over 180,000 customers, and we see significant opportunity to build upon the company's impressive technology and product portfolio. We are excited to be partnering with Elliott Management and want to thank Silver Lake Partners and Dell for their continued partnership."

"Elliott has been a long-term investor in the technology space and today's announcement continues our progress," said Jesse Cohn, Senior Portfolio Manager at Elliott Management. "This acquisition represents a significant deal by Evergreen Coast Capital, Elliott's recently established Menlo Park affiliate. We look forward to working with Francisco Partners to create significant value at these companies."

"Francisco Partners and Elliott Management's deep passion for technology and proven track records in nurturing and building software businesses will enable Dell Software's loyal base of employees to continue delivering innovation," said Tom Sweet, senior vice president and chief financial officer, Dell. "We look forward to continuing to work closely with the Francisco Partners and Elliott Management teams to further enhance the already great relationships Dell Software has with its customers and partners."

Dell Software's comprehensive portfolio of solutions span a number of areas critical to the modern business and IT management landscape, including advanced analytics, database management, data protection, endpoint systems management, identity and access management, Microsoft platform management, network security, and performance monitoring. With Dell Software solutions, organizations of all sizes can better secure, manage, monitor, protect, and analyze information and infrastructure in order to help fuel innovation and drive their businesses forward.

"We see tremendous growth opportunity for these businesses," said Brian Decker, head of security investing at Francisco Partners. "Network security and identity and access management are increasingly strategic imperatives for enterprises and we are thrilled to support the continued product innovation of Quest Software and SonicWALL in these areas."

"We are proud to partner with Francisco Partners to acquire Dell Software from Dell Inc.," said Isaac Kim, Managing Director of Evergreen Coast Capital. "Dell Software has world class products and talented employees, and we look forward to working with the management team to grow revenues and increase value. We believe these companies offer unique value and operational potential."

Read more at source - http://software.dell.com/acquisitions/dsg.aspx?utm_campaign=20107-44402-CP-GL-SIMAnnounce_CustProsp&utm_medium=email&utm_source=Eloqua

Friday, June 17, 2016

Magic Quadrant for Identity and Access Management as a Service

Source - https://info.microsoft.com/EMS-IDaaS-MQ-2016.html?ls=Email

Gartner recognized Microsoft as a Leader, positioned furthest to the right for completeness of vision, in the 2016 Magic Quadrant for Identity and Access Management as a Service, Worldwide.

In only its second year on the Gartner Identity and Access Management as a Service, Worldwide Magic Quadrant, Microsoft was placed in the "Leader" quadrant, far to the right for completeness of vision.

See the difference between the 2005 and 2006 reports. Good job Microsoft!

Download the Gartner report from the source - https://info.microsoft.com/EMS-IDaaS-MQ-2016.html?ls=Email

Friday, June 10, 2016

Latest MVP FridayFive Blog

Source - https://blogs.msdn.microsoft.com/mvpawardprogram/2016/06/10/heres-your-fridayfive/

The latest MVP FridayFive blog is out today. My Azure MFA Authentication Types blog is included in it.

At Last, AI Applications that Work Easily with Faces and Feelings, Not Just Files: Microsoft Azure MVP Jason Milgram @jmilgram

Azure MFA Server—Authentication Types: Enterprise Mobility MVP Santhosh Sivarajan @Santhosh_Sivara

The .NET CLI Decoded: Visual Studio and Development Technologies and Windows Technologies MVP Sam Basu @samidip

Wiki Life: MVP authors & contributors: Visual Studio and Development Technologies and Windows Technologies MVP Ken Cenerelli @KenCenerelli

Using Animations with Xamarin Forms: Windows Development MVP Houssem Dellai @HoussemDellai

Source - https://blogs.msdn.microsoft.com/mvpawardprogram/2016/06/10/heres-your-fridayfive/

Wednesday, June 8, 2016

Azure Active Directory Identity Protection Playbook

Source - https://azure.microsoft.com/en-us/documentation/articles/active-directory-identityprotection-playbook/

Here is an Azure Active Directory Identity Protection Playbook, which can be used to simulate the following risk event types:

• Sign-ins from anonymous IP addresses (easy)
• Sign-ins from unfamiliar locations (moderate)
• Impossible travel to atypical locations (difficult)

Read more at source - https://azure.microsoft.com/en-us/documentation/articles/active-directory-identityprotection-playbook/
