I’m speaking at the #HIPConf Hybrid Identity Protection Conference in New York

Next week, I have the honor of participating as speaker at the Hybrid Identity Protection Conference in New York, NY.

Let me quote Sander Berkouwer:For those who attended The Experts Conference (TEC) and NetPro’s Directory Experts Conference (DEC) events previously, the Hybrid Identity Protection Conference promises to be at least as much fun as these events, where you’ve seen the likes of Gil Kirkpatrick, Sean Deuby, Darren Mar-Elia, Brian Desmond, Joe Kaplan, “, of course Sander Berkhouwer,   and not to forget Tomasz Onysko.

For quite a while, the TEC/DEC conference has been the landmark for the MS Identity & Security community, and I would be happy to let the HIPConf take that place.

HIPConf

About the Hybrid Identity Protection Conference

The Hybrid Identity Protection Conference is Semperis Inc.’s event in the spirit of The Expert Conference (TEC) to bring together the leading experts in the field of Identity and Access Management. The event offers a unique opportunity to spend two days on-site in New York with peers, whose day-to-day job is to architect, manage, and protect identity management in the hybrid enterprise.

Attendees are able to meet face-to-face with the leading experts of their field, acquire in-depth technical knowledge, and be exposed to the latest innovation.

(And that’s where the TEC/DEC and HIPConf make the difference with other conferences, which not always allow to meet with the presenters/experts.)

The 2017 Hybrid Identity Protection Conference takes place on November 6th and November 7th at the famous 7 World Trade Center in New York City’s Tribeca neighborhood. Just minutes’ walk from famous landmarks, attractions, museums, and famous restaurants in Manhattan, and with astounding views of the New York skyline.

About my session

As you might notice, my session is taking a bit of a different view on Hybrid Identity, but as important as the technical view.

Tuesday 7/nov: “04:00-05:00 pm – Forget about compliance! Only the GDP mindset will keep you alive”

“With the 2018 GDPR deadline in focus, many businesses with EU customers are feeling like a rabbit frozen in the GDPR headlights… But it’s not the ‘R (regulation) that matters, the GDP does. In this fast moving era of cloud and data centers, information is flowing like water, and perimeter security is so Y2000. Join this presentation to learn how you can leverage best practices to build an end-to-end, layered security, and avoid information spills. “

Join the HIPConf!

There is still time to register.

And as Sander mentioned,  with the Global MVP Summit moved from the November timeframe to March, this is the opportunity to hang out with a group of people and MVPs that have built the Microsoft community for Identity & Security for years…

And I’m looking forward to see them again, after all these years!

Thanks Semperis Inc. to offer this opportunity!

Advertisements

Note-to-self: Short URL for app password in Azure MFA

When you enable MFA (Multifactor Authentication) in Azure, you can configure app passwords for applications that cannot work with the code generators, applications, phone apps to logon with MFA…

The source URL for it is: https://account.activedirectory.windowsazure.com/AppPasswords.aspx

But it’s very likely you can’t remember it anymore after a while, so train your brain for these bookmarks:

Also, these point to the same URL.

 

Note-to-self: You lost access to your initial Office 365 admin?

Although Microsoft has built in quite some methods to regain access to your 0365 tenant/account, you might have some bad luck one day… (experience talking here)

First of all you should try the default options, meaning : the password reset options.

The direct way to get there is the first link to bookmark: https://passwordreset.microsoftonline.com/

Another way to get there is in the 0365 logon page (also for Azure),

o365_1

If you forgot your password or can’t access the account, hit the link at the bottom.
You get directed to :

o365_2

If you know the logon, you can proceed to

o365_3

You notice that the verification is pointing to your alternative mail address or your mobile number…

But what if you forgot your original logon ID (mail address), eg in case you have setup a test tenant in 0365 with an mail address you don’t use frequently? (yes, that happens)

If that is not working or you need more help, check these options:

And if you really ran out of luck: you might raise a ticket and ask for help. https://portal.office.com/support/newsignupservicerequest.aspx

Anyway, as shown there are some options when configuring 0365 that should keep you out of trouble in the first place

  • make sure to add a mobile number to your user account
  • make sure to add a secondary email address to your account (not belonging to your O365 domain)
  • Configure and test MFA (multifactor Authentication), eg with the Authenticator app
  • add a secondary admin account with sufficient rights (with the same security measures!)

Note-to-self: Channel9 – Azure Active Directory Connect: in-place upgrade from legacy tools

Source: https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Azure-Active-Directory-Connect-in-place-upgrade-from-legacy-tools

Andreas Kjellman has published an small, but very interesting bit of video on Channel 9.
You can read more in the Azure AD Connect documentation pages00https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Azure-Active-Directory-Connect-in-place-upgrade-from-legacy-tools/player

You can read more in the Azure AD Connect documentation pages

Additionally, I strongly suggest to have a look at the discussion/comments on the post.

Having a 2nd server is now supported. This is called a “staging server” and more information can be found here: https://azure.microsoft.com/documentation/articles/active-directory-aadconnectsync-operations/#staging-mode.

It is also possible to filter based on OUs. More information on filtering options can be found here: https://azure.microsoft.com/documentation/articles/active-directory-aadconnectsync-configure-filtering/.

Note-to-self: #FIM2010/#MIM2016 Generic SQL Connector technical reference

Please note that Andreas Kjellman published/updated the information on the Generic SQL connector for FIM/MIM

Source:

As described on the tech page:

This article describes the Generic SQL Connector. The article applies to the following products:

  • Microsoft Identity Manager 2016 (MIM2016)
  • Forefront Identity Manager 2010 R2 (FIM2010R2)
    • Must use hotfix 4.1.3461.0 or later KB2870703.

For MIM2016 and FIM2010R2 the Connector is available as a download from the Microsoft Download Center.

/../

The Connector is supported with all 64-bit ODBC drivers. It has been tested with the following:

  • Microsoft SQL Server & SQL Azure
  • IBM DB2 10.x
  • IBM DB2 9.x
  • Oracle 10 & 11g
  • MySQL 5.x

 

You might have some trouble to get to the download link, if so : keep an eye on it and retry later. The download will be activated any time soon…

FIM/MIM Licensing: clarification on the requirement to use CALs

Since the addition of the FIM Service and Portal in FIM 2010, the licensing model changed from a “server only” licensing to “server + CAL” licensing. (NOTE: CAL = Client Access License).

In April 2015 licensing update of FIM/MIM, the server license became virtually free.

The authoritative document that provides you with the full details is the PUR (Products Use Rights) document published by Microsoft.

See my post on the licensing change for all required info: http://aka.ms/LicenseToCAL. It does contain the links to the PUR (in various languages).

You can also check the TechNet Wiki page for the FIM/MIM licensing: http://aka.ms/LicenseToFIM)

 

In short: in general, you do NOT need to buy a FIM/MIM server license anymore, it’s included in the Windows Server license.

Still, keep in mind, some specific situations do require special/additional licenses: check the PUR.

You DO require CALs, which is mentioned by the PUR as:

“A CAL is also required for any person for whom the software issues or manages identity information.”

 

You can acquire FIM CALs via :

  • Forefront Identity Manager 2010 R2 User CAL (device CALs are not available), or
  • Enterprise Mobility Suite User SL, or
  • Microsoft Azure Active Directory Premium

The april 2015 licensing change caused quite some confusion on the CAL requirements (as the FIM/MIM server license became ‘free’…)
One of the important reasons was the following paragraph in the PUR (quote):

“/../

Synchronization Service

A CAL is not required for users only using the Forefront Identity Manager synchronization service. /../”

To rephrase this statement: if you ONLY use the FIM Sync engine, you DO NOT need to buy/acquire any license (you got server license free and CAL not required).

This essentially means that IF you do install the FIM Service (and probably the FIM portal to manage it) and you DO connect the FIM Sync engine to the FIM service via the FIM MA, you DO NEED CALs.

This also applies to BHOLD and FIMCM.

This is how it was phrased by one of the FIM/MIM/AADConnect program managers: “As soon as you have installed the FIM Service MA (or BHOLD or CM) then you have triggered a CAL for everyone in the MV. ” It’s not relevant if the users are in FIM Service or not.

This is also the reason for built-in declarative provisioning (without a need for the FIM Service MA) in Azure AD Connect sync… this puts the FIM/MIM licensing model on the same frequency as the Azure AD connect licensing.

Now, this perfectly answers the question of Henrik on my post on the licensing update.

His question was: “What if you install FIM/MIM Sync and Service, both included in Windows Server licensing but you choose not to add object mappings in FIM/MIM MA for users and groups… This will allow you to import filter based sync rules from FIM/MIM Service.”

The short answer is: you still need to acquire the CAL.

Summary

  • FIM/MIM server license is included in the Windows Server License
  • you DO NEED CALs for FIM/MIM
    • you can purchase CALS or acquire them via EMS/AAD premium/ECS
    • for EVERY person managed
  • 1 EXCEPTION:
    • if you ONLY use the FIM/MIM Sync Engine, you do not need CALs

I hope that this explanation helps you to better understand the FIM/MIM licensing.

Feel free to contact me via any channel if you have any feedback or questions.
Happy licensing!