Microsoft Identity Manager 2016 SP1 and Exchange Online

Enabling Exchange Online notification and updating the password used by the Microsoft Identity Manager service (FIMService)


Scenario: When you enable the Exchange Online email notification integration, setup prompts you for your Exchange Online email account and its password. In most cases you will have to update the password and/or the account at some point, and the only supported way to do this is to run the installer in change mode.


Solution: Provide the steps to update the password and email address without needing to run the installer in change mode.

Recently we have also found an issue with the latest hotfix, which the MIM product group is fixing: when hotfix 4.4.1459.0 is applied, the values stored in the registry are cleared, which breaks the Exchange Online integration. Below is the current location where the encrypted password used for the Exchange Online integration is stored.

Location : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service

Key: EncryptedExchangeOnlineAccountPassword


Now that we know the location and the key, we can update the password being used. The first step is to log in as the FIMService account that was specified during installation. You can find it easily in services.msc by locating the service named "Forefront Identity Manager Service".


Next, open PowerShell under that account with runas: RUNAS /user:contoso\MIMService "powershell"


Next, run the script provided below. It prompts you for the password (the username prompt is currently commented out; in a later release I will add the step that updates the configuration file). When I ran the script the first time I received an error because, in my lab environment, the MIMService account is not a local admin, so you have two options: add the account as a local admin, or grant it permission to write to the registry key.

I prefer least privilege and grant the account permission to write to the registry key. There is also a third option: dump $encryptedData to Notepad and update the registry value manually.
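The least-privilege option above means giving the service account just enough rights on that one registry key to write the value, rather than local admin. The following script is an added example and is not part of the original post or of MIM itself; the account name CONTOSO\MIMService is an assumption taken from the runas example in this post, and the function names are my own. It must be run from an elevated (local administrator) PowerShell session once, after which the encryption script can run as the service account without admin rights.

```powershell
# Grant-KeyWriteAccess.ps1 (added example, not from the original post)
# Run once from an elevated PowerShell session. Replace $account with the
# account shown as the logon identity of "Forefront Identity Manager Service".
$account = "CONTOSO\MIMService"   # assumption, taken from the post's runas example
$keyPath = "HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service"

function Grant-KeyWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Account,
        [Parameter(Mandatory)] [string] $Path
    )

    $acl = Get-Acl -Path $Path

    # Only what the encryption script needs: read the key and set a value.
    # No FullControl, no Delete, no right to change permissions, and nothing
    # inherited by subkeys (InheritanceFlags None), so the grant stays scoped
    # to this single key.
    $rights = [System.Security.AccessControl.RegistryRights]::ReadKey -bor [System.Security.AccessControl.RegistryRights]::SetValue

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-KeyAccess {
    # Lists the explicit entries for the account so you can confirm the grant
    # is exactly ReadKey + SetValue and not inherited from elsewhere.
    param(
        [Parameter(Mandatory)] [string] $Account,
        [Parameter(Mandatory)] [string] $Path
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

Grant-KeyWriteAccess -Account $account -Path $keyPath
Show-KeyAccess -Account $account -Path $keyPath
```

If Show-KeyAccess later reports FullControl or an inherited entry for the account, something broader than this grant is in place and is worth reviewing; the encryption script only needs to set one value under this key.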


#O365update.ps1
#author & contributors: David Steadman, Anthony Ho
## RUNAS /user:contoso\MIMService "powershell"
#Log in as the MIMService account so the encryption happens under that identity, then update the Office 365 login
#We need to do the following:
#1.    Log in as the FIMService service account to encrypt the password
#2.    Have local admin privilege (or write permission on the key) to set the value in the registry
###############################
Add-Type -AssemblyName System.Security

#$o365user = Read-Host "Please enter office 365 email"
$securePassword = Read-Host "Please enter the password" -AsSecureString
$secureConfirmPassword = Read-Host "Please confirm the password" -AsSecureString

# Pull the plain text out of the SecureStrings just long enough to compare and encrypt,
# and free the unmanaged BSTR copies as soon as they have been read.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
$password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureConfirmPassword)
$confirmPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

if ($password -ne $confirmPassword) {
    throw "Password does not match"
}

# Convert the plain text string to a UTF-16 (Unicode) byte array.
$bytes = [System.Text.Encoding]::Unicode.GetBytes($password)

# Encrypt the byte array with DPAPI in the CurrentUser scope, so only the
# account running this script (the FIMService account) can decrypt it.
$encryptedBytes = [System.Security.Cryptography.ProtectedData]::Protect(
    $bytes,
    $null,
    [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

$encryptedData = [Convert]::ToBase64String($encryptedBytes)
Write-Host "Encrypted Password" -ForegroundColor Cyan
Write-Host ($encryptedData) -ForegroundColor DarkGreen
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service" -Name EncryptedExchangeOnlineAccountPassword -Value $encryptedData
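Because the value is DPAPI ciphertext in the CurrentUser scope, a value that is present is not the same as a value that works: it only decrypts under the account that encrypted it. The script below is an added example, not part of the original post or of MIM; it checks the registry value the way the service will use it, and adds a backup/restore pair for the hotfix problem described above (the Base64 ciphertext can be saved before applying hotfix 4.4.1459.0 and written back if the key comes up empty afterwards). The function names are my own; run it as the FIMService account, for example via RUNAS /user:contoso\MIMService "powershell", so the CurrentUser scope matches.

```powershell
# Test-ExchangeOnlineSecret.ps1 (added example, not from the original post)
# Run as the FIMService account: DPAPI CurrentUser data only decrypts under
# the identity that encrypted it, which is exactly what this check relies on.
Add-Type -AssemblyName System.Security

$keyPath   = "HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service"
$valueName = "EncryptedExchangeOnlineAccountPassword"

function Get-StoredSecret {
    # Returns the Base64 string from the registry, or $null if the value is absent or empty
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrWhiteSpace($item.$valueName)) { return $null }
    return $item.$valueName
}

function Test-ExchangeOnlineSecret {
    $stored = Get-StoredSecret
    if ($null -eq $stored) {
        Write-Warning "$valueName is missing or empty under $keyPath. This is the state the post describes after hotfix 4.4.1459.0; re-run O365update.ps1 or restore a backup."
        return $false
    }
    try {
        $cipherBytes = [Convert]::FromBase64String($stored)
    } catch {
        Write-Warning "$valueName is present but is not valid Base64."
        return $false
    }
    try {
        $plainBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $cipherBytes,
            $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        # We only need to know that it decrypts; wipe the plaintext without ever printing it.
        [Array]::Clear($plainBytes, 0, $plainBytes.Length)
        Write-Host "OK: $valueName decrypts under $env:USERDOMAIN\$env:USERNAME." -ForegroundColor Green
        return $true
    } catch {
        Write-Warning "$valueName is present but does not decrypt as $env:USERDOMAIN\$env:USERNAME. Either this is not the FIMService account, or the value was encrypted by a different account."
        return $false
    }
}

function Backup-ExchangeOnlineSecret {
    # Saves the Base64 ciphertext (not the password) so it can be put back if the hotfix clears the key
    param([Parameter(Mandatory)] [string] $Path)
    $stored = Get-StoredSecret
    if ($null -eq $stored) { throw "Nothing to back up: $valueName is missing or empty." }
    Set-Content -Path $Path -Value $stored -Encoding ASCII
}

function Restore-ExchangeOnlineSecret {
    # Writes the saved ciphertext back and re-checks that it still decrypts under this account
    param([Parameter(Mandatory)] [string] $Path)
    $saved = (Get-Content -Path $Path -Raw).Trim()
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $saved
    return (Test-ExchangeOnlineSecret)
}

# Typical use around the hotfix (paths are placeholders):
#   Backup-ExchangeOnlineSecret -Path "$env:USERPROFILE\o365secret.bak"    # before applying it
#   Test-ExchangeOnlineSecret                                               # after applying it
#   Restore-ExchangeOnlineSecret -Path "$env:USERPROFILE\o365secret.bak"   # only if it came back empty
Test-ExchangeOnlineSecret | Out-Null
```

Restore only works while the FIMService account's DPAPI master keys are intact (same account, same profile); if the account or its profile has been recreated, the saved ciphertext will not decrypt and the password has to be re-entered with O365update.ps1. The restore also needs the same write access to the key as the encryption script.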

David Steadman has written 40 articles

2 thoughts on "Microsoft Identity Manager 2016 SP1 and Exchange Online"

  1. Bryan says:

    Hey David, I know this is a bit late but is having the FIM Service account a requirement to be able to send email notifications to Exchange Online? I cannot find a basic guide on minimum requirements. I can send email the old way pre-Office365, but I keep getting connection issues to the Exchange Web Service when I try to use Exchange Online. Thoughts?
