Enabling Exchange Online notification and updating the password used by the Microsoft Identity Manager (FIMService)
Scenario: When using the Exchange Online email notification integration, you are prompted to enter your Exchange Online email account and its password. In most cases you will need to update the password and/or the account later, and the only way to do this is by running the installer in change mode.
Solution: Provide the steps to update the password and email address without needing to run the installer in change mode.
Recently we have also found an issue with the latest hotfix, which the MIM PG team is fixing. When hotfix 4.4.1459.0 is loaded, the values stored in the registry are cleared, which breaks the Exchange Online integration. Below is the current registry location where we store the encrypted password used by the Exchange Online integration:
Location : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service
Key: EncryptedExchangeOnlineAccountPassword
Now that we know the location and the key, we can update the password being used. The first step is to log in as the FIMService account that was specified during install. This can easily be found in services.msc by looking at the log-on account of the service named "Forefront Identity Manager Service".
Next we open PowerShell as that account using runas: RUNAS /user:contoso\MIMService "powershell"
# O365update.ps1
# Author & contributors: David Steadman, Anthony Ho
## RUNAS /user:contoso\MIMService "powershell"
# Log in as the MIMService account and then update the Office 365 login.
# We need to do the following:
# 1. Log in as the FIMService service account to encrypt the password
#    (DPAPI CurrentUser scope, so only that account can decrypt it later).
# 2. Log in as someone with local admin privilege to set the value in the registry.
###############################
Add-Type -AssemblyName System.Security

#$o365user = Read-Host "Please enter office 365 email"
$securePassword = Read-Host "Please enter the password" -AsSecureString
$secureConfirmPassword = Read-Host "Please confirm the password" -AsSecureString

# Pull the plain text out of the SecureStrings, zeroing and freeing the unmanaged copies afterwards.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
$password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureConfirmPassword)
$confirmPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

if ($password -ne $confirmPassword) {
    throw "Password does not match"
}

# Convert the plain text string to a UTF-16 (Unicode) byte array.
$bytes = [System.Text.Encoding]::Unicode.GetBytes($password)

# Encrypt the byte array with DPAPI in the current user's scope.
$encryptedBytes = [System.Security.Cryptography.ProtectedData]::Protect(
    $bytes,
    $null,
    [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$encryptedData = [Convert]::ToBase64String($encryptedBytes)

Write-Host "Encrypted Password" -ForegroundColor Cyan
Write-Host ($encryptedData) -ForegroundColor DarkGreen

# Store the Base64 ciphertext where the FIMService reads it (writing to HKLM requires local admin).
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service" -Name EncryptedExchangeOnlineAccountPassword -Value $encryptedData
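Because the value is protected with DPAPI in CurrentUser scope, two things can silently break the integration: the hotfix clearing the registry value, and the value having been encrypted under the wrong account (for example an admin's own session instead of FIMService). The following check script is an added example, not part of the original post or of MIM itself; it assumes the registry path and value name given above and must be run as the FIMService account, exactly like the update script. It reports whether the value is present and whether it can be decrypted by the current account, without ever printing the password.

```powershell
# Check-ExchangeOnlineSecret.ps1 (added example, not from the original post)
# Run as the FIMService account, e.g. RUNAS /user:contoso\MIMService "powershell",
# because DataProtectionScope::CurrentUser ciphertext can only be unprotected
# by the account that created it. Reading HKLM needs no admin rights.
Add-Type -AssemblyName System.Security

$regPath = 'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service'
$regName = 'EncryptedExchangeOnlineAccountPassword'

function Test-ExchangeOnlineSecret {
    param([string]$Path = $regPath, [string]$Name = $regName)

    $who = "$env:USERDOMAIN\$env:USERNAME"
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue

    # Case 1: value missing or empty (the symptom seen after hotfix 4.4.1459.0).
    if ($null -eq $item -or [string]::IsNullOrEmpty($item.$Name)) {
        return [pscustomobject]@{
            Present = $false; Decryptable = $false; PasswordLength = 0
            Detail = "Value '$Name' is missing or empty; re-run the update script as FIMService"
        }
    }

    # Case 2: value present but not the Base64 text the update script writes.
    try {
        $encryptedBytes = [Convert]::FromBase64String($item.$Name)
    } catch {
        return [pscustomobject]@{
            Present = $true; Decryptable = $false; PasswordLength = 0
            Detail = "Value is present but is not valid Base64"
        }
    }

    # Case 3: try the DPAPI unprotect exactly as the service would.
    try {
        $plainBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $encryptedBytes, $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        # Only the length is reported; the secret itself is never written out.
        $length = [System.Text.Encoding]::Unicode.GetString($plainBytes).Length
        [Array]::Clear($plainBytes, 0, $plainBytes.Length)   # do not leave the secret in memory
        return [pscustomobject]@{
            Present = $true; Decryptable = $true; PasswordLength = $length
            Detail = "Decrypted successfully as $who"
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        return [pscustomobject]@{
            Present = $true; Decryptable = $false; PasswordLength = 0
            Detail = "Present but cannot be decrypted as $who; it was encrypted under a different account"
        }
    }
}

$result = Test-ExchangeOnlineSecret
$result | Format-List
if (-not $result.Decryptable) { exit 1 }
```

A non-zero exit code makes the check usable as a post-hotfix smoke test in a deployment pipeline: run it once as FIMService after every MIM update, and treat "Present = False" as the signal to re-run O365update.ps1 before notifications start failing.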
Hey David, I know this is a bit late but is having the FIM Service account a requirement to be able to send email notifications to Exchange Online? I cannot find a basic guide on minimum requirements. I can send email the old way pre-Office365, but I keep getting connection issues to the Exchange Web Service when I try to use Exchange Online. Thoughts?
What error are you receiving?