MIM Portal & Application Context Authentication

The intention of this write-up is that you are modifying MIM Portal to switch email notifications to use the Application Context Authentication method as opposed to an SMTP relay or other method that uses a log on name and password. Basic Authentication will be deprecated somewhere around October 2022.  A Modern Authentication needs to be used by then.  This write-up addresses that need.

Prerequisites

• MIM Portal version 4.6.421 is the minimum needed.
  • Visit https://www.microsoft.com/en-us/download/details.aspx?id=102887
    • This is the full install file not the hotfix. 
  • Other Hotfixes can be found at https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/version-history
    • If you choose to install 4.6.421 as a hotfix you will need to further configure MIM Service later.
• Verify that the MIM Service account has an Office 365 license
• If using a different account for the Service Email account, verify that it has an Office 365 license as well.
• Create an Application in Azure AD App Registrations for the authentication part. See https://docs.microsoft.com/en-us/microsoft-identity-manager/install-mim-service-portal-azure-ad-premium#registering-application-using-a-powershell-script
  • When running the script, you will get prompted to log in to Azure. A Global Admin and an Exchange Admin will need to be used. You may get prompted once for the Azure AD account and a second time for the Exchange Admin. The MIM Install account does not have to be used.
  • At the end of the script process, be sure to copy the Application ID, Tenant ID, and Client Secret values that are returned to a file before closing the Window.  All three will be needed. 
  • Create-MIMMailboxApp.ps1 script can be found at C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Scripts. If you do not have the scripts you can download them from https://www.microsoft.com/en-us/download/details.aspx?id=10288 and choose Scripts.zip from the download options.

Modify the MIM Service/Portal Configuration

For an existing installation of MIM Portal, access the registry at:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{…}

• Search through the list of Registry Key’s to find Microsoft Identity Manager Service and Portal.
• Locate the UninstallString value and copy the Data information.

Open an Elevated Command Prompt and paste the registry data. 

• To create a log entry for the configuration do the following:
  • At the end of the copied data, add “/lvxi* c:\directory\logfile.log”

Run through the Configuration

After executing the msiexec string in the previous section, follow along the install steps outlined at:

Install Microsoft Identity Manager Service and Portal for Azure AD Premium customers | Microsoft Docs

In Step 2, skip the part about the elevated cmd prompt since you began with the UninstallString data.

Starting at the Welcome Screen, click Next.

• From the Change, repair, or remove installation screen click Change. Click Next.

• At the step below choose Office 365 and then Application Context Authentication. Click Next.

• When you arrive at the Configure Common Services screen, populate the fields with the saved Application ID, Tenant ID, and Client Secret from earlier. Click Next.

• A few screens later you will encounter another screen.  You will need to type the password of the MIM Service account.  The Service Email Account will not require a password at this point but an email address format used in the image will be required. Click Next.

• Finish clicking through the remaining screens.  Click Install when finished making changes.

Check Event Logs

After doing the install, check the Event Viewer.  Navigate to Custom Views | Administrative Events.

You should see Event ID 12 Source Microsoft.ResourceManager

The Forefront Identity Manager Service cannot connect to the Exchange Web Service.

The connection failure may be due to a network failure, firewall configuration error, or other connection issues. Additionally, the failure may be due to incorrect Exchange Web Service configuration.

Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer. Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly. Last, ensure that the Exchange Web Service configuration is correct in the Microsoft.ResourceManagemenet.Service.exe.config file.

Additionally, if you enable a Trace on MIM Service you see:

Could not get access token for office365 mailbox. Probably registry value is empty because token was not obtained.  Please ensure that mailbox configuration is valid and restart service.

NOTE: From MIM Portal version 4.6.607, this error will appear in the Application log in Event Viewer.

Additional Configurations Changes

TLS 1.2 and Strong Ciphers will be needed for everything to work properly.

Disable TLS 1.0 and 1.1, then Enable TLS 1.2.    See https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor#enable-tls-12-on-client-or-server-operating-systems-

Essentially in PowerShell it will look like this:

Disable TLS 1.0

Disable TLS 1.1

Enable Strong Cipher for older .Net Framework

All the PowerShell code listed above for TLS and Strong Ciphers can be written as one PowerShell file and run.  This will reduce implementation of the entire process significantly.

Azure ID storage locations

It is important to note that certain registry locations store the Azure-specific information (e.g., Tenant ID, Application ID, Client ID)

HKLM:\SOFTWARE\ Microsoft\Forefront Identity Manager\2010\Service

Check out EncryptedExchangeOnlineClientSecret (NOTE, this not the actual clientsecret), ExchangeOnlineApplicationID, and ExchangeOnlineTenantID.

O365 Access Token gets written to this location:

HKU:\MIMService_SID\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service

• You will need to look up the mimservice account SID on the server.  From an elevated cmd prompt type:  wmic useraccount get name, sid