Working simultaneously with multiple user accounts in O365

Mongo

When you have Windows Integrated Authentication (WIA) turned on for the ADFS server and it is included in the Local Intranet site in IE settings you will always get automatically logged on as the currently logged on user regardless of who you attempt to log on as.

 

So let’s say you have an admin account in O365 called Super-Man@Contoso.com that you want to use for administering O365 while your normal login name is Man@Contoso.com.
You open up an in-private browser window for O365 and enter your login name Super-Man@Contoso.com into the browser window – hoping to get redirected to your ADFS server where you would enter your alternative credentials.
The results: you get redirected to your ADFS server and WIA logs you in as the currently logged on user – Man@Contoso.com.
This is just the flipside of SSO – turning this off to cater for the subset of users that want to use multiple accounts in O365 (typically your admin team) will force all your users to enter credentials specifically rather than use SSO from the current logon credentials.
I.e. you can’t have your cake and eat it*
A quick workaround is to create a shortcut on your desktop that launches a browser using RunAs (f.x. if you have adminaccounts prefixed with Super-):
C:\Windows\System32\runas.exe /user:%userdomain%\Super-%username% “%ProgramFiles%\Internet Explorer\iexplore.exe”

*unless you buy two cakes

Tracing Issued Claims in ADFS

Quick & Dirty scripting tools – the following Powershell script will dump the last X minutes of issued claims on an ADFS server (Assuming Auditing of Issued Claims has been turned on in the AD FS Management MMC).
$timeView=-5
if($Args.count -gt 0) {$timeView=$args[0]}
$StartTime = (Get-Date).AddMinutes($timeView)
$output=Get-WinEvent -FilterHashtable @{
LogName = “Security”;
StartTime = $StartTime;
ID = 501}
$output |fl
“Total issued claims:$($output.Count)  $($timeView) minute view”

Sudden Access Denied in Group Join Approval Workflow in MIM 2016

On a Windows Server 2012 R2 server, running latest version of MIM 2016 on SPS Foundation 2013 with roll-ups; after editing the default Owner Approval workflow I started to get the following error when attempting to Join or Leave any groups with Ownership Approval:

JoinError1Error details:
JoinError2

I cried, then I cried some more.  Then I went and visited Mr. Google (What if Google was a Guy?) and stumbled upon this gem from the Technet forums that turned out to be the resolution… yes, it’s a FIM bug that’s still in MIM… not a feature 🙂

Error message from Event ID 3:

Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
at Microsoft.ResourceManagement.Workflow.Hosting.WorkflowManager.StartWorkflowInstance(Guid workflowInstanceIdentifier, KeyValuePair`2[] additionalParameters)

 

When a new approval workflow is created and approval activity is placed in this workflow it contains the following element in a XOML definition:

(…)

xmlns:ns1=”clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=3.5.0.0 (…)

Pre-Edit

Above is from the standard approval workflow delivered with FIM that works out of the box, after editing the standard workflow or in any custom authorization workflow you create it changes to the following:

Post-Edit

(…) xmlns:ns1=”clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=4.0.0.0, (…)

 

JoinSuccess1

…Editing the XOML in Extended Attributes and changing it back to 3.5.0.0 and saving the workflow resolves the issue.  The bad news is it breaks again the next time you do any editing of the workflow 🙁

 

Details:

https://social.technet.microsoft.com/Forums/en-US/1b76672d-1276-4c71-b9fc-5bb1fcb36877/event-id-3-with-approval-activity?forum=ilm2