In addition to creating groups and users in the privileged forest, you will have to define a PAM role. A PAM role defines the role name, the expiry time (TTL) of an elevation, and the candidate users who may request this role. It can be defined either in the MIM portal or by PowerShell. The following screenshot shows what it looks like in the portal:
The second step is privileged access step-up: when someone wants to use privileged access, she first has to step up, meaning she obtains the actual access privileges for a resource. This can be done with a PowerShell cmdlet or through a new GUI that can be built on MIM's new PAM REST API (the PAM REST API will be available in later CTPs). Under the hood, in the privileged forest, the system adds the right privileged user to the right privileged group. However, unlike in standard security groups, the access privileges do not stay there forever: the group membership, and with it the high privileges, is removed automatically after the pre-configured amount of time. This is a major part of our privileged access protection, called Just-In-Time (JIT) step-up. In the following screenshot, you can see what the elevation PowerShell cmdlet looks like:
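The two steps above (defining the role, then stepping up) as one PowerShell flow, added here as an example rather than taken from the post or its screenshots. It assumes the cmdlet names of the MIM PAM module as shipped in MIM 2016 (New-PAMRole, Get-PAMRoleForRequest, New-PAMRequest, Get-PAMRequest), which the CTP2 module may name differently; all forest, DC, group and user names are constructed placeholders.

```powershell
# Added example, not code from the post. Cmdlet names are those of the
# MIM 2016 PAM module (MIMPAM); the CTP2 module may differ. Forest, DC,
# group and user names below are constructed placeholders.
Import-Module MIMPAM
Import-Module ActiveDirectory

# --- 1. Administrator, in the privileged forest: define the PAM role.
# The shadow group and shadow user are assumed to exist already
# (created with New-PAMGroup / New-PAMUser). The role binds candidates
# to privileges and fixes the TTL (seconds) after which the step-up
# membership is removed automatically.
$privGroup = Get-PAMGroup -DisplayName 'CONTOSO.Domain Admins'   # placeholder
$candidate = Get-PAMUser  -DisplayName 'PRIV.alice'              # placeholder
$role = New-PAMRole -DisplayName 'Domain Admins (JIT)' `
                    -Privileges $privGroup `
                    -Candidates $candidate `
                    -TTL 3600                                    # one hour

# --- 2. Candidate user (PRIV\alice): step up just in time.
# Get-PAMRoleForRequest returns only roles the caller is a candidate for,
# so a non-candidate cannot even see the role, let alone request it.
$jitRole = Get-PAMRoleForRequest | Where-Object DisplayName -eq 'Domain Admins (JIT)'
if (-not $jitRole) { throw 'Caller is not a candidate for this PAM role.' }
$request = New-PAMRequest -Role $jitRole `
                          -Justification 'Change 1234: patch DC (placeholder)' `
                          -RequestedTTL 1800                     # shorter than the role TTL

# --- 3. Check: query the privileged-forest DC directly instead of trusting
# the portal. Right after the request the shadow user must be a member;
# after the TTL elapses, re-running this block must show no membership.
$privDC = 'privdc01.priv.contoso.local'                          # placeholder DC
$member = Get-ADGroupMember -Identity 'CONTOSO.Domain Admins' -Server $privDC |
          Where-Object SamAccountName -eq 'PRIV.alice'
if ($member) {
    Write-Host 'Step-up active: PRIV.alice is a member of CONTOSO.Domain Admins'
    Get-PAMRequest | Format-List                                 # shows the open request and its TTL
} else {
    Write-Host 'No active step-up: membership absent (expired or never granted)'
}
```

Re-running step 3 after the requested TTL is the check that the JIT removal actually happened; a member that is still present at that point is the finding to investigate.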
New in this CTP: Password Reset with Azure MFA
To make the SSPR with MFA story short, you can watch this video demo. In FIM 2010 R2, the self-service password reset (SSPR) enabled two authentication gates:
For the IAM admin, lighting up this functionality is as easy as adding an action to the SSPR flow, as shown in this screenshot:
Note: AAD also has an SSPR functionality; some further details are here.
New in this CTP: Updates to Certificate Manager
To make the CM modernization story short, you can watch this video demo. We have introduced a new Windows Store-style application (modern Windows application) that lets you accomplish self-service tasks that have to do with smart cards, virtual smart cards, and certificate management. So, for example, you can enroll a new virtual smart card for yourself in just a few clicks. You can also renew a certificate, reset the certificate PIN (unblock your smart card), or delete a certificate or smart card. This is what it looks like:
In addition, the modern Windows application relies on a new REST API. The new CM REST API can be used not only by the modern app, but also to develop your own customized CM portal. The REST API is protected by OAuth2, and access to the API can be authenticated by AD FS. Also, you can now require strong authentication to log on to the app, so end-users will need more than a username and password to install a virtual certificate. The new CM REST API enables another important scenario: an information worker can now enroll a new certificate or virtual smart card even when her device is not domain joined. This brings me to a personal story: Last weekend on my way to TechEd, my virtual smart card had expired, so I could not authenticate to my VPN, and therefore could not renew my virtual smart card (and therefore could not authenticate to my VPN… got it?). Immediately I recalled that I take part in our internal CM Windows Store app preview, so I used it to renew my virtual smart card and gained back VPN access. Isn't this awesome?
New in CTP2: Modernized Supported Platforms
In addition to the new capabilities, we have extended our platform support matrix to: