This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.
First published on MSDN on Aug 18, 2015So here’s a little bit of additional functionality you can bring into your FIM with a little bit of customization. Today’s topic, ladies and gentlemen, is ActiveSync and Outlook Web Access (OWA) and how to bring them into (and manipulate them with) FIM. Scenario: a user goes on extended leave (for months, perhaps). They are not terminated and their email has not been cut off. However, since they are on leave, maybe we want to restrict access to it (such as on a mobile device or via the web interface). By disabling ActiveSync and/or OWA, we have limited their email access while away, but have assured all their email will be sitting there happily waiting on their return.
It is worth noting that this functionality makes use of a custom PowerShell workflow activity (not included).
To begin, we’ll need to create a couple of custom attributes in the Metaverse and portal, as well as a couple of associated bindings. While I’m not going to get into that, a detailed discussion of the process can be found here.
Rather than step through the whole process, I’ll get right to the meat and potatoes:
Attributes:
And bindings:
Next, we’ll need to create a couple of sets to grab the affected user objects. Then, we’ll need workflows to handle the disabling. Finally, we’ll need some management policy rules to fire them off. Again, I won’t go into detail, but a thorough write up of sets can be found here .
Workflow tutorial can be found here.
And discussion of management policy rules (MPRs) can be found here.
The sets:
The workflows:
And the MPRs:
Now, to this point, we have effectively created everything necessary to disable ActiveSync and/or OWA. But what about the re-enabling? The good news here is we can save a few steps. Rather than create new sets, we can reuse the existing ones and configure our MPRs to fire on transition out rather than transition in . In similar fashion, the Powershell from our workflows can be recycled (only a single word need be changed) saving us some time.
Enabling workflows:
And enabling MPRs:
Finally, you may wish to modify your user edit RCDC to include the two new attributes. RCDC tutorial can be found here .
And finally, the finished product:
Aren’t those attributes sweet? Check a box, turn off functionality. And since we’re relying on PS to do the work for us, we do not have to wait on the next sync cycle for changes to take effect. How cool is that?