PCNS and Kerberos S4U2Self updating lastLogonTimestamp

While trying to decommission a legacy user domain that was a target for MIM password synchronisation, I noticed that lastLogonTimestamp was being updated whenever a password was changing in another connected forest. It turns out this was because we still had PCNS on Domain Controllers in the legacy forest (for bi-directional password sync), and a ‘feature’ of PCNS is to update lastLogonTimestamp due to a Kerberos S4U2Self network logon. Note that this is still governed by the ‘ms-DS-Logon-Time-Sync-Interval’ attribute (default 14 days) providing a window so that LLT isn’t updated *every* time you log on, only as soon as you fall out of the time sync window.

I poked around a little and I believe this occurs because the pcnssvc.exe calls the AuthzInitializeContextFromSid() function, which appears to perform a network logon of the target user to grab information from the token. This uses the Kerberos 2003 extensions for S4U (service for user). This made it invalid to use lastLogonTimestamp as a mechanism to determine whether accounts are still being logged in to, as PCNS was making it seem like they were!

I also think that anything that uses the S4U extensions will exhibit the same behaviour. For example, to do an equivalent in PowerShell, you can create a new windows identity object with only the UPN, which also results in a network logon of the target account:

  new-object system.security.principal.windowsidentity("user@domain.com")

This results in event 4624 network logon on the local machine - which consequently will fail if the target user doesn’t have SeNetworkLogonRight – ‘Access this computer from the network’ right:

  Logon Information:
 Logon Type:  3
 Restricted Admin Mode: -
 Virtual Account:  No
 Elevated Token:  Yes

  Impersonation Level:  Identification

And looking at the Kerberos conversation, after getting a TGT, it ends doing a AP-REQ using the ‘PA-FOR-USER’ S4U2Self structure:

And once the ticket has been acquired, if you use ‘klist tickets’, you’ll see the krbtgt and the S4U ticket (only showing your user, it won’t display the:

References:

AuthzInitializeContextFromSid function
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376309(v=vs.85).aspx AuthzInitializeContextFromSid attempts to retrieve the user's token group information by performing an S4U logon. AuthzInitializeContextFromSid attempts to retrieve the information available in a logon token had the client actually logged on. An actual logon token provides more information, such as logon type and logon properties, and reflects the behavior of the authentication package used for the logon.

WindowsIdentity Constructor (String)
http://msdn.microsoft.com/en-us/library/td3046fc.aspx
This constructor is intended for use on computers joined only to Windows Server 2003 domains. An exception is thrown for other domain types. This restriction is because the constructor uses the KERB_S4U_LOGON structure.

Kerberos S4U2self
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13
The S4U2self extension allows a service to obtain a service ticket to itself on behalf of a user. The user is identified to the KDC using the user's name and realm. Alternatively, the user might be identified based on the user's certificate. The Kerberos ticket-granting service (TGS) exchange request and response messages, KRB_TGS_REQ and KRB_TGS_REP, are used along with one of two new data structures. The new PA-FOR-USER data structure is used when the user is identified to the KDC by the user name and realm name.

Wayne's World of IT (WWoIT). 

Read more!

FIM/MIM XPath queries

Here are a few XPath queries I've built and collected along the way. It's intriguing how powerful and yet still ultimately rather crappy and limiting FIM XPath can be. And if you want a good explanation of why – try using SQL Profiler to see the resultant T-SQL when the FIM service translates what seems like even a simple XPath query with a few conditions (especially if you're using a negative condition).

You can test any of these with the FIMAutomation snap-in, with two simple commands to export the results, then return the displayname from each ($URI points to your resource management service, typically on port 5725):

$objects = Export-FIMConfig -uri $URI -onlyBaseResources -customConfig $filter
$objects.ResourceManagementObject.ResourceManagementAttributes | where {$_.attributename -eq 'DisplayName'} | select value

Query for failed ERE's matching the specified sync rule
$filter = "/ExpectedRuleEntry[DisplayName='AD: SyncRule1' and StatusError = 'ma-extension-error']"

Find groups that have been modified in the last 10 days
$filter = "/Request[Target = /Group[Type = 'Security'] and Operation = 'Put' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P10D'))]"

People with Attribute1 set to Null
$filter = "/Person[(not(starts-with(Attribute1, '%')))]"

All people that are an owner of one or more groups
$filter = "/Person[ObjectID = /Group/Owner]"

Find groups owned by the specified person
$filter = "/Group[DisplayedOwner=/Person[DisplayName='User1']]"

Find groups that have no Owner or displayedOwner
$filter = "/Group[not(Owner = /Person) and not(DisplayedOwner = /Person)]"

Find all people that have an accountName set
$filter = "/Person[AccountName != '&Invalid&']"

Find all anonymous password resets in the last day
$filter = "/Request[Creator = /Resource[ObjectID = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522'] and RequestStatus = 'Completed' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P1D'))]"

Groups in a set that don't have the required ERE
$filter = "/Group[ObjectID = /Set[DisplayName = 'All Security Groups Internal Global Static Owner Approved']/ComputedMember and not(ExpectedRulesList = /ExpectedRuleEntry)]"

SSPR registered internal enabled people
$filter = "/Person[AccountType = 'Person' and AccountStatus = 'Enabled' and Domain = 'CORP' and not(AuthNLockoutRegistrationID = /GateRegistration)]"

People created in the last 8 hours
$filter = "/Person[CreatedTime >= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('-PT8H'))]"

Find if the specified person is a member of a group
$filter = "/Person[ObjectID = /Group[DisplayName = 'Group1']/ComputedMember and AccountName = 'User1']"

Find distribution groups owned by the specified person
$filter = "/Group[Type='Distribution' and Owner=/Person[AccountName='User1']]"

How many people have filled out the QA gate in the last 8 hours
$filter = "/GateRegistration[GateID = 'authenticationGateActivity3' and CreatedTime >= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration('-PT8H'))]"

Find MA data
$filter = "/ma-data"

People with the specified SKU (multi-valued reference)
$filter = "/Person[Office365ServicePlans = /Office365License[SKU ='E3']]"

People with the specified Office 365 plan
$filter = "/Person[Office365ServicePlans = /Office365License[DisplayName ='E3 Office Pro Plus']]"

MPRs referencing a set of requestsors
$filter = "/ManagementPolicyRule[PrincipalSet=/Set[DisplayName='All Service Desk Users']]"

CORP user unabled without CORP outbound ERE
$filter = "/Person[AccountStatus = 'Enabled' and Domain = 'CORP' and not(ExpectedRulesList = /ExpectedRuleEntry[DisplayName = 'AD: CORP Outbound User'])]"

Security Groups that have one or more deleted owners
$filter = "/Group[Type = 'Security' and Owner = /Person[AccountStatus = 'Deleted']]"

Security Groups that have no owner
$filter = "/Group[Type = 'Security' and not(Owner = /Person)]"

People without an account name (null string attribute check)
$filter = "/Person[not(AccountName != '&NotPresent&') and not(DisplayName = 'Built-in Synchronization Account')]"

People without a display name (null string attribute check)
$filter = "/Person[not(DisplayName != '&NotPresent&')]"

Enabled People without a primary domain
$filter = "/Person[AccountStatus = 'Enabled' and not(Domain != '&NotPresent&')]"

Internal Enabled People without a specific attribute set
$filter = "/Person[Domain = 'CORP' and AccountStatus = 'Enabled' and not(Attribute1 != '&NotPresent&')]"

People synchronised to office 365 but without any licenses
$filter = "/Person[SyncTo365 = True and not(Office365ServicePlans = /Office365License)]"

People locked out for SSPR
$filter = "/Person[ObjectID = /Set[DisplayName = 'All People with Internal Accounts enabled']/ComputedMember and (AuthNWFLockedOut = '9c3aca59-a85c-437f-bb67-9ce5a70521d7')]"

Orphaned ERE's that don't have a parent
$filter = "/ExpectedRuleEntry[not(ResourceParent = /Set[DisplayName = 'All Objects']/ComputedMember)]"

Note that a few of these reference a custom object type of Office 365 license (see this post).

Wayne's World of IT (WWoIT). 

Read more!

Exchange Online Provisioning through MIM

In a complex environment, being in an Exchange hybrid configuration for an extended period of time seems largely unavoidable.

In our Exchange Hybrid configuration, even with 99% of all mailboxes moved to Exchange Online, we’re still very reliant on our on-prem processes and automation, and therefore MIM provisioning.

I spent a while working this out, eventually getting the MIM sync engine ADMA Exchange provisioning extensions to handle all provisioning in Exchange Online.  We provision person, shared, equipment and room mailboxes using this method, with and without archives.

Essentially the ADMA Export will run ‘update-recipient’ and create a MailUser of type RemoteMailbox, Subsequent ADConnect synchronisation will flow msExchRemoteRecipientType, triggering Exchange Online to provision mailboxes and archives accordingly.  For us, this was tied in with group-based licensing to ensure that licenses are allocated in a timely manner.

Based on attribute flow, the result will be MIM either provisioning an on-prem mailbox, or a MailUser remote mailbox object.

• MailUser – Flow mailNickname and targetAddress. Target Address is constructed to be accountName@tenant.mail.onmicrosoft.com
• Remote Mailbox – MailUser + msExchRemoteRecipientType, msExchRecipientTypeDetails and msExchRecipientDisplayType will trigger mailbox creation (and archive for people) in Exchange Online, and ensure recipient type details of a remote mailbox with the correct sub-type (eg room, shared).
• On-prem Mailbox only - mailNickname, msExchHomeServerName and homeMDB

Based on an attribute determining where the mailbox should be created, we use a bunch of ugly nested IIF statements in a custom expression in our outbound initial-flow only rules, such as:

Attribute	Expression
mailNickname	accountName
targetAddress	IIF(Eq(MailboxLocation,"Office365"),accountName+"@tenant.mail.onmicrosoft.com",Null())
msExchRecipientDisplayType	IIF(Eq(MailboxLocation,"Office365"),IIF(Eq(accountType,"Person"),-2147483642,IIF(Eq(accountType,"Shared"),-2147483642,IIF(Eq(accountType,"Room"),-2147481850,IIF(Eq(accountType,"Equipment"),-2147481594,-2147483642)))),Null())
msExchRecipientTypeDetails	IIF(Eq(MailboxLocation,"Office365"),IIF(Eq(accountType,"Person"),2147483648,IIF(Eq(accountType,"Shared"),34359738368,IIF(Eq(accountType,"Room"),8589934592,IIF(Eq(accountType,"Equipment"),17179869184,2147483648)))),Null())
msExchRemoteRecipientType	IIF(Eq(MailboxLocation,"Office365"),IIF(Eq(accountType,"Person"),3,IIF(Eq(accountType,"Shared"),97,IIF(Eq(accountType,"Room"),33,IIF(Eq(accountType,"Equipment"),65,1)))),Null())

This equates to:

Account Type	msExchRemoteRecipientType	msExchRecipientTypeDetails	msExchRecipientDisplayType
Shared	1 (provision mailbox)	34359738368	-2147483642
Room	33 (provision mailbox, room)	8589934592	-2147481850
Equipment	65 (provision  mailbox, equipment)	17179869184	-2147481594
Person	3 (provision mailbox + archive)	2147483648	-2147483642

Most of the attribute values were taken from here:

Recipient Type Values

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/recipient-type-values/7c2620e5-9870-48ba-b5c2-7772c739c651

Read more!

Finding where a user is logging on from

For years I’ve been using a doskey macro I created to Find a User.

In an enterprise environment, the logic is:

• Every normal user account has their home server mapped automatically, establishing a persistent SMB session with the home server from their workstation 
• Find the home server and query it to find the where the user is connecting from 
• Resolve the address and report who is connecting from where.

A few limitations:

1. This will only work if the home server is a Windows box 
2. You will need permissions to query win32_serversession of the home remotely (typically admin) 
3. If the person is connecting over Citrix or DirectAccess or another jump box, it will resolve to that source, instead of (or sometimes as well as) a workstation.

A quick PowerShell equivalent (with zero error checking):

function Find-User ($username) {
  $homeserver = ((get-aduser -id $username -prop homedirectory).Homedirectory -split "\\")[2]
  $query = "SELECT UserName,ComputerName,ActiveTime,IdleTime from win32_serversession WHERE UserName like '$username'"
  $results = Get-WmiObject -Namespace root\cimv2 -computer $homeServer -Query $query | Select UserName,ComputerName,ActiveTime,IdleTime
  foreach ($result in $results) {
    $hostname = ""
    $hostname = [System.net.Dns]::GetHostEntry($result.ComputerName).hostname
    $result | Add-Member -Type NoteProperty -Name HostName -Value $hostname -force
    $result | Add-Member -Type NoteProperty -Name HomeServer -Value $homeServer -force
  }
  $results
}

# Find one or more users
$users = "user1", "user2", "user3"
$users | % {Find-User $_} | ft -wrap -auto

# Find the members of a group
get-adgroupmember -id SG-Group1 | % {Find-User $_.samaccountname} | ft -wrap -auto

The original (and still the best) doskey macro:

FU=for %g in ($1 $2 $3 $4 $5 $6 $7 $8 $9) do @for /f "tokens=2 delims=\" %i in ('"dsquery user -samid %g | dsget user -hmdir | find /i "%g""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%g'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 | find /i "pinging""') do @echo %q %g %n %i %m %o

Create the macro above with doskey:

doskey /listsize=1000 /macrofile=c:\util\macros.txt
FU user1

Wayne's World of IT (WWoIT). 

Read more!

Querying ERE's from the fimservice database

I occasionally review the EREs floating about the system - the expected rule entries used to put objects in scope of traditional OSR sync rules - either to try and identity and clean-up orphans or just provide some stats.

There are two easy ways listed below to get this from the fimservice database - the first is the quick/dirty way, the second is the proper but very slow way.

This information is also available in the sync engine, but as they originate from the fim service it seems better to query from there.

/* ERE count from the MIM database, just found some object types and keys that looked correct. SQL takes seconds, PowerShell takes approximately forever with the FIMAutomation snap-in */

SELECT OVS.ValueString, Count(OVS.ValueString) 
FROM Fim.Objects OBJ
inner join fim.ObjectValueString OVS on OBJ.ObjectKey = OVS.ObjectKey
WHERE OBJ.ObjectTypeKey = 11
and OVS.AttributeKey = 66
group by OVS.ValueString

The slow (but supported) method, using the FIMAutomation snap-in

# Add the FIMAutomation snap-in
Add-pssnapin fimautomation

# The URI of your fim service endpoint
$uri = "http://fim01:5725/ResourceManagementService"

# Construct an output file based on today's date
$outputFile = "c:\temp\EREs_$([DateTime]::Now.ToString("yyyyMMdd")).csv" 

# All ERE's
$filter = "/ExpectedRuleEntry"

# Filter by a specific starts-with wildcard
#$filter = "/ExpectedRuleEntry[starts-with(DisplayName, 'AD: ')]"

# Filter by a specific sync rule name
#$filter = "/ExpectedRuleEntry[DisplayName = 'AD: CORP Inbound/Outbound User']"

# Export based on the filter
$objects = Export-FIMConfig -uri $URI -onlyBaseResources -customConfig $filter

# Group by displayname for a count per-sync rule
$objects.ResourceManagementObject.ResourceManagementAttributes | where {$_.attributename -eq 'DisplayName'} | select value | group-object -prop value | select count,name | ft -wrap -auto

# Export some details to CSV
$results = foreach ($object in $objects) {
  write-output "out" | select @{N='DisplayName';E={($object.ResourceManagementObject.ResourceManagementAttributes | where {$_.attributename -eq 'displayName'}).Value}},
                          @{N='CreatedTime';E={($object.ResourceManagementObject.ResourceManagementAttributes | where {$_.attributename -eq 'CreatedTime'}).Value}},
                          @{N='ObjectID';E={($object.ResourceManagementObject.ResourceManagementAttributes | where {$_.attributename -eq 'ObjectID'}).Value}} 
}
$results | export-csv -path $outputFile 

Wayne's World of IT (WWoIT). 

Read more!

Office 365 licensing through MIM

This one is a few years old, but I haven’t seen anything similar so I thought I may as well share some information on a solution I put in place with MIM to manage Office 365 license and service plan allocation.

In summary:

1. Create a new object class in MIM for Office 365 service plans, and an instance for each sku/service plan.
2. Add a multi-valued reference attribute to each user to store which service plans are allocated
3. Create a new MV class and attributes and flow the data from the FIM MA into the metaverse.  This is only if you need the data in the MV (I exported this data to a SQL database MA for a script we were using before group-based licensing)
4. Create a new tab in the user editing RCDC to select Service Plans, delegated to whoever manages license allocation
5. Create a policy to allocate a default set of Service Plans during user provisioning
6. Create criteria-based groups exported out to AD and synchronised to AAD to use Azure Group-Based Licensing.

This provided a nifty way for us to delegate and control SKU’s down to the individual service plans.  This fit into our MIM-centric view of the world and tied in with our MIM reporting and delegation models.

Create FIM Resources, attributes and binding

Resource type to store office 365 license objects:

System Name	Office365License
Display Name	Office 365 License
Description	Office 365 and Azure AAD Licenses

New attribute for SKU, bound to Office365License

 

Object Type	System/Display Name	Type	Multi-valued	Description
Office365License	SKU	Indexed String	No	Office 365 SKU

Multi-valued reference property bound to users:

 

Object Type	System Name	Display Name	Type	Multi-valued	Description
Person	Office365ServicePlans	Office365 Service Plans	Reference (DN)	Yes	{None}

Note that there is no explicit link between the user bound attribute and the new resource type – technically any reference ID can be stored in the service plans attribute.  We are relying on the RCDC Filter to control which references are stored in this attribute.

Add an Office365 licensing tab to the user editing/creation RCDC

Add the following grouping.  Note that the binding source for the creation RCDC must be schema, rather than object as below (editing):

    <my:Grouping my:Name="Office365LicensesGroup" my:Caption="Office365" my:Enabled="true">

      <my:Control my:Name="SyncTo365" my:TypeName="UocCheckBox" my:Caption="{Binding Source=schema, Path=SyncTo365.DisplayName}" my:Description="{Binding Source=schema, Path=SyncTo365.Description}" my:RightsLevel="{Binding Source=rights, Path=SyncTo365}">

        <my:Properties>

          <my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=SyncTo365.Required}"/>

          <my:Property my:Name="Text" my:Value="Synchronised to Office 365"/>

          <my:Property my:Name="Checked" my:Value="{Binding Source=object, Path=SyncTo365, Mode=TwoWay}"/>

        </my:Properties>

      </my:Control>

      <my:Control my:Name="Office365Licenses" my:TypeName="UocListView" my:Caption="Office 365 Licenses" my:Description="Office 365 Licenses." my:RightsLevel="{Binding Source=rights, Path=Office365ServicePlans}">

        <my:Properties>

          <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Description,SKU" />

          <my:Property my:Name="EmptyResultText" my:Value="There are no licenses available for this person." />

          <my:Property my:Name="ResultObjectType" my:Value="Office365License"/>

          <my:Property my:Name="PageSize" my:Value="10" />

          <my:Property my:Name="ShowTitleBar" my:Value="false" />

          <my:Property my:Name="ShowActionBar" my:Value="false" />

          <my:Property my:Name="ShowPreview" my:Value="false" />

          <my:Property my:Name="ShowSearchControl" my:Value="false" />

          <my:Property my:Name="EnableSelection" my:Value="true" />

          <my:Property my:Name="SingleSelection" my:Value="false" />

          <my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=Office365ServicePlans, Mode=TwoWay}"/>

          <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />

          <my:Property my:Name="ReadOnly" my:Value="false" />

          <my:Property my:Name="ListFilter" my:Value="/Office365License" />

        </my:Properties>

      </my:Control>   

</my:Grouping>

 For example, the RCDC results in an ‘Office365’ tab for license allocation (and we also control synchronisation in this way)

Recycle the SharePoint app pool

$sharepoint
= Get-WMIObject -Computer "mim01 " -Namespace root\MicrosoftIISv2
-Authentication PacketPrivacy  -Query
"SELECT * from IIsApplicationPool where name = 'W3SVC/APPPOOLS/SharePoint
- 80'"
$sharepoint.recycle()

Create Office 365 licensing objects and allow sync to MV

 Set for access:

• All Office 365 Licenses

Create FIM MPRs to allow synchronisation

 

DisplayName	Synchronization: Synchronization account can read Office365Licenses it synchronizes
Description	Policy to allow synchronisation of Office365License objects
Type	Request
Requestor	Synchronization Engine
Operation	Read
Permissions	Grant
Target Resource Set	All Office 365 Licenses
Resource Attributes	All Attributes

  

DisplayName	Synchronization: Synchronization account controls Office365Licenses it synchronizes
Description	Policy to allow synchronisation of Office365License objects
Type	Request
Requestor	Synchronization Engine
Operation	Modify
Permissions	Grant
Target Resource Set	All Office 365 Licenses
Resource Attributes	All Attributes

Note that the modify policy above is required otherwise a’ failed-modification-via-web-services ‘ export error will occur: while exporting MVObjectID

Fault Reason: Policy prohibits the request from completing, Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException

Create FIM MPRs for administrative access

Allow add/delete grant permissions to the set above:

 

Name	Administration: Administrators can control Office 365 licenses
Requestors	Administrators
Operation	Create, Delete, Add, Remove, Modify
Grants Permission	Yes
Target Resource Before	All Office 365 Licenses
Target Resource After	All Office 365 Licenses
Resource Attributes	All Attributes

 

Name	Administration: Administrators can read and update Users
Requestors	<No Change>
Operation	<No Change>
Grants Permission	<No Change>
Target Resource Before	<No Change>
Target Resource After	<No Change>
Resource Attributes	Add ‘Office 365 Service Plans’

Add the new object to the sync to the metaverse

Modify the All Resource | Synchronization Filter:

Synchronization Filter

Add Office365License

Create a new PowerShell session – the following error may be returned using an existing session:

Error= System.InvalidOperationException: Operation is not valid due to the current state of the object.

For example, create some EMS and E1 Service Plans, grouped by SKU:

 

DisplayName	Description	SKU
MFA	Azure Multi-factor authentication	EMS
Intune	Intune	EMS
RMS	Azure Active Directory Rights Management	EMS
Yammer	Yammer	E1
Sway	Sway	E1
Lync	Lync Online	E1
SharePoint	SharePoint Online	E1
Exchange	Exchange Online	E1

 Ensure a CSV file with the above table exists:

$licenses =
import-csv -path c:\temp\licenses.csv
 
foreach
($license in $licenses) {   
 
  #write-output "DisplayName:
'$($license.DisplayName)', Description: '$($license.Description)', SKU
'$($license.SKU)'"
  . .\CreateOffice365License.ps1 -displayName
$license.DisplayName -description $license.Description -sku $license.SKU
}

Create metaverse object class

 office365License:

Object Type	AttributesName
office365License	displayName description sKU csObjectID

 

Object Type	AttributeName	Type	Multi-valued	Indexed
office365License	sKU	String (indexable)	No	No

 person:

 

Object Type	AttributesName	Type	Multi-valued	Indexed
person	office365ServicePlans	Reference (DN)	Yes	No

 FIM MA:

Refresh Schema
Select Object Types	Office365License
Select Attributes	SKU, Office365ServicePlans
Object Type Mapping	Office365License -> office365License
Attribute Flow	office365License: Add SKU -> sKU Add DisplayName -> displayName Add Description -> description Remove ExpectedRulesList Remove DetectedRulesList
Attribute Flow	Person Add import Office365ServicePlans -> office365ServicePlans

Synchronise Office 365 licenses from FIM to the metaverse

1. Run FIM Full Import and Full Sync
2. FIM Export
3. FIM Full Import and Full Sync

 

Read more!