MIM Hybrid Reporting - Azure Password Reset Activity Report does not show Failed audit events

  • Question

  • Is it expected for the QA Password Reset AuthN Workflow to end in a Terminated state because of an exception, if the questions are answered incorrectly?

    Is anyone using Hybrid reporting and seeing all their failed events uploaded?

    Because...

    We have deployed Microsoft Identity Manager 2016 SP1 on Windows Server 2012 R2 and the Microsoft Identity Manager Hybrid Report Agent and the MIM Extensions to our clients to enable SSPR.

    The agent is installed successfully and events are being shipped to Azure and appearing in the Password Reset Activity Report.  However, while the report contains all SUCCEEDED events, only ONE of the many tested FAILED events appears in Azure, as seen using the Classic Portal, under the "Subscription Reports - Password Reset Activity - Source = Identity Manager".

    Looking at the "Identity Manager Request Log" on the on-premises server, I can see that there are 4121 Events written to the log for unsuccessful events, however, these events are not being shipped to Azure.

    This reporting is required to provide an audit trail of users’ successful and unsuccessful attempts to undertake SSPR.

    Looking at the JSON data in the 4121 event that is consumed by the Hybrid Reporting Agent, there is an Exception logged, I wonder if the event is mangled and that is why the agent is failing to upload it?  There is a corresponding Event ID 2 in the FIM Event log "Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown."

    The following is extracted from the parsed JSON in the 4121 event of the FAILED events that are not uploaded :

       DisplayName : Password Reset AuthN Workflow
       ObjectType : WorkflowInstance
       WorkflowStatus : Terminated
       WorkflowStatusDetail : EXCEPTION DATA\\r\\n\\r\\nMESSAGE: Exception of type    'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown.\\r\\n\\r\\n"

    While troubleshooting this over the last few days, I have discovered the Azure AD Reporting API and by using an example script for auditing and rooting through the Azure AD Graph API have been able to show that we do have 4121 "Failed" events in the event log that are not being uploaded to Azure.

    The difference between the event that is uploaded and the events that are not uploaded is the status of the Password Reset Workflow.  For the event that is uploaded, the workflow is in the "completed" state.  All other Failed events are in the Terminated state, due to experiencing the exception shown.

    I enabled MIM tracing, which is new to me, this appears to be where the exception is thrown and the workflow terminated:

    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Enter"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Exit"
    "Request 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074' updates have been persisted to permanent storage."
    "Workflow Instance 'c50c3e4b-0e0b-4eae-8083-db8e5b44bcbc' [Description: ] recorded the following event: Persisted at 08/12/2016 16:50:31."
    "XPathDialectParser.ParseXPathExpression.Enter(/Request[ObjectID='d29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "XPathDialectParser.Enumerate.BuilderResult(/Request[ObjectID = 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "XPathDialectParser.ParseXPathExpression.Exit(/Request[ObjectID = 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Enter"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Exit"
    "The authentication workflow instance was in an unexpected state: Terminated"
    "Workflow Instance 'c50c3e4b-0e0b-4eae-8083-db8e5b44bcbc' status 'Terminated' has been committed to permanent storage. Exception: 'EXCEPTION DATA\r\n\r\nMESSAGE: Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown.\r\n\r\n'."
    "Current request cache does not contain request 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'."
    "XPathDialectParser.ParseXPathExpression.Enter(/Request[ObjectID='d29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "XPathDialectParser.Enumerate.BuilderResult(/Request[ObjectID = 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "XPathDialectParser.ParseXPathExpression.Exit(/Request[ObjectID = 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074'])"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Enter"
    "Query: QueryProcessor.ExecuteQuery.ExecuteReader.Exit"
    "Request 'd29d0b6d-32bc-466a-99cd-e4e6cc0de074' updates have been persisted to permanent storage."
    "HostActivator refreshing active host cache."
    "HostActivator finished refreshing active host cache."
    "Post Processing Manager is checking Requests for completion."
    "The scan to check for Completed Requests started with Request Key '37073' and ended at Key '0'."
    "Post Processing Manager has finished checking Requests for completion.

    ---

    Thank you,

    Alastair.

    Friday, December 9, 2016 8:44 AM
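
The comparison described in the post (local 4121 events versus what reached the cloud report, split by workflow status) can be scripted. This is an added example, not part of the original post and not Microsoft code. It assumes the 4121 payloads have been exported as JSON strings; the `RequestId` and `Workflow` wrapper keys and all sample values are constructed, and only the inner field names come from the post.

```python
import json
from collections import Counter

def _make(req_id, status, detail=""):
    # Builds a constructed 4121 payload; the wrapper layout is an assumption.
    return json.dumps({"RequestId": req_id, "Workflow": {
        "DisplayName": "Password Reset AuthN Workflow",
        "ObjectType": "WorkflowInstance",
        "WorkflowStatus": status,
        "WorkflowStatusDetail": detail}})

EXC = "EXCEPTION DATA\r\n\r\nMESSAGE: Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown.\r\n\r\n"

# Constructed sample: one completed failure, two terminated, one truncated record.
SAMPLE_EVENTS = [
    _make("req-0001", "Completed"),
    _make("req-0002", "Terminated", EXC),
    _make("req-0003", "Terminated", EXC),
    _make("req-0004", "Terminated", EXC)[:60],  # simulates a mangled payload
]
UPLOADED_IDS = {"req-0001"}  # constructed: request IDs seen in the cloud report

def parse_event(raw):
    """Extract the fields needed for reconciliation; never raise on bad input."""
    try:
        doc = json.loads(raw)
        wf = doc["Workflow"]
        return {"id": doc["RequestId"], "status": wf["WorkflowStatus"],
                "exception": "EXCEPTION DATA" in wf.get("WorkflowStatusDetail", "")}
    except (json.JSONDecodeError, KeyError, TypeError):
        return {"id": None, "status": "Unparseable", "exception": False}

def audit_gap(raw_events, uploaded_ids):
    """Count local events by workflow status and list those absent from the report."""
    parsed = [parse_event(r) for r in raw_events]
    missing = [e for e in parsed if e["id"] not in uploaded_ids]
    return {
        "local_by_status": Counter(e["status"] for e in parsed),
        "missing_by_status": Counter(e["status"] for e in missing),
        "missing_ids": sorted(e["id"] for e in missing if e["id"]),
    }

if __name__ == "__main__":
    for key, value in audit_gap(SAMPLE_EVENTS, UPLOADED_IDS).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

A `missing_by_status` count dominated by `Terminated` matches the pattern reported above, while a non-zero `Unparseable` count would instead point at damaged payloads.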