Closed chadht closed 1 year ago
Hi @chadht
We've done away with dynamic groups in v2, so this shouldn't be an issue going forward. But I can certainly see why it would be an issue. v2 uses its own internal scheduler to add and remove users from the group directly when their JIT access expires. We're not far away from release now, and you can check out the preview build if you like.
Hi Ryan,
Thanks for your quick response and the link for the preview version!
For my current setup do you know why on the JIT mode screen it says the domain functional level is Server 2008 when I'm using version 2019? Would enabling the PAM feature resolve my dynamic group transient object issue? Is there a way to remove what I have set for the dynamic group container or would I need to select a new path/OU? Thanks again for your help.
Chad Tidgewell IT Security | HCPSS
From: Ryan Newington. Sent: Tuesday, September 13, 2022 5:06 PM. To: lithnet/access-manager. Subject: Re: [lithnet/access-manager] Transient objects created in Azure Active Directory (Issue #173)
The domain functional level must be manually raised.
Once you raise the DFL to, say, Server 2016, that means from that point on you can only have 2016 or later domain controllers. So it's a manual step because it's a one-way trip.
However, to make the most of new AD features, you need to raise your DFL.
The PAM feature is the superior JIT option, and if you have the ability to turn it on, I'd highly recommend it. Restart AMS once you've raised the DFL and enabled the optional feature, and AMS will automatically detect PAM support and start using it.
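The steps Ryan describes, as an added PowerShell example that is not part of Access Manager's own code: report the current functional levels, enable the Privileged Access Management optional feature only if the forest level allows it (PAM requires forest functional level Windows Server 2016 or later), and confirm that a time-bound membership is honoured, which is what removes the need for a dynamic group object. It assumes the ActiveDirectory module and Enterprise Admin rights; the group and user names are placeholders.

```powershell
# Added example, not from lithnet/access-manager. Assumes the ActiveDirectory
# module and Enterprise Admin rights; group/user names are placeholders.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
Write-Host "Forest functional level: $($forest.ForestMode)"
Write-Host "Domain functional level: $($domain.DomainMode)"

# Raising a functional level is a one-way trip, so it is deliberately left as
# a manual step. The cmdlets, for reference:
#   Set-ADForestMode -Identity $forest.Name -ForestMode Windows2016Forest
#   Set-ADDomainMode -Identity $domain.Name -DomainMode Windows2016Domain
$level = 0
if ([string]$forest.ForestMode -match '^Windows(\d{4})') { $level = [int]$Matches[1] }
if ($level -lt 2016) {
    Write-Warning "Forest functional level is below 2016; PAM cannot be enabled yet."
    return
}

# Enable the PAM optional feature forest-wide if it is not already on.
$pamName = 'Privileged Access Management Feature'
$pam = Get-ADOptionalFeature -Filter "Name -eq '$pamName'"
if ($pam.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $pamName -Scope ForestOrConfigurationSet -Target $forest.Name
    Write-Host "Enabled '$pamName' for forest $($forest.Name)."
} else {
    Write-Host "'$pamName' is already enabled."
}

# Verify time-bound membership: the member link carries a TTL and AD expires
# it itself, so no temporary group object is created or synced to Azure AD.
$group = 'JIT-ServerAdmins'   # placeholder group
$user  = 'jdoe'               # placeholder user
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Hours 1)
Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member   # entries look like <TTL=3599,CN=jdoe,...>
```

After the feature is enabled, restart the AMS service as Ryan notes so it detects PAM support and switches to TTL-based memberships.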
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.
Unable to remove JIT group from Azure Active Directory
The temporary group created by JIT is removed from Active Directory after the time expires but remains in Azure Active Directory as a transient object and requires a full sync to remove the group. Has anyone experienced this?
Thanks, Chad