What's New in Adaxes 2021.1

---

For this release, we decided to elevate Adaxes on all fronts – we have added a password self-service client for macOS, REST API, application authentication in Microsoft 365, a number of security and automation improvements, you name it. All this and a myriad of other features await you in the new version.

To help you discover everything, here's more about what's new in Adaxes 2021.1.

Password self-service for Mac

The beloved feature that allows self-resetting passwords from the login screen is now also available for macOS users.

It works in a similar fashion to the self-service password reset for Windows users – you install a client application on domain-joined Macs, and the users become empowered with the ability to reset their account passwords directly from the login screen!

For more information about the self-service client and details on how to deploy it, see the Self-Service Client installation guide.

REST API

We have added a REST API that enables you to communicate with Adaxes over HTTP.

Adaxes REST API documentation

The API simplifies integration between Adaxes and third-party software, for example, HR systems that can send HTTP requests. You can also create your custom applications that will perform operations in Active Directory, Exchange, and Microsoft 365 via Adaxes, and benefit from features like business rules, or property patterns.

For example, you can send an HTTP request to add a group member through Adaxes, and it will trigger all Before/after adding a member to a group business rules:

$member = "CN=John Smith,CN=Users,DC=example,DC=com"
$group = "CN=My Group,OU=Groups,DC=example,DC=com"
$requestUrl = "https://host.example.com/api/directoryObjects/groupMembers"
$requestBody = ConvertTo-Json @{
    "group" = $group;
    "newMember" = $member;
}

Invoke-RestMethod -Method POST -Uri $requestUrl -Body $requestBody -ContentType "application/json"

Multi-server improvements

Adaxes multi-server deployments are now easier to manage. We have improved how Adaxes handles configuration data, meaning less micromanagement and a more straightforward upgrade process.

Centralized credential management

Now, in multi-server environments, you can manage credentials stored by Adaxes (e.g. managed domain credentials) from one place.

Once the credentials are entered or changed on any Adaxes service instance, they will securely replicate to other instances, so you only need to update them once. Also, if you add new Adaxes services to your environment, they will automatically acquire all the required credentials. To read more about how the credentials are encrypted and stored, see Where does Adaxes store credentials.

Approval request failover

Approval requests can now be processed by any Adaxes service in a multi-server environment. For example, scenarios where you can't process a pending request because it was created on a service instance which is currently down are a thing of the past.

In addition, it is much easier to prune an Adaxes service instance from a multi-server deployment. In the new version, pending approval requests replicate between Adaxes services, so every service knows about every request.

Mail and SMS settings replication

Mail settings and SMS settings are now securely replicated between Adaxes services. Update them on one service, and Adaxes will propagate the changes across all other services.

Simplified license activation

In the new version, we have simplified the license activation process – now you can do it directly from the Administration console for all Adaxes services that share common configuration at once.

Moreover, new Adaxes services in a multi-server deployment will automatically pick up the license after adding them to a configuration set.

Security

Although there are plenty of security mechanisms in Adaxes, we bolstered the security even more by implementing SSL encryption for connections to AD and adding a couple of other improvements.

SSL Encryption

It is now possible to secure the connection between Adaxes and your Active Directory using SSL for all operations, not only the security-sensitive ones. When the feature is enabled, Adaxes will establish an SSL-encrypted connection to the domain controller before requesting or transferring any information about your users, groups, etc.

This feature can be enabled separately for each managed domain and will enhance the security of the connection, which can be especially helpful if communication between Adaxes service and your domain controllers is established over public networks. Furthermore, Adaxes is now able to communicate with your AD if LDAP connections without SSL are rejected, for example, port 389 is completely blocked by a firewall.

HTTP request security

In the new version, Adaxes Web interface no longer uses sensitive information like distinguished names (DNs) in URLs. Now, globally unique identifiers (GUIDs) are used instead, which means no meaningful information is exposed in transit between client and server.

Updated Web interface libraries

We have updated the third-party libraries used in the Web interface, which means all the latest third-party vulnerability fixes are now applied to Adaxes Web interface.

Microsoft 365

Application authentication

It is now possible to register your Microsoft 365 tenant in Adaxes using an application account. Application authentication uses the OAuth 2.0 protocol and allows Adaxes to manage your Microsoft 365 tenant in a secure fashion without requiring a user account.

National cloud support

From now on, you can register and manage Microsoft 365 tenants that are located in government environments, for example, GCC High or DoD.

Automation

Adaxes 2021.1 introduces five new conditions, a new action, a triggering operation, as well as improvements to existing actions and conditions.

Conditions

A new set of conditions is available for business rules triggering Before/after adding or removing a member from a group:

• If the member belongs to <Business Unit>
• If the member is a member of <group>
• If the member is/not <specific object>

Another condition – If the initiator is/not an owner of the object – lets you check exactly that. For example, it can be used to request approval if a new group member is being added by someone who is not the group owner.

You can now check where objects are being moved to using the If the destination location is <location> condition. For example, you can request approval for moving users to specific containers. This condition can also be used in business rules Before/after restoring a deleted object.

Finally, we have upgraded the If is licensed for Microsoft 365 condition. It is now possible to check whether a specific license is assigned to a user.

New triggering operation

Business rules can now trigger Before/after unlocking a user account. Handy if you need to request approval for unlocking the account.

Unlock account action

You can now unlock user accounts in business rules, custom commands, and scheduled tasks using the Unlock the user account action.

Date comparison

It is now possible to compare date equality in If <property> <relation> <value> and If account/password <expiration status> conditions. For example, you can now check whether the date stored in a custom attribute is today without using scripts.

Custom command parameter enhancement

Now, parameters can be used to select the name of the property to modify in Update the <object> actions in custom commands. For example, you can configure the action to modify the property selected using the Property name picker parameter.

Web interface improvements

With each release, we aim to bring the Web interface a step closer to perfection. This time, we have upgraded its load balancing mechanism and added several features that were frequently requested.

Action visibility

In the new version, you can explicitly configure which users can see a Web interface action. Adaxes already automatically hides actions from a user if they have insufficient permissions, but the new feature allows a greater degree of flexibility.

For example, you can make several Create user actions with totally different forms/templates, and show each to different users or security groups.

Password self-reset settings

It is now possible to configure the form that appears when a user successfully resets their password using the Forgot your password? link. You can disable the Generate, Spell out, and Password policy buttons as well as add custom HTML-formatted text to the form.

For more details on how to configure this feature, see Configure Password Self-Service.

Copying group membership

You can now configure whether users are allowed to copy group membership when copying objects. It is possible to lock the choice or hide the option to copy membership from the form entirely.

Multi-valued properties

First of all, you can now set multiple predefined values for multi-valued fields on Web interface forms.

Secondly, drop-down lists for multi-valued properties are now dynamically updated. If a property already contains a value, it won't be shown in the drop-down list when adding new values.

Better regional format selection

We have standardized how Adaxes determines the regional format which is used to display dates in the Web interface. You can find out more about it here: How are Web interface language and date format selected.

Disabling built-in languages

You can now disable built-in languages in the Web interface. For example, this can be useful if your company policy requires that all software provided to your users must be available only in a specific language.

Accessibility

Adaxes is now more accessible to people who use screen readers. Every button, menu, form field, dialog, and other Web interface control element now has ARIA attributes and can be recognized by screen reader applications.

And more

Default state for new custom commands

In the new version, you can change whether new custom commands are visible in different Web interfaces by default. For example, you can make all new commands appear only in the Administrator Web interface. This is helpful if you have many Web interfaces and are frequently creating commands only for one of them.

Approval request retention

Now, approved, denied, and canceled requests are retained only for a certain period, and the default period is 1 year (365 days). This effectively removes clutter from configuration backups and speeds up the backup/restore process.

Other changes

• From now on, when a new approver is added to a pending request, they will receive an e-mail notification. For example, this will happen when a user is added to a group whose members can approve requests.
• We have streamlined the registration process of Microsoft 365 tenants and managed domains. Now, there is no need to alter the configuration file manually to skip account permission checks.
• Now Adaxes displays a warning in the execution log if remote mailbox creation failed when creating a mailbox in Exchange Online.
• The number of custom multi-valued text attributes provided by Adaxes is extended, as CustomAttributeTextMultiValue11—CustomAttributeTextMultiValue20 are now available.
• We have removed unnecessary log entries caused by the restoration of built-in configuration objects. Now, just one neat-looking entry is created when an object is restored.
• Adaxes PowerShell script editor now imports cmdlet metadata noticeably quicker.
• Windows 7 is no longer supported by Adaxes service.

Bug fixes

• Fixed the Object 'Deleted Objects (domain.com)' does not exist error that appeared when restoring deleted objects. Now Adaxes uses the last known parent of a deleted object to determine whether the user has the rights to view and restore it.
• Fixed the issue where it was impossible to approve requests from email notifications if the Common Sign In Web interface URL was registered for Adaxes service.
• Fixed the issue where the operation result dialog of a custom command was not displayed if the command didn't require a confirmation to execute.
• Fixed the issue where resetting a password via a custom command made it impossible to get the new password value in scripts executed in business rules Before resetting password of a user.
• Fixed the issue where the reports were not exported if the report name or the name of all objects in the report contained special characters.
• Fixed the issue which caused the Set-AdmUser cmdlet to unprotect the user from accidental deletion on some occasions.
• Fixed the issue where the user accounts didn't lock out if the Reset failed attempt counter after and Unlock account automatically after options were disabled in password policy settings in Adaxes Administration console.
• Fixed the Keyset does not exist error which prevented Outlook 2019 from launching after self-resetting the password offline using the Self-Service Client.
• Fixed the System.FormatException: The account name is invalid error that occurred when attempting to perform a SAML-based (Azure AD) sign out.

Update 1

---

Enhancements

• The Self-Service Client can now communicate with Active Directory, both over the default 389 port and SSL port 636.
• The Deny Delete Subtree permission is no longer required to deny deleting objects – just Deny Delete Object is sufficient.
• Now, when the Activate or modify Microsoft 365 account action is used to deactivate Microsoft 365 accounts, users with no Microsoft 365 accounts are completely ignored.
• Adaxes now processes long scripts much faster when they are pasted into the script editor in the Administration console.
• Improved how Adaxes matches on-premises contacts with contacts in Azure AD when a Microsoft 365 tenant is registered.

Bug fixes

• Fixed the Object reference not set to an instance of an object error that sometimes occurred during the interaction between Adaxes and Microsoft 365.
• Fixed the issue which made it impossible to restore configuration backups made in Adaxes 2017.2 or earlier.
• Updated the fix for the An Azure Active Directory call was made to keep object in sync error which sometimes occurred during the modification of Exchange Online mailboxes if Microsoft has rolled out the dual-write feature to your tenant.
• Fixed the issue where Adaxes services that share common configuration were unable to start if the Adaxes service which owns the schema master FSMO role was down.
• Fixed the issue where users were not forced to re-enroll for password self-service when a new policy with a different authentication method became effective for them.
• Fixed the issue where an email notification about the failure of an approved operation was not sent if the operation was initiated by a business rule triggered after an operation that also failed.
• Fixed the String was not recognized as a valid DateTime error which occurred in Web interface configurator after restoring Adaxes configuration if any Web interface action had a predefined value of 0 for a timestamp property e.g. Account Expires.
• Fixed the issue in multi-server environments, where the information about a new managed domain was updated only for one service connection point – the one that belongs to the Adaxes service which was used to register the domain.

Update 2

---

• Fixed the issue where Adaxes was unable to set the password for a new user, which only occurred if there are at least two DCs in a managed domain, and it is not possible to reach the one where the user is being created via LDAPS port 636.
• Fixed the Parameter must be a non empty string. Parameter name: id error which occurred when copying a user in Web interface if the user's ms-Exch-Security-Protocol is not empty.

Update 3

---

For Adaxes 2021 Update 3, we have addressed several well-known issues and decided to do some spring cleaning by fixing recently discovered bugs and introducing a few quality-of-life features.

Improvements

• We have improved how Adaxes updates the following properties of Exchange mailboxes in hybrid environments: Proxy Addresses, Message Size Restrictions, Message Delivery Restrictions, Mail Tip. We have made an adjustment for the fact that, in some tenants, Microsoft 365 allows updating these properties online, whereas they should be updated solely on-premises, and then synchronized. Now, Adaxes correctly identifies such scenarios and updates these properties on-premises.
• Now, Adaxes automatically updates the Send As permissions of synchronized distribution groups in the cloud when they are updated on-premises. Moreover, if you change the permissions of a newly created group, Adaxes will remember to update its cloud counterpart when it comes into existence after the initial sync.
• All operation descriptions in log records are now generated in the same language based on the locale of the computer where Adaxes service is installed.
• From now on, predefined fields of Web interface forms always have priority over default values generated by property patterns, even if the field is not visible on the form.
• Adaxes no longer displays a warning when enabling the Customer Lockbox (LOCKBOX_ENTERPRISE) or Microsoft Bookings (MICROSFTBOOKINGS) services without the Exchange Online service.
• Now it is possible to use the Send SMS verification code feature of the Reset password operation in the Web interface even if the Send SMS operation is disabled.
• Now, to view the business unit members, users don't need the permissions to view the business unit object i.e. Allow Read Business Unit. For example, it is now possible to let users view business unit members on the Web interface home page without granting them the permissions to see the business unit itself.
• All scheduled reports are now generated using the regional settings of the user for whom they are scheduled.
• Now, when you make invalid changes in Web interface configurator and attempt to save the changes, Adaxes will scroll to the invalid element and highlight it.
• As the Unified Messaging feature has been deprecated in Exchange Online, the ability to configure Unified Messaging for cloud mailboxes has been removed from Adaxes.

Bug fixes

Web interface

• Fixed the issue where group members from another domain weren't copied when the group was copied with the Copy group members checkbox enabled.
• Fixed the Request parameters are invalid or missing error that occurred when saving changes in the Web interface configurator if any action had a predefined field for a property that doesn't exist in the schema of any of the managed domains.
• Fixed the Request parameters are invalid or missing error that occurred when making changes to Web interface actions after restoring Adaxes configuration from a backup that had predefined fields for the Password property in any of the actions.
• Fixed the The operation is not allowed in the Web Interface. error that occurred when creating Exchange mailboxes from the Web interface if the Move Mailbox operation was disabled.
• Fixed the issue where the value for the unicodePwd property was displayed as [object Object] when specified as a predefined field in the configuration of any Web interface action.
• Fixed the issue where it was possible to select the time in a Date/Time picker parameter of a custom command even if time selection was not allowed. The issue occurred only if the command was executed on several users in bulk.
• Fixed the Cannot process the request because the request signature is invalid or missing error that occurred when using Safari to view the Member Of section of user accounts that have characters with an umlaut in the name.
• Fixed the bug which caused some issues with selecting objects in the Web interface list view after the Web interface has been idle for several minutes.
• Fixed the issue where objects in the report in the Web interface would disappear from the view after canceling the report export operation.

Exchange and Microsoft 365

• Fixed the bug which caused Adaxes to enable a remote mailbox for a user when manually assigning a Microsoft 365 license from the Web interface, even if the services related to Exchange Online were disabled.
• Fixed the issue where the remote mailbox of a user would become disabled if the user had two different licenses with the Exchange Online service, and just one of them was revoked.
• Adaxes will no longer automatically create a remote mailbox when the MIP_S_Exchange (Data Classification in Microsoft 365) service is enabled for a user.
• Fixed the issue where the mailbox AutoMapping state was displayed incorrectly for trustees from a different domain.

Reports

• Fixed the issue where the Everywhere report scope was available for selection in addition to predefined locations, even though the location selection was explicitly disabled in the report settings.
• Fixed the issue where it was impossible to generate a report in the Web interface if the location selection was restricted to a specific OU, and, at the same time, the location selection was disallowed.
• Fixed the The scope is no longer available in the report warning that appeared when adding a report to the Web interface home page. The issue occurred if the report didn't allow selecting a location and had no predefined scopes.

Other

• Fixed the issue where the OR operator was being changed to the AND operator after copying and pasting an action set in the Administration console.
• Fixed the Cannot process argument transformation on parameter 'QueryStartDate' error that sometimes occurred when using the Cancel meetings organized by the user action if the locale of the Adaxes service was not English (United States).
• Fixed the Value cannot be null. Parameter name: filter error that occurred when using value references in Objects located in OU or container membership rules of business units.
• Fixed the Property doesn't meet the following constraint error that occurred if the property pattern for the Can be joined to domain by property was configured to have only the default value in the list of allowed values.
• Fixed the bug that caused locked user accounts to become unlocked when updating the User cannot change password or Password never expires account options.
• Fixed the issue where log entries for the manual execution of a scheduled task were generated using the locale of the currently logged on user instead of the system locale.

Update 4

---

• Fixed the The LDAP server is unavailable error that repeatedly occurred when resetting user passwords if the managed domain had SSL enabled for all operations.
• Fixed the issue with saving the following options in the Members section for rule-based groups: Allow triggering membership update manually and Display the time when membership was updated.
• Fixed the Select at least one language error that prevented saving changes in the Web interface configurator if all built-in languages were disabled and a new language was added immediately afterwards.
• Fixed the The syntax is not supported by this runspace error that could occur when enabling a user for Skype for Business if the KB5001779 Windows update was installed on the computer where the Skype for Business (Lync) Server is hosted.

Update 5

---

In this update, we have mainly focused on improving the security of Adaxes and fixing recently discovered vulnerabilities.

• Fixed the vulnerability that made it possible to force the computer where the Adaxes service is installed to send an SMB request to an arbitrary IP address, obtaining the password hash of the said computer (server-side request forgery). The attack required the malicious actor to possess valid credentials of a user account that can sign in to the Adaxes Web interface or send requests to the REST API.
• Fixed the vulnerability that made it possible to execute arbitrary JavaScript code on the client-side of Adaxes Web interface if a Web interface page was visited using a specifically crafted link (cross-site scripting). The vulnerability allowed the malicious actor to obtain the information from the visited page. The attack required a legitimately signed-in user to actually visit the malicious link.
• Now, Adaxes sanitizes all HTML code encountered in directory object names. This fixed the issue where the Web interface would process HTML code in object names and apply formatting when displaying information about those objects.
• Now, Adaxes correctly creates a remote mailbox for a user when a Microsoft 365 license with the Exchange Online service is assigned, but the Exchange Online Archiving for Exchange Online service is disabled.