For this release, we decided to elevate Adaxes on all fronts – we have added a password self-service client for macOS, REST API, application authentication in Microsoft 365, a number of security and automation improvements, you name it. All this and a myriad of other features await you in the new version.
To help you discover everything, here's more about what's new in Adaxes 2021.1.
The beloved feature that allows self-resetting passwords from the login screen is now also available for macOS users.
It works in a similar fashion to the self-service password reset for Windows users: you install a client application on domain-joined Macs, and users can then reset their own account passwords directly from the login screen.
The offline and offsite password self-reset functionality is currently unavailable to Mac users.
For more information about the self-service client and details on how to deploy it, see the Self-Service Client installation guide.
We have added a REST API that enables you to communicate with Adaxes over HTTP.
The API simplifies integration between Adaxes and third-party software, for example, HR systems that can send HTTP requests. You can also create your custom applications that will perform operations in Active Directory, Exchange, and Microsoft 365 via Adaxes, and benefit from features like business rules, or property patterns.
For example, you can send an HTTP request to add a group member through Adaxes, and it will trigger all Before/after adding a member to a group business rules:
```powershell
$member = "CN=John Smith,CN=Users,DC=example,DC=com"
$group = "CN=My Group,OU=Groups,DC=example,DC=com"
$requestUrl = "https://host.example.com/api/directoryObjects/groupMembers"
$requestBody = ConvertTo-Json @{
    "group" = $group;
    "newMember" = $member;
}
# Add -Credential or -UseDefaultCredentials if your REST API endpoint requires authentication.
Invoke-RestMethod -Method POST -Uri $requestUrl -Body $requestBody -ContentType "application/json"
```
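The HR-system integration mentioned above, as an added example that is not Adaxes's own code: it reads a constructed HR export and adds each member to its group through the same REST endpoint, one request per row, so one failed row does not stop the batch. It assumes the API base URL from the page and that the endpoint is configured for Windows authentication (hence -UseDefaultCredentials); switch to -Credential if your endpoint uses Basic authentication.

```powershell
# Added example, not part of Adaxes. Assumes the REST API base URL below (from the page)
# and Windows authentication on the endpoint (assumption; use -Credential otherwise).
$apiBase = "https://host.example.com/api"

# Constructed sample HR feed: which user should be added to which group.
# DNs contain commas, so each field is quoted.
$hrFeed = @"
member,group
"CN=John Smith,CN=Users,DC=example,DC=com","CN=My Group,OU=Groups,DC=example,DC=com"
"CN=Jane Doe,CN=Users,DC=example,DC=com","CN=Finance,OU=Groups,DC=example,DC=com"
"@ | ConvertFrom-Csv

function Add-AdaxesGroupMember {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$MemberDn
    )
    # Same request body as the single-member example: the operation goes through Adaxes,
    # so Before/after adding a member to a group business rules still fire.
    $body = @{ group = $GroupDn; newMember = $MemberDn } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "$apiBase/directoryObjects/groupMembers" `
        -Body $body -ContentType "application/json" -UseDefaultCredentials
}

$results = foreach ($row in $hrFeed) {
    try {
        Add-AdaxesGroupMember -GroupDn $row.group -MemberDn $row.member | Out-Null
        [pscustomobject]@{ Member = $row.member; Group = $row.group; Status = "added"; Error = $null }
    } catch {
        # Any HTTP error is caught per row; record the status code when the response carries one.
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{ Member = $row.member; Group = $row.group
                           Status = "failed ($status)"; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Because every call is authenticated as the account running the script, that account needs the Adaxes security role permissions for the group modifications; the REST API does not bypass Adaxes's own access control.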
Adaxes multi-server deployments are now easier to manage. We have improved how Adaxes handles configuration data, meaning less micromanagement and a more straightforward upgrade process.
Now, in multi-server environments, you can manage credentials stored by Adaxes (e.g. managed domain credentials) from one place.
Once the credentials are entered or changed on any Adaxes service instance, they will securely replicate to other instances, so you only need to update them once. Also, if you add new Adaxes services to your environment, they will automatically acquire all the required credentials. To read more about how the credentials are encrypted and stored, see Where does Adaxes store credentials.
Approval requests can now be processed by any Adaxes service in a multi-server environment. For example, scenarios where you can't process a pending request because it was created on a service instance which is currently down are a thing of the past.
In addition, it is much easier to remove an Adaxes service instance from a multi-server deployment. In the new version, pending approval requests replicate between Adaxes services, so every service knows about every request.
Mail settings and SMS settings are now securely replicated between Adaxes services. Update them on one service, and Adaxes will propagate the changes across all other services.
In the new version, we have simplified the license activation process – now you can do it directly from the Administration console for all Adaxes services that share common configuration at once.
Moreover, new Adaxes services in a multi-server deployment will automatically pick up the license after adding them to a configuration set.
Adaxes already has plenty of security mechanisms, but this release strengthens it further with LDAP over SSL/TLS (LDAPS) for connections to Active Directory and a couple of other improvements.
It is now possible to secure the connection between Adaxes and your Active Directory using SSL for all operations, not only the security-sensitive ones. When the feature is enabled, Adaxes establishes an SSL-encrypted (LDAPS, TCP port 636) connection to the domain controller before requesting or transferring any information about your users, groups, etc.
This feature can be enabled separately for each managed domain. It matters most when traffic between the Adaxes service and your domain controllers crosses networks you do not control, since plain LDAP can carry directory data in cleartext. Furthermore, Adaxes can now communicate with your AD when unencrypted LDAP is rejected, for example when port 389 is blocked by a firewall. Before enabling the feature, make sure each domain controller has a server certificate for LDAPS and that the computer running the Adaxes service trusts the CA that issued it; otherwise the connection will fail.
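A pre-flight check for the LDAPS prerequisites described above, as an added example that is not part of Adaxes: run it on the computer hosting the Adaxes service to confirm that port 636 is reachable, that the domain controller presents a certificate, that the certificate chains to a CA this machine trusts, and that an LDAPS bind actually succeeds. The domain controller hostname is an assumption.

```powershell
# Added example, not part of Adaxes. Checks a DC for LDAPS readiness from the machine
# that runs the Adaxes service. The hostname below is an assumption.
param([string]$DomainController = "dc01.example.com")

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $r = [ordered]@{ Server = $Server; Port = $Port; TcpReachable = $false; TlsHandshake = $false
                     ChainTrusted = $false; Subject = $null; NotAfter = $null; BindOk = $false; Error = $null }
    try {
        # 1. Plain TCP reach: a firewall that blocks 636 shows up here, before any TLS.
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($Server, $Port)
        $r.TcpReachable = $true

        # 2. TLS handshake. The callback accepts any certificate so the chain can be inspected below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $r.TlsHandshake = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter

        # 3. Does the DC certificate chain to a CA this machine trusts? An untrusted chain here
        #    means the LDAPS connection from the Adaxes service on this machine will fail too.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainTrusted = $chain.Build($cert)
        $ssl.Dispose(); $tcp.Dispose()

        # 4. Real LDAPS bind with the current Windows identity, the way a service account would connect.
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion  = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()
        $r.BindOk = $true
        $conn.Dispose()
    } catch {
        # Whichever step failed first leaves the later flags at $false and records the reason.
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

Test-LdapsEndpoint -Server $DomainController | Format-List
```

Read the output top to bottom: TcpReachable false points at the network, TlsHandshake false at a missing certificate on the DC, ChainTrusted false at a CA the Adaxes host does not trust, and BindOk false with the other three true at the bind itself (for example, the account or the hostname not matching the certificate).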
In the new version, the Adaxes Web interface no longer uses sensitive information like distinguished names (DNs) in URLs. Globally unique identifiers (GUIDs) are used instead, so URLs that end up in browser history, proxy and web server logs, or Referer headers no longer reveal user names or your OU structure.
We have updated the third-party libraries used in the Web interface, so the fixes for known vulnerabilities in those libraries that were available at the time of release are now applied to the Adaxes Web interface.
It is now possible to register your Microsoft 365 tenant in Adaxes using an application account. Application authentication uses the OAuth 2.0 protocol and lets Adaxes manage your Microsoft 365 tenant in a secure fashion without requiring a user account. As with any application identity, grant it only the permissions Adaxes needs, since those permissions define what Adaxes, and anyone who obtains the application's credentials, can do in the tenant.
If you change the authentication method of your tenant to application authentication, you will need to update your PowerShell scripts where the GetOffice365Credential method is used. It has been deprecated, and GetAzureAuthAccessToken should be used instead.
From now on, you can register and manage Microsoft 365 tenants that are located in government environments, for example, GCC High or DoD.
Adaxes 2021.1 introduces five new conditions, a new action, a new triggering operation, as well as improvements to existing actions and conditions.
A new set of conditions is available for business rules triggered Before/after adding or removing a member from a group:
Another condition – If the initiator is/not an owner of the object – lets you check exactly that. For example, it can be used to request approval if a new group member is being added by someone who is not the group owner.
You can now check where objects are being moved to using the If the destination location is <location> condition. For example, you can request approval for moving users to specific containers. This condition can also be used in business rules Before/after restoring a deleted object.
Finally, we have upgraded the If is licensed for Microsoft 365 condition. It is now possible to check whether a specific license is assigned to a user.
Business rules can now trigger Before/after unlocking a user account. Handy if you need to request approval for unlocking the account.
You can now unlock user accounts in business rules, custom commands, and scheduled tasks using the Unlock the user account action.
It is now possible to compare date equality in If <property> <relation> <value> and If account/password <expiration status> conditions. For example, you can now check whether the date stored in a custom attribute is today without using scripts.
Now, parameters can be used to select the name of the property to modify in Update the <object> actions in custom commands. For example, you can configure the action to modify the property selected using the Property name picker parameter.
With each release, we aim to bring the Web interface a step closer to perfection. This time, we have upgraded its load balancing mechanism and added several features that were frequently requested.
In the new version, you can explicitly configure which users can see a Web interface action. Adaxes already automatically hides actions from a user if they have insufficient permissions, but the new feature allows a greater degree of flexibility.
For example, you can make several Create user actions with totally different forms/templates, and show each to different users or security groups.
It is now possible to configure the form that appears when a user successfully resets their password using the Forgot your password? link. You can disable the Generate, Spell out, and Password policy buttons as well as add custom HTML-formatted text to the form.
For more details on how to configure this feature, see Configure Password Self-Service.
You can now configure whether users are allowed to copy group membership when copying objects. It is possible to lock the choice or hide the option to copy membership from the form entirely.
First of all, you can now set multiple predefined values for multi-valued fields on Web interface forms.
Secondly, drop-down lists for multi-valued properties are now dynamically updated. If a property already contains a value, it won't be shown in the drop-down list when adding new values.
We have standardized how Adaxes determines the regional format which is used to display dates in the Web interface. You can find out more about it here: How are Web interface language and date format selected.
You can now disable built-in languages in the Web interface. For example, this can be useful if your company policy requires that all software provided to your users must be available only in a specific language.
Adaxes is now more accessible to people who use screen readers. Every button, menu, form field, dialog, and other Web interface control element now has ARIA attributes and can be recognized by screen reader applications.
In the new version, you can change whether new custom commands are visible in different Web interfaces by default. For example, you can make all new commands appear only in the Administrator Web interface. This is helpful if you have many Web interfaces and are frequently creating commands only for one of them.
Now, approved, denied, and canceled requests are retained only for a certain period, and the default period is 1 year (365 days). This effectively removes clutter from configuration backups and speeds up the backup/restore process.
After you upgrade to the new version, all processed approval requests older than 365 days will be deleted at 1:00 AM (in the time zone of the computer where the Adaxes service is installed). If you need to keep old processed approval requests, you can extend the retention period or disable the feature.