What's New in Adaxes 2021.1

---

For this release, we decided to elevate Adaxes on all fronts – we have added a password self-service client for macOS, REST API, application authentication in Microsoft 365, a number of security and automation improvements, you name it. All this and a myriad of other features await you in the new version.

To help you discover everything, here's more about what's new in Adaxes 2021.1.

Password self-service for Mac

The beloved feature that allows self-resetting passwords from the login screen is now also available for macOS users.

It works in a similar fashion to the self-service password reset for Windows users – you install a client application on domain-joined Macs, and the users become empowered with the ability to reset their account passwords directly from the login screen!

For more information about the self-service client and details on how to deploy it, see the Self-Service Client installation guide.

REST API

We have added a REST API that enables you to communicate with Adaxes over HTTP.

Adaxes REST API documentation

The API simplifies integration between Adaxes and third-party software, for example, HR systems that can send HTTP requests. You can also create your custom applications that will perform operations in Active Directory, Exchange, and Microsoft 365 via Adaxes, and benefit from features like business rules, or property patterns.

For example, you can send an HTTP request to add a group member through Adaxes, and it will trigger all Before/after adding a member to a group business rules:

$member = "CN=John Smith,CN=Users,DC=example,DC=com"
$group = "CN=My Group,OU=Groups,DC=example,DC=com"
$requestUrl = "https://host.example.com/api/directoryObjects/groupMembers"
$requestBody = ConvertTo-Json @{
    "group" = $group;
    "newMember" = $member;
}

Invoke-RestMethod -Method POST -Uri $requestUrl -Body $requestBody -ContentType "application/json"

Multi-server improvements

Adaxes multi-server deployments are now easier to manage. We have improved how Adaxes handles configuration data, meaning less micromanagement and a more straightforward upgrade process.

Centralized credential management

Now, in multi-server environments, you can manage credentials stored by Adaxes (e.g. managed domain credentials) from one place.

Once the credentials are entered or changed on any Adaxes service instance, they will securely replicate to other instances, so you only need to update them once. Also, if you add new Adaxes services to your environment, they will automatically acquire all the required credentials. To read more about how the credentials are encrypted and stored, see Where does Adaxes store credentials.

Approval request failover

Approval requests can now be processed by any Adaxes service in a multi-server environment. For example, scenarios where you can't process a pending request because it was created on a service instance which is currently down are a thing of the past.

In addition, it is much easier to prune an Adaxes service instance from a multi-server deployment. In the new version, pending approval requests replicate between Adaxes services, so every service knows about every request.

Mail and SMS settings replication

Mail settings and SMS settings are now securely replicated between Adaxes services. Update them on one service, and Adaxes will propagate the changes across all other services.

Simplified license activation

In the new version, we have simplified the license activation process – now you can do it directly from the Administration console for all Adaxes services that share common configuration at once.

Moreover, new Adaxes services in a multi-server deployment will automatically pick up the license after adding them to a configuration set.

Security

Although there are plenty of security mechanisms in Adaxes, we bolstered the security even more by implementing SSL encryption for connections to AD and adding a couple of other improvements.

SSL Encryption

It is now possible to secure the connection between Adaxes and your Active Directory using SSL for all operations, not only the security-sensitive ones. When the feature is enabled, Adaxes will establish an SSL-encrypted connection to the domain controller before requesting or transferring any information about your users, groups, etc.

This feature can be enabled separately for each managed domain and will enhance the security of the connection, which can be especially helpful if communication between Adaxes service and your domain controllers is established over public networks. Furthermore, Adaxes is now able to communicate with your AD if LDAP connections without SSL are rejected, for example, port 389 is completely blocked by a firewall.

HTTP request security

In the new version, Adaxes Web interface no longer uses sensitive information like distinguished names (DNs) in URLs. Now, globally unique identifiers (GUIDs) are used instead, which means no meaningful information is exposed in transit between client and server.

Updated Web interface libraries

We have updated the third-party libraries used in the Web interface, which means all the latest third-party vulnerability fixes are now applied to Adaxes Web interface.

Microsoft 365

Application authentication

It is now possible to register your Microsoft 365 tenant in Adaxes using an application account. Application authentication uses the OAuth 2.0 protocol and allows Adaxes to manage your Microsoft 365 tenant in a secure fashion without requiring a user account.

National cloud support

From now on, you can register and manage Microsoft 365 tenants that are located in government environments, for example, GCC High or DoD.

Automation

Adaxes 2021.1 introduces five new conditions, a new action, a triggering operation, as well as improvements to existing actions and conditions.

Conditions

A new set of conditions is available for business rules triggering Before/after adding or removing a member from a group:

• If the member belongs to <Business Unit>
• If the member is a member of <group>
• If the member is/not <specific object>

Another condition – If the initiator is/not an owner of the object – lets you check exactly that. For example, it can be used to request approval if a new group member is being added by someone who is not the group owner.

You can now check where objects are being moved to using the If the destination location is <location> condition. For example, you can request approval for moving users to specific containers. This condition can also be used in business rules Before/after restoring a deleted object.

Finally, we have upgraded the If is licensed for Microsoft 365 condition. It is now possible to check whether a specific license is assigned to a user.

New triggering operation

Business rules can now trigger Before/after unlocking a user account. Handy if you need to request approval for unlocking the account.

Unlock account action

You can now unlock user accounts in business rules, custom commands, and scheduled tasks using the Unlock the user account action.

Date comparison

It is now possible to compare date equality in If <property> <relation> <value> and If account/password <expiration status> conditions. For example, you can now check whether the date stored in a custom attribute is today without using scripts.

Custom command parameter enhancement

Now, parameters can be used to select the name of the property to modify in Update the <object> actions in custom commands. For example, you can configure the action to modify the property selected using the Property name picker parameter.

Web interface improvements

With each release, we aim to bring the Web interface a step closer to perfection. This time, we have upgraded its load balancing mechanism and added several features that were frequently requested.

Action visibility

In the new version, you can explicitly configure which users can see a Web interface action. Adaxes already automatically hides actions from a user if they have insufficient permissions, but the new feature allows a greater degree of flexibility.

For example, you can make several Create user actions with totally different forms/templates, and show each to different users or security groups.

Password self-reset settings

It is now possible to configure the form that appears when a user successfully resets their password using the Forgot your password? link. You can disable the Generate, Spell out, and Password policy buttons as well as add custom HTML-formatted text to the form.

For more details on how to configure this feature, see Configure Password Self-Service.

Copying group membership

You can now configure whether users are allowed to copy group membership when copying objects. It is possible to lock the choice or hide the option to copy membership from the form entirely.

Multi-valued properties

First of all, you can now set multiple predefined values for multi-valued fields on Web interface forms.

Secondly, drop-down lists for multi-valued properties are now dynamically updated. If a property already contains a value, it won't be shown in the drop-down list when adding new values.

Better regional format selection

We have standardized how Adaxes determines the regional format which is used to display dates in the Web interface. You can find out more about it here: How are Web interface language and date format selected.

Disabling built-in languages

You can now disable built-in languages in the Web interface. For example, this can be useful if your company policy requires that all software provided to your users must be available only in a specific language.

Accessibility

Adaxes is now more accessible to people who use screen readers. Every button, menu, form field, dialog, and other Web interface control element now has ARIA attributes and can be recognized by screen reader applications.

And more

Default state for new custom commands

In the new version, you can change whether new custom commands are visible in different Web interfaces by default. For example, you can make all new commands appear only in the Administrator Web interface. This is helpful if you have many Web interfaces and are frequently creating commands only for one of them.

Approval request retention

Now, approved, denied, and canceled requests are retained only for a certain period, and the default period is 1 year (365 days). This effectively removes clutter from configuration backups and speeds up the backup/restore process.

Other changes

• From now on, when a new approver is added to a pending request, they will receive an e-mail notification. For example, this will happen when a user is added to a group whose members can approve requests.
• We have streamlined the registration process of Microsoft 365 tenants and managed domains. Now, there is no need to alter the configuration file manually to skip account permission checks.
• Now Adaxes displays a warning in the execution log if remote mailbox creation failed when creating a mailbox in Exchange Online.
• The number of custom multi-valued text attributes provided by Adaxes is extended, as CustomAttributeTextMultiValue11—CustomAttributeTextMultiValue20 are now available.
• We have removed unnecessary log entries caused by the restoration of built-in configuration objects. Now, just one neat-looking entry is created when an object is restored.
• Adaxes PowerShell script editor now imports cmdlet metadata noticeably quicker.
• Windows 7 is no longer supported by Adaxes service.

Bug fixes

• Fixed the Object 'Deleted Objects (domain.com)' does not exist error that appeared when restoring deleted objects. Now Adaxes uses the last known parent of a deleted object to determine whether the user has the rights to view and restore it.
• Fixed the issue where it was impossible to approve requests from email notifications if the Common Sign In Web interface URL was registered for Adaxes service.
• Fixed the issue where the operation result dialog of a custom command was not displayed if the command didn't require a confirmation to execute.
• Fixed the issue where resetting a password via a custom command made it impossible to get the new password value in scripts executed in business rules Before resetting password of a user.
• Fixed the issue where the reports were not exported if the report name or the name of all objects in the report contained special characters.
• Fixed the issue which caused the Set-AdmUser cmdlet to unprotect the user from accidental deletion on some occasions.
• Fixed the issue where the user accounts didn't lock out if the Reset failed attempt counter after and Unlock account automatically after options were disabled in password policy settings in Adaxes Administration console.
• Fixed the Keyset does not exist error which prevented Outlook 2019 from launching after self-resetting the password offline using the Self-Service Client.
• Fixed the System.FormatException: The account name is invalid error that occurred when attempting to perform a SAML-based (Azure AD) sign out.

Update 1

---

Enhancements

• The Self-Service Client can now communicate with Active Directory, both over the default 389 port and SSL port 636.
• The Deny Delete Subtree permission is no longer required to deny deleting objects – just Deny Delete Object is sufficient.
• Now, when the Activate or modify Microsoft 365 account action is used to deactivate Microsoft 365 accounts, users with no Microsoft 365 accounts are completely ignored.
• Adaxes now processes long scripts much faster when they are pasted into the script editor in the Administration console.
• Improved how Adaxes matches on-premises contacts with contacts in Azure AD when a Microsoft 365 tenant is registered.

Bug fixes

• Fixed the Object reference not set to an instance of an object error that sometimes occurred during the interaction between Adaxes and Microsoft 365.
• Fixed the issue which made it impossible to restore configuration backups made in Adaxes 2017.2 or earlier.
• Updated the fix for the An Azure Active Directory call was made to keep object in sync error which sometimes occurred during the modification of Exchange Online mailboxes if Microsoft has rolled out the dual-write feature to your tenant.
• Fixed the issue where Adaxes services that share common configuration were unable to start if the Adaxes service which owns the schema master FSMO role was down.
• Fixed the issue where users were not forced to re-enroll for password self-service when a new policy with a different authentication method became effective for them.
• Fixed the issue where an email notification about the failure of an approved operation was not sent if the operation was initiated by a business rule triggered after an operation that also failed.
• Fixed the String was not recognized as a valid DateTime error which occurred in Web interface configurator after restoring Adaxes configuration if any Web interface action had a predefined value of 0 for a timestamp property e.g. Account Expires.
• Fixed the issue in multi-server environments, where the information about a new managed domain was updated only for one service connection point – the one that belongs to the Adaxes service which was used to register the domain.

Update 2

---

• Fixed the issue where Adaxes was unable to set the password for a new user, which only occurred if there are at least two DCs in a managed domain, and it is not possible to reach the one where the user is being created via LDAPS port 636.
• Fixed the Parameter must be a non empty string. Parameter name: id error which occurred when copying a user in Web interface if the user's ms-Exch-Security-Protocol is not empty.