We are constantly working to improve Adaxes, and here is an overview of what we have added in version 2019.2. This time we mainly focused on security-relevant aspects and have introduced another authentication factor for self-service password reset, two-factor authentication for Web Interface, auditing of sign-in activities and new notification capabilities for approval-based workflows.
Here’s more about what’s new in Adaxes 2019.2.
We've added the option to use a mobile authenticator app as a verification method for self-service password reset. With this option enabled, users will be required to open the app on their mobile phone (or any other device) and enter the code displayed in the app to verify their identity.
Unlike SMS codes, the codes from an authenticator app are generated locally on the user's device from a shared secret and the current time, so they cannot be intercepted on the phone network; code generation is instant and requires neither an Internet connection nor mobile service.
Adaxes supports the following authenticator apps:
When the new authentication method is enabled, users will be prompted to enroll for password self-service and set up the authenticator app. The process is simple: the user installs the app on their device and then activates it by scanning a QR code.
If a user loses their mobile device or gets a new one, they will need to re-activate the authenticator app on the new device. This can be done in one of three ways: transfer the activation to the new device by means of the app itself (provided it supports that), reset the app activation using the Reset multifactor authentication operation in Adaxes, or use the Change device option in the Web Interface for self-service. For more details, see Reset authenticator app.
The Change Device option
We have also improved the user experience during enrollment for password self-service. We have made it a step-by-step process with clear and simple instructions that are easy to follow. To make sure mobile phone numbers are entered correctly, we have added an SMS verification step to it.
And now you have the option to remove the Disenroll link from the Password Self-Service card.
We've added the ability to use time-based one-time password verification (via Google Authenticator and other similar apps) as an authentication factor for the Username/Password authentication type in the Web Interface. If enabled, the user will need to install the app on their device and activate it upon the first login. During subsequent logins, after entering their credentials, the user will be asked to enter a code generated by the authenticator app to sign in to the Web Interface.
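The authenticator-app factor described above for password self-service and for Web Interface sign-in is time-based one-time password (TOTP, RFC 6238) verification. As an added illustration, not Adaxes code and not a description of how Adaxes implements it, the following Python shows the whole cycle: generating the shared secret, the otpauth:// URI that goes into the enrollment QR code, code generation from the secret and the current 30-second step, and server-side verification with a small clock-skew window and replay protection. The issuer and account names and the one-step tolerance are assumptions made for the example.

```python
"""TOTP (RFC 6238) enrollment and verification behind an authenticator-app
factor. Added example, not Adaxes code; issuer/account names and the +/-1
step drift window are assumptions for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # Google Authenticator default period
DIGITS = 6          # Google Authenticator default code length
DRIFT_STEPS = 1     # accept one step either side to tolerate clock skew


def new_secret(nbytes: int = 20) -> str:
    """Fresh random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that is rendered as the enrollment QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^DIGITS."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP_SECONDS)."""
    return hotp(secret_b32, at // STEP_SECONDS)


def verify(secret_b32: str, code: str, at: Optional[int] = None,
           last_used_step: Optional[int] = None) -> Optional[int]:
    """Return the time step the code matched, or None.

    Checks the current step and DRIFT_STEPS on either side, compares in
    constant time, and refuses any step at or before the last accepted one so
    that a code observed once cannot be replayed inside the window.
    """
    at = int(time.time()) if at is None else at
    current = at // STEP_SECONDS
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        step = current + delta
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret_b32, step), code):
            return step
    return None


if __name__ == "__main__":
    # Constructed enrollment: the secret would be stored server-side per user.
    s = new_secret()
    print(provisioning_uri(s, "jdoe@example.com", "Adaxes"))
    now = int(time.time())
    code = totp(s, now)
    print("code", code, "accepted at step", verify(s, code, at=now))
```

The server stores the secret and the last accepted step per user; after a successful `verify` it records the returned step, which is what makes "enter the code from your app" a one-time factor rather than a 30-second password. The functions reproduce the RFC 6238 SHA-1 test vectors (truncated to six digits), which is a convenient self-check for any TOTP implementation.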
Starting from the new version, Adaxes logs all user sign-ins to the Web Interface and Web Interface Configurator, both successful and failed. This lets you track who signed in or failed to sign in, from which host, to which Web Interface, and when.
Adaxes now sends an email notification to the user who initiated an operation if that operation was submitted for approval, approved, and then executed with errors.
The subject, header and footer of the email notification can be customized according to your needs.
It is now possible to send email messages to mailboxes that are currently being created in Exchange Online. For example, you can now send a welcome email to a user right after assigning an Exchange Online license. Adaxes will wait until a mailbox is created in the cloud and only after that it will send the email message to the mailbox.
We've added two new reports for the features introduced in this release:
This update brings several important security and performance improvements as well as fixes to known issues.
Adaxes no longer uses basic authentication to access Exchange Online, so the account password is no longer transmitted over the network with every request; the new authentication mechanism is more secure and more reliable. Microsoft will stop supporting basic authentication from October 2020, and Adaxes is ahead of that deadline: all Adaxes features for Exchange Online will continue to work without issues.
This update fixes the error that occurs when attempting to modify properties of Exchange Online mailboxes in a hybrid environment. The error occurs only if Microsoft has rolled out the dual-write change to your Microsoft 365 tenant, and reads as follows:
An Azure Active Directory call was made to keep object in sync between Azure Active Directory and Exchange Online. However, it failed.
Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. The issue may be transient and please retry a couple of minutes later. If issue persists, please see exception members for more information.
Fixed a vulnerability caused by special characters not being escaped when value references are resolved. For example, if a script obtained custom command parameter values via value references, an attacker could inject PowerShell code through the parameter input fields.
This update extends the previous security update and addresses the same vulnerability. It was recently discovered that the previous fix could be bypassed, so we have reinforced it: all possible double quote characters (" „ “ ”) are now escaped when value references are resolved.
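The two fixes above come down to one rule: a value substituted into a double-quoted PowerShell string must not be able to end that string, and PowerShell accepts the typographic quotes „ “ ” as double quotes just like the ASCII one. The following Python is an added illustration, not Adaxes code: the %name% reference syntax, the script template and the payload values are constructed assumptions. It shows the unescaped substitution beside the escaped one and a minimal quote-counting scanner that detects when a value has broken out of its string literal. Going beyond what the page describes, the escaper also neutralises the backtick and $, which a double-quoted PowerShell string otherwise interprets ($(...) runs code); that is a general precaution for this kind of resolver, not a statement about what Adaxes does.

```python
"""Value-reference resolution into a PowerShell double-quoted string, with and
without escaping. Added example, not Adaxes code: the %name% syntax, the
template and the payload values are constructed assumptions."""
import re
from typing import Dict

# Characters PowerShell's tokenizer accepts as a double quote: ASCII " plus
# U+201E „, U+201C “ and U+201D ” (the set the update above escapes).
DOUBLE_QUOTES = '"\u201e\u201c\u201d'

# Assumed value-reference syntax: %name%
REF = re.compile(r"%([A-Za-z][A-Za-z0-9-]*)%")


def resolve_unescaped(template: str, values: Dict[str, str]) -> str:
    """Flawed behaviour: paste the raw value into the script text."""
    return REF.sub(lambda m: values[m.group(1)], template)


def escape_for_double_quoted(value: str) -> str:
    """Backtick-escape every double-quote variant so the value cannot terminate
    the string. Beyond the page's fix, also escape backtick and $ so that
    $(...) subexpressions and escape sequences in the value stay literal."""
    return "".join("`" + ch if ch in DOUBLE_QUOTES + "`$" else ch for ch in value)


def resolve_escaped(template: str, values: Dict[str, str]) -> str:
    """Hardened behaviour: escape each value before substitution."""
    return REF.sub(lambda m: escape_for_double_quoted(values[m.group(1)]), template)


def count_string_literals(script: str) -> int:
    """Count double-quoted literals the way a minimal tokenizer would: a
    backtick escapes the next character and a doubled quote inside a string is
    a literal quote. Single-quoted strings and comments are ignored, which is
    enough for this check. A count above the template's own means a value
    closed a string the template opened."""
    count, inside, i = 0, False, 0
    while i < len(script):
        ch = script[i]
        if ch == "`":                       # escape: skip the escaped character
            i += 2
            continue
        if ch in DOUBLE_QUOTES:
            if inside and i + 1 < len(script) and script[i + 1] in DOUBLE_QUOTES:
                i += 2                      # doubled quote inside a string
                continue
            inside = not inside
            if inside:
                count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed template and a constructed payload typed into a parameter field.
    template = 'Set-ADUser -Identity "%username%" -Description "%description%"'
    payload = {"username": "jdoe",
               "description": "x\u201d; Write-Host injected; \u201c"}
    for name, fn in (("unescaped", resolve_unescaped), ("escaped", resolve_escaped)):
        script = fn(template, payload)
        print(f"{name}: {script}")
        print(f"  string literals: {count_string_literals(script)} (template has 2)")
```

Run it and the unescaped script contains three string literals where the template had two: the typographic quotes in the payload closed `-Description "` and opened a new string, so `Write-Host injected` sits in command position. The escaped script keeps exactly two, whichever of the four quote characters the payload uses. An escaper that only handled the ASCII quote would pass the first payload style and fail the second, which is the bypass the second fix closes.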