
Release Notes Version 7.202.0.0

New Features

New Wizard Workflows

With this release, EmpowerID introduces several new Wizard-based workflows for managing Azure applications and onboarding common objects like EmpowerID Persons, groups, and Management Roles. These new workflows reduce the amount of data users see upfront, making the process more intuitive and user-friendly.

Azure Wizard Workflows

Create Azure Application – Wizard workflow for onboarding Azure applications in selected Azure tenants. This workflow has a number of parameters that you can configure to alter the fields that appear when running the workflow, as well as settings that determine whether human approval is required before EmpowerID fulfills the request and provisions the application in Azure.

Parameter

Description


App_Auth_AssignmentRequired_IsVisible

Boolean value to determine whether the Assignment Required? checkbox is visible.

AppAuth_EnableUserSignIn_IsVisible

Boolean value to determine whether the Enabled for users to sign-in? checkbox is visible.

AppAuth_SupportedAccountType_IsVisible

 

AppExt_CAP_IsVisible

Boolean value to determine whether the Conditional Access Policy drop-down is visible.

AppExt_ExtensionTab_IsVisible

Boolean to determine whether the Application Extension tab of the workflow is visible to users.

AppExt_ExtensionAttribute1_IsVisible

Boolean to determine whether the Application Extension Attribute 1 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute2_IsVisible

Boolean to determine whether the Application Extension Attribute 2 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute3_IsVisible

Boolean to determine whether the Application Extension Attribute 3 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute4_IsVisible

Boolean to determine whether the Application Extension Attribute 4 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute7_IsVisible

Boolean to determine whether the Application Extension Attribute 7 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

ApplicationLineListDataItemSetName

This specifies the AzureAppApplicationLine list data set of the various application lines that appear to users when selecting the environment for the application.

Default list items include those shown below:

 

ApplicationType_Location_IsVisible

Boolean value that specifies whether the Select a location section of the workflow wizard form is visible to users. Set to true by default.

ApplicationType_Location_SelectaLocation_IsVisible

If ApplicationType_Location_IsVisible is true, this Boolean value determines if the Select a Location tree is visible. Set to true by default.

ApplicationType_Location_Tenant_IsVisible

If ApplicationType_Location_IsVisible is true, this Boolean value determines if the Select a tenant drop-down is visible. Set to true by default.

DefaultAzureRBACManagerAppName

Specifies the default Azure RBAC Manager application used by EmpowerID to manage Azure RBAC resources. Set to EIDAzureRBACManager by default.

DefaultAssignmentRequired

Boolean value on the Azure service principal that determines if users and apps or services must first be assigned the application before accessing it. Set to true by default.

DefaultAzureTenantID

This is the GUID of the Azure tenant. If the value is present, the Select a Tenant drop-down will be auto-filled with the specified tenant.

You can find the Tenant ID for your Azure tenant by navigating to
Azure RBAC Manager > Resources and selecting the Tenants tab.

DefaultEmailMessageID

 

DefaultEnabledUsersSignIn

Boolean value on the Azure Service Principal that determines if assigned users will be able to sign in to this application, either from My Apps, the User access URL, or by navigating to the application URL directly.

DefaultOrgZoneID

Optional setting that specifies the Org Zone ID of the EmpowerID location that should be populated in the Select a Location tree drop-down.

DefaultSupportedAccountType

Default value that specifies the Microsoft accounts that are supported for the application.

ExtensionAttribute1ListDataItemSetName

Boolean to determine whether the Application Extension Attribute 1 radio button option is visible.

ExtensionAttribute2ListDataItemSetName

This points to the AzureAppExtensionAttribute2Choice list data set for displaying custom radio button options. The selected value is stored in the ExtensionAttribute2 attribute of the Protected Application in EmpowerID.

ExtensionAttribute3ListDataItemSetName

This points to the AzureAppExtensionAttribute3Choice list data set for displaying custom radio button options. The selected value is stored in the ExtensionAttribute3 attribute of the Protected Application in EmpowerID.

ExtensionAttribute4ListDataItemSetName

This points to the AzureAppExtensionAttribute4Choice list data set for displaying custom radio button options. The selected value is stored in the ExtensionAttribute4 attribute of the Protected Application in EmpowerID.

IntegrationTypeListDataItemSetName

This points to the AzureAppTypeOfIntegration list data set of the various Application Integration Types. By default, the list contains OIDC, SAML Gallery & SAML Non-Gallery options.

ListDataItemSetTypeName

Internal field for displaying list data items. Do not change the value.

NonGalleryTemplateID

Specifies the default template for creating non-gallery applications. Do not change the value.

ManagementRoleIDsToNotify

Specifies the ID of the Management Role whose members are to be notified each time an Azure application is created.

SupportedAccTypesOIDCListName

This points to the AzureAppSupportedAccountTypes list data set for displaying supported account type radio button options.

Default list items include those shown below:

SupportedAccountTypesTemplateListName

 

Create Azure Application Certificates – Wizard workflow for creating certificates for Azure applications managed by EmpowerID. The workflow has a number of parameters that can be configured to alter the fields that appear to users running the workflow. See Create Certificates for Azure Applications.

Parameter

Purpose


DefaultAzureTenantID

This is the GUID of the Azure tenant. If the value is present, the “Select a Tenant” drop-down will be auto-selected with the specified tenant.

You can find the Tenant ID for your Azure tenant by navigating to
Azure RBAC Manager > Resources and selecting the Tenants tab.

DefaultOrgZoneID

This is the ID of the EmpowerID location where the app certificate will be created. If a value is present, the “Select a Location” drop-down will be auto-selected with the location. The location can be changed as desired on the form.

DefaultShareCredential

Boolean value that specifies whether to enable sharing for all app certificates by default.

ShareCredential_IsVisible

Boolean value that specifies whether to show or hide the Share credential checkbox on the form

DefaultVaultCredential

Boolean value that specifies whether to vault all secrets by default

VaultCredential_IsVisible

Boolean value that specifies whether to show or hide the Vault credential checkbox on the form

DefaultOwnerPersonID

This is the Person ID of the certificate owner. If the value is present, the specified person will be the owner for all app certificates.

SelectOwner_IsVisible

Boolean value that specifies whether to show or hide the Owner selection drop-down on the form

DefaultExternalCredentialPolicyID

This is the External Credential Policy ID to be assigned to all app certificates created.

ManagementRoleIDsToNotify

This is a comma separated list of the Management Role IDs of the Management Roles to be notified each time an app certificate is created.

DefaultEmailMessageID

This is the ID of the Email Template used to send an email notification to each person belonging to the Management Roles specified in the ManagementRoleIDsToNotify parameter. Email notifications are sent each time an app certificate is created.

Create Azure Application Client Secrets – Wizard workflow for creating client secrets for Azure applications managed by EmpowerID. The workflow has a number of parameters that can be configured to alter the fields that appear to users running the workflow. See Create Azure Application Client Secrets.

Parameter

Purpose


DefaultAzureTenantID

This is the GUID of the Azure tenant. If the value is present, the “Select a Tenant” drop-down will be auto-selected with the specified tenant.

You can find the Tenant ID for your Azure tenant by navigating to
Azure RBAC Manager > Resources and selecting the Tenants tab.

DefaultOrgZoneID

This is the ID of the EmpowerID location where the client secret will be created. If a value is present, the “Select a Location” drop-down will be auto-selected with the location. The location can be changed as desired on the form.

DefaultSecretExpirationInDays

This is the default client secret lifetime, expressed as a number of days (X). The expiration date is calculated by adding X days to the current date.

SelectExpiration_IsVisible

Boolean value that specifies whether to show or hide the expiration field on the form.

DefaultShareCredential

Boolean value that specifies whether to enable sharing for all credentials by default.

ShareCredential_IsVisible

Boolean value that specifies whether to show or hide the Share credential checkbox on the form

VaultShareCredential

Boolean value that specifies whether to vault all secrets by default

VaultCredential_IsVisible

Boolean value that specifies whether to show or hide the Vault credential checkbox on the form

DefaultOwnerPersonID

This is the Person ID of the secret owner. If the value is present, the specified person will be the owner for all client app secrets.

SelectAOwner_IsVisible

Boolean value that specifies whether to show or hide the Owner selection drop-down on the form

DefaultExternalCredentialPolicyID

This is the External Credential Policy ID to be assigned to all client secret credentials created.

ManagementRoleIDsToNotify

This is a comma separated list of the Management Role IDs of the Management Roles to be notified each time a client app secret is created.

DefaultEmailMessageID

This is the ID of the Email Template used to send an email notification to each person belonging to the Management Roles specified in the ManagementRoleIDsToNotify parameter. Email notifications are sent each time a client app secret is created.

Create Azure Application Scopes – Wizard workflow for creating scopes for Azure applications managed by EmpowerID. See Add Scopes to Azure Applications.

Create Azure Application Roles – Wizard workflow for creating app roles for Azure applications managed by EmpowerID. See Add App Roles to Azure Applications.

Update Azure App API Permissions – Wizard workflow for managing API permissions for Azure applications managed by EmpowerID. See Update API Permissions of Azure Applications.

Onboarding Wizard Workflows

Onboard Person – Wizard workflow for onboarding people with different options for the onboarding process. The amount of data and options available to users can be controlled via workflow parameters.

Parameter

Description


CreationModeListDataItemTypeName

This is a list that contains the available modes for onboarding people.

EmailMessageIdForMgtRoles

Integer that specifies the email message to be sent to all members belonging to the target Management Roles.

EmailMessageIdForNewPerson

Integer that specifies the email message to be sent to the newly onboarded person.

EmailMessageIdForPersonManager

Integer that specifies the email message to be sent to the manager of the newly onboarded person.

IsAssignGroupMembership_IsVisible

Boolean value that determines whether the Assign Group membership section of the workflow is visible to users.

IsAssignMgmtRoleBundleMembership_IsVisible

Boolean value that determines whether the Assign Management Role Bundle Membership section of the workflow is visible to users.

IsAssignObjectVisibilityAccessRoles_IsVisible

Boolean value that determines whether the Assign Visibility Access Role section is visible to users.

IsAssignPreApprovedMgmtRole_IsVisible

Boolean value to determine whether the Assign Pre-Approved Management Roles section of the workflow is visible to users.

IsAssignRbacOperationAccessRoles_IsVisible

Boolean value to determine whether the Assign RBAC Operation Access Roles section of the workflow is visible to users.

IsAssignSecondaryRoleAndLocation_IsVisible

Boolean value to determine whether the Assign Secondary Role and Location section of the workflow is visible to users.

IsAssignUIAccessRoles_IsVisible

Boolean value that determines whether the Assign UI Access Roles section of the workflow is visible to users.

IsAutoGeneratePassword_IsVisible

Boolean value that specifies whether the Auto Generate Password option is visible to users.

OnboardPersonCreationMode_ItemSetName

Specifies the List Item Set Name containing the creation modes presented to users running the workflow.

OnboardPersonPropertiesToClone

Specifies the properties to clone from a selected person to the new person when running the workflow in Create Person From Another mode. Default properties include:

  • LastName

  • FirstName

  • Address.City

  • Address.State

PersonPropertiesToClone

Specifies the properties to clone from a selected person to the new person when running the workflow in Create Person From Another mode. Default properties include:

  • Name

  • Address

  • ManagerInfo

  • PrimaryLocationAndRole

  • OrganizationBasicInfo

  • OrganizationContactInfo

SendForApproval

Boolean value that specifies whether the onboarding request needs to be routed for human approval before the system provisions the new person.

Onboard Person Creation Modes:

  • Create Person Simple Mode – This option allows non-technical users to initiate creating a new person, requiring minimal information to be supplied, such as the new person's First Name, Last Name, and primary Business Role and Location.

  • Create Person Advanced Mode – This option requires more information and provides more configuration options, such as assigning the new person to one or more Management Roles and groups.

  • Create Person From Another Mode – This option allows you to create a person using another person as a template for the new person. The amount of information that should be cloned is set via workflow properties.

Onboard Group – Wizard workflow for onboarding groups with different options for choosing group members and eligibility of pre-approved members. This workflow consists of seven steps, with two being based on the current user’s selections. These steps are configurable via workflow parameters.

  • Group Usage Type

    • ShowGroupUsageType – Boolean value (true/false) that determines the visibility of the Group Usage Type drop-down.

    • DefaultGroupUsageTypeId – Integer value that sets the default selection for the Group Usage Type option list. The value must be a valid Group Usage Type ID.

  • Membership Options

    • ShowMembershipOptions – Boolean value that determines the visibility of the Group Membership Options section of the workflow

    • ShowPermanentMembersOption – Boolean value that determines the visibility of the Permanent Members Option in the Group Membership Options section of the workflow

    • ShowPreApproveMembershipOptions – Boolean value that determines the visibility of the Pre-approved Members option from the Group Membership Options section of the workflow

Onboard Account – Wizard workflow for onboarding person and non-person technical user accounts with options for vaulting a personal or non-personal credential for the account during the onboarding process. Contextual options are shown to the user depending on the type of account selected.

Onboard Mailbox – Wizard workflow for onboarding shared, room, or equipment mailboxes with options for publishing the mailbox in the IAM Shop, adding the mailbox to groups, configuring eligibility for requesting access to the mailbox (when published in the IAM Shop), and Access Request settings that direct the approval flow process for when users request access.

Onboard Credential – Wizard workflow for onboarding various types of credentials with options for configuring Access Request settings that control check-out and check-in process as well as eligibility settings for who may request the credential from the IAM Shop. The wizard contains steps for assigning owners and deputies as well as an optional step for assigning the credential to a computer for PSM.

Onboard Computer – Wizard workflow for onboarding computers with options for publishing the computer in the IAM Shop, configuring eligibility for the computer (when published in the IAM Shop), configuring Access Request settings that control approval flow for the computer, as well as options for enabling Privileged Session Management (PSM) and linking PSM credentials to the computer.

 

Onboard Management Role – Wizard workflow for onboarding Management Roles with options for selecting role type, parent Management Role Definition, IAM Shop publication, and nested roles.

 

Additional Wizard Workflows

Manage Your Identity Wizard – Wizard workflow with options for users to manage various aspects of their identity, including the following:

  • Delete an MFA authenticator

  • Enroll for Q&A password reset

  • Manage account recovery contacts

  • Change their password

  • Edit their profile

  • Register an MFA authenticator

Login Assistance Wizard Workflow – Presents a wizard with options to assist a person who is having trouble logging in. The wizard provides the following options:

  • Send an Azure Temporary Access Pass

  • Send EmpowerID One-Time Password

  • Send magic link invitation to change password

  • Reset Azure MFA for a user to unblock them

  • Unlock person from Q&A reset

  • Unenroll a person from Q&A password reset

  • Unlock a person and their user accounts

Login Assistance Self-Service Wizard Workflow – Accessible by clicking the Login Assistance Workflow link on the login page, this wizard workflow helps users having the following login issues:

Login Issue

Solution


Forgot password to Azure or are locked out of Azure

Send an Azure Temporary Access Pass (TAP) to the user

Forgot password to EmpowerID or are locked out of EmpowerID

Reset person and account passwords and unlock the user

Can no longer do MFA to Azure due to lost phone, new email address, etc.

Reset Azure MFA by unenrolling the user’s current MFA configuration in Azure

Can no longer do MFA to EmpowerID due to lost phone, new email address, etc.

Reset EmpowerID MFA by deleting all the user’s MFA assets and preferences

 

Manage Account Wizard Workflow – Wizard workflow with options and actions for managing one or more accounts. Available actions vary depending on the selected option.

Management Options

Management Actions


Only One Account

  • Add user to groups

  • Delete user account

  • Edit account attributes

  • Remove user from groups

Multiple accounts

  • Delete user accounts

  • Disable user accounts

  • Enable user accounts

  • Assign a responsible party

Manage Mailbox Wizard Workflow – Wizard workflow with options and actions for managing one or more mailboxes. The wizard performs a live access check on the person running the workflow to display only the actions the person is authorized to perform against the selected mailboxes.

Self-Register Wizard Workflow – Accessible by clicking the Sign Up > Partner Self-Register link on the login page, this wizard workflow helps users within a partner organization register for an account in EmpowerID. This new version of the workflow includes more advanced logic to prevent duplicate signup attempts by someone who already exists in the system; it also validates the email domain and verifies that the selected OROZID exists before allowing the user to complete the self-registration process.

Create Partner Organization Workflow – Accessible by clicking the Sign Up > Partner Company Registration link on the login page, this workflow has been refactored to run through the Business Request engine. Now when an organization seeks to register itself as a partner, the system creates a Business Request of type Onboard Partner Organization with one approval step. If approved, the system fulfills the request. To support integrating the workflow with the Business Request engine, the following new features were added:

Feature (Type)

Name


Resource Type Operation

CreatePartner

Approval Flow Policy

Onboard Partner Organization Policy

Approval Flow Step

Provisioning Organization Approval

Approval Flow Policy Step

Onboard Partner Organization Policy - Provisioning Organization Approval

Business Request Type

Onboard Partner Organization

New Adaptive Card Designer in Workflow Studio

Workflow Studio supports the design and development of adaptive cards for the EmpowerID Chatbot. An adaptive card is a commonly used UI component in bot conversations. Adaptive cards are highly interactive, since they support rich text, graphics, input controls, and buttons to gather user input. One of the major advantages of adaptive cards is native rendering: because the interface is inherited directly from the host, the card's UI/UX matches the framework in which it is displayed. See Adaptive Cards.

Enhancements

EmpowerID UX/UI

  • Upgrade jQuery from v1.9.1 to v3.6.0

  • Upgrade jQuery UI from v1.12.1 to v1.13.1

  • Upgrade Knockout JS version from v3.4.0 to v3.5.1

  • Various UX/UI improvements and fixes (alignments, icon updates, styles)

  • Browser window resize

  • New design for Add, Edit, and Delete buttons

  • New design for Breadcrumbs

  • Restyle Passwordless Login Workflow

  • Azure RBAC Assignments Fixes

  • Slim Mode Tree fixes

  • New, improved design for Person - Management Roles table

  • New, improved UI for Location Search

  • Improved UX for section separation

  • A new design for Pop-up and Person Request form

  • New design for Check, Attention, and Undo states

  • Pop-ups now appear as drawers

  • New UX/UI for the Top 10

  • New UX for Workflows tabs

  • Security Key or Biometric Authenticator

Workflow Studio

  • Use Microsoft Edge as the default browser for logging into Workflow Studio. Auto-detect and install the WebView2 prerequisite if it is not present.

  • Shortcut implementations for Save, Comment, and Uncomment code

  • WFS Activities for invoking AAD and EXO PowerShell microservice endpoints

  • WFS Activity to send a message to Teams channel. The base activity name is TeamsChannelMessageActivity.

  • WFS activity for generating Business Request items in a workflow for group membership. The base activity name is UpdateGroupRBACMembershipActivity.

  • WFS activity named UpdateEligibilityAssignments that adds or removes eligibility assignments (Eligible, Suggested, PreApproved)

  • WFS .NET 6 templates for creating Microservices, SCIM Microservices, and Azure Functions (isolated and in-process)

  • Added a new OrgRoleOrgZonePicker form control.

EmpowerID Chatbot

  • Add Connect to computer bot flow

  • Create/View Shared and Vault Credentials bot flows

  • Support for “Things to Manage” and “Things to Do” in Bot

  • Update Adaptive Cards in the Bot Flows with the latest features, such as password masking, validations, and search drop-downs

  • Support for LUIS

EmpowerID Mobile App

  • Add EmpowerID Chatbot

  • Important security and reliability updates

Azure AD

  • Upgrade the Azure AD SCIM Microservice from .NET 5 to .NET 6

  • Improve the Azure application onboarding workflow to support additional capabilities for OIDC, non-gallery, and gallery apps

  • Added the ability to inventory Exchange Online mailbox-level permissions

Resource Admin Microservice

  • Applications

    • Azure Application Secrets

    • Azure Application Certificates

    • Azure Applications Scopes

    • Azure Application Roles

    • Azure Applications API Permissions

    • Contextual Workflows for Applications and for an Application in particular

  • Groups

    • List View / Tab View for all Groups you are an owner of or that are owned by someone else.

    • Overview of a Group

    • Rights of a Group

    • Local Sensitive Functions of a Group

    • Member of a Group

    • Membership Changes for a Group

    • Resultant Members of a Group

    • Contextual Workflows for Groups and for a Group in particular

  • Management Roles

    • List View / Tab View for all Management Roles you are an owner of or that are owned by someone else

    • Overview of Management Roles

    • Rights of Management Roles

    • Sensitive Functions of Management Roles

    • All Members of Management Roles

    • People as Members for a Management Role

    • Contextual Workflows for All Management Roles and for a Management Role in particular

    • Added Optimize tab in the View One Management Role Page that provides quick access to visual dashboards of information related to Management Role memberships.

    • Added Optimize tab in the View One Group Page.

  • Access Levels

    • Added the ability for customers to preserve their changes to the shipped ResourceTypeRoleOperations by allowing them to add new ones and disable existing ones

IAM Shop Microservice

  • Mailboxes

    • List View / Tab View of all Mailboxes you are Eligible or Preapproved to Request Access to

    • Request Access for a Mailbox Permission Level

    • Managing Access for a Mailbox Permission Level

  • Shared Folders

    • List View / Tab View of all Shared Folders you are Eligible or Preapproved to Request Access to

    • Request Access for a Shared Folder Permission Level

    • Managing Access for a Shared Folder Permission Level

  • Credentials

    • List View / Tab View of all Credentials you are Eligible or Preapproved to Request Access to

    • Request Access to checkout a Credential

      • For One Time Check-Out

      • To be Preapproved for Unlimited Number of Check-Outs

    • Managing Access for Credentials with ability to:

      • Checkout / Check-in Credentials

      • View Checkout History

  • Computers

    • List View / Tab View of all Computers you or someone else is Eligible or Preapproved to Request Access to

    • Request Access to Connect to a Computer:

      • Membership-Based Access for a certain Permission Level

      • Login Session Access (PSM Enabled)

        • For One Time Connect

        • To be Preapproved for an Unlimited Number of Connections

    • Managing Access for Computers:

      • Membership-Based Access for a certain Permission Level

      • Login Session Access (PSM Enabled)

        • Connect / Reconnect / Disconnect from a Computer

      • View Login Session History for Computers

  • Groups

    • Introduced the ability to Activate Now for Preapproved Membership if BypassBusinessRequestWhenPreApproved is set to TRUE in the Access Request Policy to directly add the person to pre-approved Groups

  • Management Roles

    • Introduced the ability to Activate Now for Preapproved Membership if BypassBusinessRequestWhenPreApproved is set to TRUE in the Access Request Policy to add the person to pre-approved Management Roles directly

  • Added Contextual Workflows to Each Resource Type

  • Added the ability to fill in dynamic attributes defined for a resource in the IAM Shop when requesting access to a resource

Risk Analytics Microservice

  • View Risk Stats Analytics Dashboard

  • View Risk Reports

My Identity Microservice

  • Change the time zone for a person

  • Set the out of office status for a person

PowerShell Microservice

  • Teams PowerShell Microservice that can execute MSTeams cmdlets.

  • MSOnline PowerShell Microservice that can execute MSOnline cmdlets.