We have deployed Microsoft Identity Manager 2016 SP1 on Windows Server 2012 R2 and the Microsoft Identity Manager Hybrid Report Agent, ahead of a rollout of MIM SSPR to our clients.
The agent is installed successfully and events are being shipped to Azure and appearing in the Password Reset Activity Report. However, the report only contains the successful events, none of the unsuccessful events.
Using the Classic Portal, under the "Subscription Reports - Password Reset Activity - Source = Identity Manager" the report contains only events that are in the "Succeeded" state.
Looking at the "Identity Manager Request Log" on the on-premises server, I can see that there are 4121 Events written to the log for unsuccessful events; however, these events are not being shipped to Azure.
Looking at the Azure AD version of the report, "Failed" and "Abandoned" events are logged.
This reporting is required to provide an audit trail of users’ successful and unsuccessful attempts to undertake SSPR.
Is there a configuration setting for sending unsuccessful gate authentication events to Azure?
If not, is this behaviour by design or a bug?
[Further update...]
Looking at the JSON data in the 4121 event, there is an Exception logged. I wonder if the event is mangled and that is why the agent is failing to upload it? There is a corresponding Event ID 2 in the FIM Event log: "Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown."
The following is extracted from the parsed JSON in the 4121 event:
DisplayName : Password Reset AuthN Workflow
ObjectType : WorkflowInstance
WorkflowStatus : Terminated
WorkflowStatusDetail : EXCEPTION DATA\\r\\n\\r\\nMESSAGE: Exception of type 'System.Workflow.ComponentModel.WorkflowTerminatedException' was thrown.\\r\\n\\r\\n"
Thank you,
Alastair.