Daily Archives: 28 June, 2016

Understand the components of PAM

Privileged Access Management keeps administrative access separate from day-to-day user accounts. This solution relies on two parallel forests:

  • CORP: Your general-purpose corporate forest that includes one or more domains. While you may have multiple CORP forests, the examples in these articles assume a single forest with a single domain for simplicity.
  • PRIV: A dedicated forest created especially for this PAM scenario. This forest includes one domain to accommodate privileged groups and accounts which are shadowed from one or more CORP domains.

The MIM solution as configured for PAM includes the following components:

  • MIM Service: implements business logic for performing identity and access management operations, including privileged account management and elevation request handling.
  • MIM Portal: a SharePoint-based portal, hosted by SharePoint 2013, which provides an administrator management and configuration UI.
  • MIM Service Database: stored in SQL Server 2012 or 2014, and holds identity data and meta-data required for MIM Service.
  • PAM Monitoring Service and PAM Component Service: two services that manage the lifecycle of privileged accounts and assist the PRIV AD in group membership lifecycle.
  • PowerShell cmdlets: for populating MIM Service and PRIV AD with users and groups that correspond to the users and groups in the CORP forest for PAM administrators, and for end users requesting just-in-time (JIT) use of privileges on an administrative account.
  • PAM REST API and sample portal: for developers integrating MIM in the PAM scenario with custom clients for elevation, without needing to use PowerShell or SOAP. The use of the REST API is demonstrated with a sample web application.

Once installed and configured, each group created by the migration procedure in the PRIV forest is a shadow SIDHistory-based security group (or, in a later update with Windows Server vNext, a foreign principal group) mirroring the SID of the group in the original CORP forest. Furthermore, when the MIM Service adds members to these groups in the PRIV forest, those memberships are time limited.

As a result, when a user requests elevation using the PowerShell cmdlets and the request is approved, the MIM Service adds the user's account in the PRIV forest to a group in the PRIV forest. When the user logs in with that privileged account, the Kerberos token contains a Security Identifier (SID) identical to the SID of the group in the CORP forest. Since the CORP forest is configured to trust the PRIV forest, the elevated account being used to access a resource in the CORP forest appears, to a resource checking the Kerberos group memberships, to be a member of that resource's security groups. This is provided via Kerberos cross-forest authentication.

Furthermore, these memberships are time limited so that after a preconfigured interval of time, the user’s administrative account will no longer be part of the group in the PRIV forest. As a result, that account will no longer be usable for accessing additional resources.
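As an added example (not part of the Microsoft article quoted above), the following PowerShell checks the two facts this section relies on: that a PRIV shadow group's SIDHistory carries the SID of its CORP counterpart, and which of its members are time-bound and for how long. It assumes the ActiveDirectory RSAT module and a PRIV domain on Windows Server 2016 (the "vNext" release referred to above), where Get-ADGroup -ShowMemberTimeToLive exposes the remaining TTL; the domain controller and group names are placeholders.

```powershell
# Added example, not from the Microsoft article: verify a PRIV shadow group and list its
# time-bound members. Requires the ActiveDirectory module (RSAT). Server and group names
# are placeholders for your CORP and PRIV forests.
Import-Module ActiveDirectory

function Test-PamShadowGroup {
    param(
        [Parameter(Mandatory)][string]$CorpGroup,   # sAMAccountName of the original group in CORP
        [Parameter(Mandatory)][string]$PrivGroup,   # sAMAccountName of the shadow group in PRIV
        [string]$CorpServer = 'corpdc01.corp.example',   # placeholder CORP domain controller
        [string]$PrivServer = 'privdc01.priv.example'    # placeholder PRIV domain controller
    )
    $corp = Get-ADGroup -Identity $CorpGroup -Server $CorpServer

    # -ShowMemberTimeToLive (Windows Server 2016 DCs) returns time-bound members as
    # "<TTL=seconds>,<DN>", so the remaining lifetime can be read directly from AD.
    $priv = Get-ADGroup -Identity $PrivGroup -Server $PrivServer `
                -Properties sIDHistory, member -ShowMemberTimeToLive

    # The shadow group only grants access in CORP if its SIDHistory holds the CORP group's SID.
    $historySids = @($priv.sIDHistory | ForEach-Object { $_.Value })
    $sidMatches  = $historySids -contains $corp.SID.Value

    $members = foreach ($m in @($priv.member)) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; TtlSeconds = [int]$Matches[1]; TimeBound = $true }
        } else {
            # A member without a TTL was not added through MIM's time-limited path: review it.
            [pscustomobject]@{ Member = $m; TtlSeconds = $null; TimeBound = $false }
        }
    }

    [pscustomobject]@{
        CorpGroup         = $corp.SamAccountName
        CorpSid           = $corp.SID.Value
        PrivGroup         = $priv.SamAccountName
        SidHistoryMatches = $sidMatches
        PermanentMembers  = @($members | Where-Object { -not $_.TimeBound }).Count
        Members           = $members
    }
}

# Example call with placeholder group names
$result = Test-PamShadowGroup -CorpGroup 'HR Database Admins' -PrivGroup 'CORP.HR Database Admins'
$result | Format-List CorpGroup, CorpSid, PrivGroup, SidHistoryMatches, PermanentMembers
$result.Members | Format-Table -AutoSize
```

SidHistoryMatches false means the shadow group will never satisfy an access check in CORP; PermanentMembers greater than zero means someone added a member outside the MIM elevation path, which is exactly the kind of direct change the Monitor step below says to look for. On a 2012 R2 PRIV forest the TTL is enforced by MIM rather than AD, so the TTL prefix will not appear and every member shows as permanent.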

Source: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/principles-of-operation

Privileged Access Management for Active Directory Domain Services

Privileged Access Management (PAM) is a solution that is based on Microsoft Identity Manager (MIM), Windows Server 2012 R2, and Windows Server Technical Preview. It helps organizations restrict privileged access within an existing Active Directory environment.

NOTE

PAM is an instance of Privileged Identity Management (PIM) that is implemented using Microsoft Identity Manager (MIM).

Privileged Access Management accomplishes two goals:

  • Re-establish control over a compromised Active Directory environment by maintaining a separate bastion environment that is known to be unaffected by malicious attacks.
  • Isolate the use of privileged accounts to reduce the risk of those credentials being stolen.

What problems does PAM help solve?

A real concern for enterprises today is resource access within an Active Directory environment. Particularly troubling is news about vulnerabilities, unauthorized privilege escalations, and other types of unauthorized access including pass-the-hash, pass-the-ticket, spear phishing, and Kerberos compromises.

Today, it’s too easy for attackers to obtain Domain Admins account credentials, and it’s too hard to discover these attacks after the fact. The goal of PAM is to reduce opportunities for malicious users to get access, while increasing your control and awareness of the environment.

PAM makes it harder for attackers to penetrate a network and obtain privileged account access. PAM adds protection to privileged groups that control access across a range of domain-joined computers and applications on those computers. It also adds more monitoring, more visibility, and more fine-grained controls so that organizations can see who their privileged administrators are and what they are doing. PAM gives organizations more insight into how administrative accounts are used in the environment.

How is PAM set up?

PAM builds on the principle of just-in-time administration, which relates to just enough administration (JEA). JEA is a Windows PowerShell toolkit that defines a set of commands for performing privileged activities and an endpoint where administrators can get authorization to run those commands. In JEA, an administrator decides that users with a certain privilege can perform a certain task. Every time an eligible user needs to perform that task, they enable that permission. The permissions expire after a specified time period, so that a malicious user can’t steal the access.

PAM setup and operation has four steps.

PAM steps: prepare, protect, operate, monitor - diagram

  1. Prepare: Identify which groups in your existing forest have significant privileges. Recreate these groups without members in the bastion forest.

  2. Protect: Set up lifecycle and authentication protection, such as Multi-Factor Authentication (MFA), for when users request just-in-time administration. MFA helps prevent programmatic attacks from malicious software or following credential theft.

  3. Operate: After authentication requirements are met and a request is approved, a user account gets added temporarily to a privileged group in the bastion forest. For a pre-set amount of time, the administrator has all privileges and access permissions that are assigned to that group. After that time, the account is removed from the group.

  4. Monitor: PAM adds auditing, alerts, and reports of privileged access requests. You can review the history of privileged access, and see who performed an activity. You can decide whether the activity is valid or not and easily identify unauthorized activity, such as an attempt to add a user directly to a privileged group in the original forest. This step is important not only to identify malicious software but also for tracking "inside" attackers.

How does PAM work?

PAM is based on new capabilities in AD DS, particularly for domain account authentication and authorization, and new capabilities in Microsoft Identity Manager. PAM separates privileged accounts from an existing Active Directory environment. When a privileged account needs to be used, it first needs to be requested, and then approved. After approval, the privileged account is given permission via a foreign principal group in a new bastion forest rather than in the current forest of the user or application. The use of a bastion forest gives the organization greater control, such as when a user can be a member of a privileged group, and how the user needs to authenticate.

Active Directory, the MIM Service, and other portions of this solution can also be deployed in a high availability configuration.

The following example shows how PIM works in more detail.

PIM process and participants - diagram

The bastion forest issues time-limited group memberships, which in turn produce time-limited ticket-granting tickets (TGTs). Kerberos-based applications or services can honor and enforce these TGTs, if the apps and services exist in forests that trust the bastion forest.

Day-to-day user accounts do not need to move to a new forest. The same is true with the computers, applications, and their groups. They stay where they are today in an existing forest. Consider the example of an organization that is concerned with these cybersecurity issues today, but has no immediate plans to upgrade the server infrastructure to the next version of Windows Server. That organization can still take advantage of this combined solution by using MIM and a new bastion forest, and can better control access to existing resources.

PAM offers the following advantages:

  • Isolation/scoping of privileges: Users do not hold privileges on accounts that are also used for non-privileged tasks like checking email or browsing the Internet. Users need to request privileges. Requests are approved or denied based on MIM policies defined by a PAM administrator. Until a request is approved, privileged access is not available.

  • Step-up and proof-up: These are new authentication and authorization challenges to help manage the lifecycle of separate administrative accounts. The user can request the elevation of an administrative account and that request goes through MIM workflows.

  • Additional logging: Along with the built-in MIM workflows, there is additional logging for PAM that identifies the request, how it was authorized, and any events that occur after approval.

  • Customizable workflow: The MIM workflows can be configured for different scenarios, and multiple workflows can be used, based on the parameters of the requesting user or requested roles.

How do users request privileged access?

There are a number of ways in which a user can submit a request, including:

  • The MIM Services Web Services API
  • A REST endpoint
  • Windows PowerShell (New-PAMRequest)
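The PowerShell path in the list above, written out as an added example (this is not code from the Microsoft article): an end user asks for just-in-time elevation through the MIMPAM module that is installed with the PAM client, then lists their requests to follow the outcome. The role display name and justification are placeholders, and the use of DisplayName to pick the role is an assumption about the objects Get-PAMRoleForRequest returns.

```powershell
# Added example, not from the Microsoft article: request just-in-time elevation with the
# MIMPAM module that ships with the PAM client, then inspect what came back.
# The role display name is a placeholder; property names used on the returned objects are
# assumptions noted inline.
Import-Module MIMPAM

function Request-PamElevation {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$Justification,
        [int]$Hours = 1   # requested TTL; MIM enforces the maximum configured on the role
    )
    # Roles this user is allowed to request. DisplayName is assumed to be the visible role name.
    $role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $role) {
        throw "No PAM role named '$RoleName' is available to $env:USERNAME."
    }

    # Depending on the policy the PAM administrator defined for the role, the request is
    # approved automatically or routed through the MIM approval/MFA workflow.
    New-PAMRequest -Role $role -Justification $Justification `
                   -RequestedTTL (New-TimeSpan -Hours $Hours)
}

# Submit a request (constructed justification), then list this user's requests to follow it.
$request = Request-PamElevation -RoleName 'HR Database Admins' -Justification 'Ticket 12345: index rebuild'
$request | Format-List *
Get-PAMRequest | Format-List *
```

Once the request is approved, the PRIV administrative account has to obtain a fresh Kerberos ticket (a new logon, or klist purge followed by re-authentication) before the shadow group's SID appears in its token, and the membership disappears again when the requested TTL runs out.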

What workflows and monitoring options are available?

As an example, let’s say a user was a member of an administrative group before PIM is set up. As part of PIM setup, the user is removed from the administrative group, and a policy is created in MIM. The policy specifies that if that user requests administrative privileges and is authenticated by MFA, the request is approved and a separate account for the user will be added to the privileged group in the bastion forest.

Assuming the request is approved, the Action workflow communicates directly with bastion forest Active Directory to put a user in a group. For example, when Jen requests to administer the HR database, the administrative account for Jen is added to the privileged group in the bastion forest within seconds. Her administrative account’s membership in that group will expire after a time limit. With Windows Server Technical Preview, that membership is associated in Active Directory with a time limit; with Windows Server 2012 R2 in the bastion forest, that time limit is enforced by MIM.

NOTE

When you add a new member to a group, the change needs to replicate to other domain controllers (DCs) in the bastion forest. Replication latency can impact the ability for users to access resources. For more information about replication latency, see How Active Directory Replication Topology Works.

In contrast, an expired link is evaluated in real time by the Security Accounts Manager (SAM). Even though the addition of a group member needs to be replicated by the DC that receives the access request, the removal of a group member is evaluated instantaneously on any DC.

This workflow is specifically intended for these administrative accounts. Administrators (or even scripts) who need only occasional access to privileged groups can request exactly that access. MIM logs the request and the changes in Active Directory, and you can view them in Event Viewer or send the data to enterprise monitoring solutions such as System Center 2012 – Operations Manager Audit Collection Services (ACS), or other third-party tools.

Source: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

Working with the MIM Certificate Manager

After you have MIM 2016 and Certificate Manager up and running, you can deploy the MIM Certificate Manager Windows store application so that your users can easily manage their physical smart cards, virtual smart cards and software certificates. The steps to deploy MIM CM app are as follows:

  1. Create a certificate template.

  2. Create a profile template.

  3. Prepare the app.

  4. Deploy the app via SCCM or Intune.

Create a certificate template

You create a certificate template for the CM app the same way you ordinarily would, except that you have to make sure that the certificate template is version 3 and up.

  1. Log into the server running AD CS (the certificate server).

  2. Open the MMC.

  3. Click File > Add/Remove Snap-in.

  4. In the Available snap-ins list, click Certificate Templates and then click Add.

  5. You will now see Certificate Templates under Console Root in the MMC. Double click it to view all the available certificate templates.

  6. Right-click the Smartcard Logon template and click Duplicate Template.

  7. On the Compatibility tab, under Certification Authority select Windows Server 2008 and under Certificate Recipient select Windows 8.1/Windows Server 2012 R2. This step is crucial because it makes sure that you have a version 3 (or higher) certificate template, and only version 3 works with the certificate manager app. Because the version is set the first time you create and save the certificate template, if you didn’t create the certificate template in this way there is no way to modify it to the correct version and you should create a new one before proceeding.

  8. On the General tab, in the Display Name field, type the name you want to appear in the app’s UI, such as Virtual Smart Card Logon.

  9. On the Request Handling tab, set the Purpose to Signature and encryption and under Do the following… select Prompt the user during enrollment.

  10. On the Cryptography tab under Provider Category, select Key Storage Provider and Requests can use any provider available on the subject’s computer.

    NOTE

    You will only see Key Storage Provider as an option if your template is version 3. If you don’t see it, you probably didn’t create the certificate template correctly with the correct version. Start over with step 5, above.

  11. On the Security tab, add the security group that you want to provide Enroll access for. For example, if you want to provide access to all users, select the Authenticated users group and then select Enroll permissions for them.

  12. Click OK to finalize your changes and create the new template. You should be able to see your new template in the list of Certificate Templates.

  13. Select File and click Add/Remove Snap-in to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select Local Computer.

  14. In the left pane of the MMC, expand Certification Authority (Local) and then expand your CA within the Certification Authority list.

  15. Right-click Certificate Templates, click New > Certificate Template to Issue.

  16. From the list select the new template you created and click OK.
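Steps 7 and 11 are the two settings that most often go wrong, and neither is visible once the console is closed. As an added example (not from the Microsoft article), the following PowerShell reads the template object from the Configuration partition and reports whether its schema version is 3 or higher and whether the intended group holds the Enroll right; the template display name is a placeholder.

```powershell
# Added example, not from the Microsoft article: check a duplicated certificate template
# in AD for the two properties the procedure above depends on: msPKI-Template-Schema-Version
# of 3 or higher, and an Allow ACE granting the Certificate-Enrollment extended right to the
# intended group. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-CmCertificateTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateDisplayName,   # e.g. 'Virtual Smart Card Logon' (placeholder)
        [string]$EnrollGroup = 'Authenticated Users'
    )
    $configNc      = (Get-ADRootDSE).configurationNamingContext
    $templatesPath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $tpl = Get-ADObject -SearchBase $templatesPath -LDAPFilter "(displayName=$TemplateDisplayName)" `
               -Properties 'msPKI-Template-Schema-Version', nTSecurityDescriptor
    if (-not $tpl) { throw "Template '$TemplateDisplayName' not found under $templatesPath." }

    # Schema versions: 1 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008,
    # 4 = Windows Server 2012. The CM app needs 3 or higher; the value is fixed at creation.
    $version = [int]$tpl.'msPKI-Template-Schema-Version'

    # Enroll is the Certificate-Enrollment extended right with this well-known GUID.
    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $enrollAces  = $tpl.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -ne 0 -and
        $_.ObjectType -eq $enrollRight -and
        $_.IdentityReference.Value -like "*$EnrollGroup"
    }

    [pscustomobject]@{
        Template      = $TemplateDisplayName
        SchemaVersion = $version
        VersionOk     = ($version -ge 3)
        EnrollGranted = [bool]$enrollAces
        EnrollGroup   = $EnrollGroup
    }
}

Test-CmCertificateTemplate -TemplateDisplayName 'Virtual Smart Card Logon' | Format-List
```

VersionOk false means the template was not duplicated with the compatibility settings from step 7 and has to be recreated, as the note after step 10 says. Whether the CA actually issues the template (steps 15 and 16) is a separate setting on the CA itself; certutil -CATemplates run on the CA lists the templates it currently publishes.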

Create a profile template

When you create the profile template, make sure to set it to create/destroy the virtual smart card (vSC) and to remove data collection. The CM app cannot handle collected data, so it's important to disable it, as follows.

  1. Log into the CM portal as a user with administrative privileges.

  2. Go to Administration > Manage Profile templates and make sure that the box is checked next to MIM CM Sample Smart Card Logon Profile Template and then click on Copy a selected profile template.

  3. Type the name of the profile template and click OK.

  4. In the next screen, click Add new certificate template and make sure to check the box next to the CA name.

  5. Check the box next to the name of the profile template Logon and click Add.

  6. Remove the SmartCardLogon template by checking the box next to it, then clicking Delete selected certificate templates, and then OK.

  7. Scroll down to the bottom and click Change settings.

  8. Check the boxes next to Create/Destroy virtual smart card and Diversify Admin Key.

  9. Under User PIN Policy select User Provided.

  10. In the left pane, click Renew Policy > Change general settings. Select Reuse card on renew and click OK.

  11. You have to disable data collection items for each and every policy by clicking on the policy in the left pane, and then checking the box next to Sample data item and then click Delete data collection items. Then click OK.

Prepare the CM app for deployment

  1. In the command prompt, run the following commands to unpack the app, extract its content into a new subfolder named appx, and keep a copy of the original package so that you don't modify it.

    makeappx unpack /l /p <app package name>.appx /d ./appx
    ren <app package name>.appx <app package name>.appx.original
    cd appx

  2. In the appx folder, change the name of the file called CustomDataExample.xml to Custom.data.

  3. Open the Custom.data file and modify the following parameters as necessary.

    Parameter            Description
    MIMCM URL            The FQDN of the portal you used to configure CM. For example, https://mimcmServerAddress/certificatemanagement
    ADFS URL             If you will be using AD FS, insert your AD FS URL. For example, https://adfsServerSame/adfs
    PrivacyUrl           You can include a URL to a web page explaining what you do with the user details collected for certificate enrollment.
    SupportMail          You can include an email address for support issues.
    LobComplianceEnable  You can set this to true or false. By default it's set to true.
    MinimumPinLength     By default it's set to 6.
    NonAdmin             You can set this to true or false. By default it's set to false. Only modify this if you want users who are not admins on their computers to be able to enroll and renew certificates.

  4. Save the file and exit the editor.

  5. Signing the package creates a signing file, so you have to delete the original signing file named AppxSignature.p7x.

  6. The AppxManifest.xml file specifies the subject name of the signing certificate. Open this file to edit it.

  7. You need to obtain a signing certificate before starting this section. See below, Enabling smartcard renewal for non-admins in MIM 2016 Certificate Manager, step 1.

  8. In the <Identity> element, modify the value of the Publisher attribute to be identical to the subject listed in your signing certificate, for example “CN=SUBJECT”.

  9. Save the file and exit the editor.

  10. In the command prompt, run the following commands to repack and sign the .appx file.

    cd ..
    makeappx pack /l /d .\appx /p <app package name>.appx

    where app package name is the same name you used when you created the copy.

    signtool sign /f <path\>mysign.pfx /p <pfx password> /fd "sha256" <app package name>.appx

    This produces the new, signed .appx file. The /f argument points to the .pfx file that holds the signing certificate, and /p supplies the password for that .pfx file.

  11. To work with AD FS Authentication:

    • Open the Virtual Smart Card application. This makes it easier for you to find the values needed for the next step.

    • To add the application as a client onto the AD FS server and configure CM on the server, on the AD FS server open Windows PowerShell and run the command ConfigureMimCMClientAndRelyingParty.ps1 –redirectUri <redirectUriString> -serverFQDN <MimCmServerFQDN>

      The following is the ConfigureMimCMClientAndRelyingParty.ps1 script:

      # HELP

      <#
      .SYNOPSIS
          Configure ADFS for CM client app and server.
      .DESCRIPTION
          What the Script does:
              a. Registers the MIM CM client app on the ADFS server.
              b. Registers the MIM CM server relying party (Tells the ADFS server that it issues tokens for the CM server).
          For parameter information, see 'get-help -detailed'
      .PARAMETER redirectUri
          The redirectUri for CM client app. Will be added to ADFS server.
          It can be found as follows:
          1. Open the settings panel. Under settings, there is a "Redirect Uri" text box (an ADFS server address must be configured in order for the text to display).
          2. Open MIM CM client app. Navigate to 'C:\Users\<your_username>\AppData\Local\Packages\CmModernAppv.<version>\LocalState', and open 'Logs_Virtual Smart Card Certificate Manager_<version>'. Search for "Redirect URI".
      .PARAMETER serverFqdn
          Your deployed MIM CM server's FQDN.
      .EXAMPLE
          .\ConfigureMimCMClientAndRelyingParty.ps1 -redirectUri ms-app://s-1-15-2-0123456789-0123456789-0123456789-0123456789-0123456789-0123456789-0123456789/ -serverFqdn WIN-TRUR24L4CFS.corp.cmteam.com
      #>

      # Parameter declaration
      [CmdletBinding()]
      Param(
          [Parameter(Mandatory=$True)]
          [string]$redirectUri,

          [Parameter(Mandatory=$True)]
          [string]$serverFqdn
      )

      Write-Host "Configuring ADFS Objects for OAuth.."

      # Configure SSO to get a persistent sign-on cookie (lifetime in minutes)
      Set-ADFSProperties -SsoLifetime 2880

      # Configure Authentication Policy
      #   Intranet to use Kerberos
      #   Extranet to use U/P

      # Create Client Objects
      Write-Host "Creating Client Objects..."

      # Remove a stale registration of the client app before re-adding it
      $existingClient = Get-ADFSClient -Name "MIM CM Modern App"

      if ($existingClient -ne $null)
      {
          Write-Host "Found existing instance of the MIM CM Modern App, removing"
          Remove-ADFSClient -TargetName "MIM CM Modern App"
          Write-Host "Client object removed"
      }

      Write-Host "Adding Client Object for MIM CM Modern App client"
      Add-ADFSClient -Name "MIM CM Modern App" -ClientId "70A8B8B1-862C-4473-80AB-4E55BAE45B4F" -RedirectUri $redirectUri
      Write-Host "Client Object for MIM CM Modern App client Created"

      # Create Relying Parties
      Write-Host "Creating Relying Party Objects"

      # Remove a stale relying party trust for the CM service before re-adding it
      $existingRp = Get-ADFSRelyingPartyTrust -Name "MIM CM Service"
      if ($existingRp -ne $null)
      {
          Write-Host "Found existing instance of the MIM CM Service RP, removing"
          Remove-ADFSRelyingPartyTrust -TargetName "MIM CM Service"
          Write-Host "RP object Removed"
      }

      # Authorization rule: every authenticated user may obtain a token for the RP
      $authorizationRules =
      "@RuleTemplate = `"AllowAllAuthzRule`"
      => issue(Type = `"http://schemas.microsoft.com/authorization/claims/permit`", Value = `"true`");"

      # Issuance rules: look up UPN and common name in AD, and pass the Windows account name through
      $issuanceRules =
      "@RuleTemplate = `"LdapClaims`"
      @RuleName = `"Emit UPN and common name`"
      c:[Type == `"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`", Issuer == `"AD AUTHORITY`"]
      => issue(store = `"Active Directory`", types =
      (`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`",
      `"http://schemas.xmlsoap.org/claims/CommonName`"), query =
      `";userPrincipalName,cn;{0}`", param = c.Value);

      @RuleTemplate = `"PassThroughClaims`"
      @RuleName = `"Pass through Windows Account Name`"
      c:[Type ==`"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`"] => issue(claim = c);"

      Write-Host "Creating RP Trust for MIM CM Service"
      Add-ADFSRelyingPartyTrust -Name "MIM CM Service" -Identifier ("https://"+$serverFqdn+"/certificatemanagement") -IssuanceAuthorizationRules $authorizationRules -IssuanceTransformRules $issuanceRules
      Write-Host "RP Trust for MIM CM Service has been created"
      
    • Update the values of redirectUri and serverFQDN.

    • To find the redirectUri, in the Virtual Smart Card application, open the application settings panel, click Settings, and the redirect URI should be listed under the AD FS server address bar. The URI will only appear if an AD FS server address is configured.

    • The serverFQDN is the MIM CM server's full computer name only.

    • For help with the ConfigureMimCMClientAndRelyingParty.ps1 script, run get-help -detailed ConfigureMimCMClientAndRelyingParty.ps1
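Steps 1 through 10 of this section, gathered into one script as an added example (this is not code from the Microsoft article). Besides running the makeappx and signtool commands from the steps above, it writes the certificate subject into the Publisher attribute of AppxManifest.xml, because a Publisher that differs from the signing certificate's subject is the usual reason the signing step fails. It assumes makeappx.exe and signtool.exe from the Windows SDK are on PATH; the package name and .pfx path are placeholders, and the Custom.data values are still edited by hand between the unpack and pack steps.

```powershell
# Added example, not from the Microsoft article: steps 1 through 10 of "Prepare the CM app
# for deployment" as one script. makeappx.exe and signtool.exe (Windows SDK) must be on PATH;
# the package name and certificate path are placeholders. Edit Custom.data by hand after
# unpacking and before calling the pack/sign part.
function Build-SignedCmApp {
    param(
        [Parameter(Mandatory)][string]$PackageName,        # e.g. 'MIMCMModernApp_1.0.0.0_AnyCPU' (placeholder)
        [Parameter(Mandatory)][string]$PfxPath,            # signing certificate, e.g. .\mysign.pfx (placeholder)
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [string]$WorkDir = '.\appx'
    )
    $appx = "$PackageName.appx"

    # Step 1: unpack once and keep the original package untouched.
    if (-not (Test-Path "$appx.original")) {
        & makeappx unpack /l /p $appx /d $WorkDir
        if ($LASTEXITCODE -ne 0) { throw 'makeappx unpack failed' }
        Rename-Item -Path $appx -NewName "$appx.original"
    }
    # Step 2: CustomDataExample.xml becomes Custom.data (its values are edited by you).
    $example = Join-Path $WorkDir 'CustomDataExample.xml'
    if (Test-Path $example) { Rename-Item -Path $example -NewName 'Custom.data' }

    # Step 5: the old signature must not be packed into the new file.
    Remove-Item (Join-Path $WorkDir 'AppxSignature.p7x') -ErrorAction SilentlyContinue

    # Steps 6-9: Publisher must be identical to the certificate subject, e.g. "CN=SUBJECT".
    $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $PfxPath).Path, $plain)
    $manifestPath = Join-Path $WorkDir 'AppxManifest.xml'
    [xml]$manifest = Get-Content -Path $manifestPath -Raw
    $manifest.Package.Identity.Publisher = $cert.Subject
    $manifest.Save((Resolve-Path $manifestPath).Path)

    # Step 10: repack and sign with SHA-256.
    & makeappx pack /l /d $WorkDir /p $appx
    if ($LASTEXITCODE -ne 0) { throw 'makeappx pack failed' }
    & signtool sign /f $PfxPath /p $plain /fd sha256 $appx
    if ($LASTEXITCODE -ne 0) { throw 'signtool sign failed (is Publisher identical to the certificate subject?)' }

    # Verify against the default Authenticode policy before handing the package to SCCM or Intune.
    & signtool verify /pa $appx
    [pscustomobject]@{
        Package   = $appx
        Publisher = $manifest.Package.Identity.Publisher
        Signer    = $cert.Subject
        Verified  = ($LASTEXITCODE -eq 0)
    }
}

# Usage: read the .pfx password securely instead of typing it on the command line.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Build-SignedCmApp -PackageName 'MIMCMModernApp_1.0.0.0_AnyCPU' -PfxPath '.\mysign.pfx' -PfxPassword $pw
```

The signtool verify /pa call at the end is what Deploy the app (below) relies on: a package that fails it will be refused by the Windows store app installer on the users' machines, so it is cheaper to catch that here than after a sideload through the Company Portal.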

Deploy the app

When you set up the CM app, in the Download Center, download the file MIMDMModernApp_<version>_AnyCPU_Test.zip and extract all its contents. The .appx file is the installer. You can deploy it in any way you ordinarily deploy Windows store apps, using System Center Configuration Manager, or Intune to sideload the app so that users will have to access it through the Company Portal or will get it pushed directly to their machines.

Working with Identity Manager Hybrid Reporting

Available hybrid reports

The first three Microsoft Identity Manager (MIM) reports available in Azure AD are Password reset activity, Password reset registration and Self-service groups activity.

  • Password reset activity displays each instance in which a user performed a password reset using SSPR, and provides the gates (Methods) used for authentication.

    Azure hybrid reporting - password reset activity image

  • Password reset registration displays each time a user registers for SSPR and the Methods used to authenticate, for example a mobile phone number or questions and answers. Note that for Password reset registration, no differentiation is made between the SMS gate and the MFA gate – both are considered Mobile Phone.

  • Self-service groups activity displays each attempt made by someone to add themselves to or delete themselves from a group and group creation.

NOTE

The reports currently present data for up to one month back.

If you want to uninstall hybrid reports, uninstall the MIMreportingAgent.msi agent.

Prerequisites

  1. Install Microsoft Identity Manager 2016 including the MIM service.

  2. Make sure you have an Azure AD Premium tenant with a licensed administrator in your directory.

  3. Make sure you have outgoing Internet connectivity from the Microsoft Identity Manager server to Azure.

Install Microsoft Identity Manager Reporting in Azure AD

After the reporting agent is installed, the data from Microsoft Identity Manager activity is exported from MIM to the Windows event log. The MIM reporting agent processes the events and uploads them to Azure. In Azure, the events are parsed, decrypted, and filtered for the required reports.

  1. Install Microsoft Identity Manager 2016.

  2. Download the Microsoft Identity Manager reporting agents:

    1. Log into the Azure AD management portal and click on the Active Directory icon.

    2. Double click on the directory for which you are a Global Administrator and you have an Azure AD Premium subscription.

    3. Click Configuration and download the reporting agent.

  3. Install the Microsoft Identity Manager reporting agent:

    1. Create a directory on the computer.

    2. Extract the files MIMHybridReportingAgent.msi and tenant.cert into the directory.

    3. Run the agent installer.

    4. Make sure that the MIM reporting agent service is running.

    5. Restart the MIM Service.

  4. Validate that Microsoft Identity Manager Reporting is working in Azure.

    You can create report data by using the Microsoft Identity Manager Self Service Password Reset Portal to reset a user’s password. Make sure that the password reset completed successfully and then check that the data is displayed in the Azure AD management portal.

View hybrid reports in the Azure classic portal

  1. Log into the Azure classic portal with your global admin account for the tenant.

  2. Click the Active Directory icon.

  3. Select the tenant directory from the list of available directories for your subscription.

  4. Click Reports and then Password Reset Activity.

  5. Make sure you select Identity Manager in the source drop down menu.

WARNING

It can take some time for Microsoft Identity Manager data to appear in Azure AD.

Stop creating hybrid reports

If you want to stop uploading reporting data from Microsoft Identity Manager to Azure Active Directory, uninstall the hybrid reporting agent. Use the Windows Add or Remove Programs tool to uninstall Microsoft Identity Manager Hybrid Reporting.

Windows events used for hybrid reporting

Events generated by Microsoft Identity Manager are logged in the Windows Event Log, and are visible in the Event Viewer under Applications and Services Logs > Identity Manager Request Log. Each MIM request is exported as an event in the Windows Event Log in JSON structure. This can be exported to your SIEM.

Event type   | ID   | Event details
Information  | 4121 | MIM event data that includes all the request data.
Information  | 4137 | MIM event 4121 extension, used when there is too much data for a single event. The header in this event has the form "Request: <GUID> , message <xxx> out of <xxx>".
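As an added example (not from the Microsoft article), the following PowerShell reassembles a 4121 event and its 4137 continuations into one JSON document per request, so the result can be parsed locally or forwarded to a SIEM as a single record. Only the header format in the table above comes from the page; that the 4137 chunks are numbered 1..m and are appended after the 4121 body, and that the 4121 text contains the request GUID, are assumptions of this example. The sample events at the bottom, including the JSON field names, are constructed so the code runs offline.

```powershell
# Added example, not from the Microsoft article: stitch 4121/4137 events from the
# "Identity Manager Request Log" back into one JSON document per request.
# Assumptions (not stated on the page): 4137 chunks are numbered 1..m and follow the 4121
# body, and the 4121 text contains the request GUID named in the 4137 header.
function ConvertFrom-MimRequestEvents {
    param([Parameter(Mandatory)][object[]]$Events)   # objects with Id and Message, as Get-WinEvent returns

    # Header from the table above; whitespace is matched loosely since the exact spacing is not known.
    $header = '^Request:\s*(?<id>[0-9a-fA-F-]{36})\s*,\s*message\s*(?<n>\d+)\s*out of\s*(?<m>\d+)\s*(?<body>[\s\S]*)$'
    $chunks = @{}   # request GUID -> @{ Total = m; Parts = @{ n -> body } }

    # Pass 1: index every 4137 continuation by request GUID and sequence number.
    foreach ($e in $Events | Where-Object Id -eq 4137) {
        if ($e.Message -notmatch $header) { Write-Warning "4137 event without a parsable header"; continue }
        $id = $Matches.id.ToLower()
        if (-not $chunks.ContainsKey($id)) { $chunks[$id] = @{ Total = [int]$Matches.m; Parts = @{} } }
        $chunks[$id].Parts[[int]$Matches.n] = $Matches.body
    }

    # Pass 2: each 4121 is one request; append its continuations in order, then parse the JSON.
    foreach ($e in $Events | Where-Object Id -eq 4121) {
        $json = $e.Message
        $id   = $chunks.Keys | Where-Object { $json -match [regex]::Escape($_) } | Select-Object -First 1
        $complete = $true
        if ($id) {
            $set = $chunks[$id]
            for ($n = 1; $n -le $set.Total; $n++) {
                if (-not $set.Parts.ContainsKey($n)) { $complete = $false; break }   # a chunk is missing
                $json += $set.Parts[$n]
            }
        }
        $parsed = $null
        if ($complete) { try { $parsed = $json | ConvertFrom-Json } catch { $complete = $false } }

        [pscustomobject]@{
            RequestId     = $id
            Complete      = $complete
            Continuations = if ($id) { $chunks[$id].Parts.Count } else { 0 }
            Data          = $parsed
            RawJson       = $json
        }
    }
}

# Constructed sample events for an offline run (JSON field names are made up for this demo).
$guid = '0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0'
$sampleEvents = @(
    [pscustomobject]@{ Id = 4121; Message = '{"RequestType":"PasswordReset","Requestor":"CORP\\jen","Status":"Completed"}' },
    [pscustomobject]@{ Id = 4121; Message = "{`"RequestId`":`"$guid`",`"RequestType`":`"GroupAdd`",`"Target`":" },
    [pscustomobject]@{ Id = 4137; Message = "Request: $guid , message 2 out of 2 `"Status`":`"Completed`"}" },
    [pscustomobject]@{ Id = 4137; Message = "Request: $guid , message 1 out of 2 `"CN=HR Admins,OU=Groups,DC=corp,DC=example`"," }
)
ConvertFrom-MimRequestEvents -Events $sampleEvents | Format-List RequestId, Complete, Continuations, Data
```

On the MIM server, replace $sampleEvents with the live log, for example Get-WinEvent -LogName 'Identity Manager Request Log' -FilterXPath "*[System[(EventID=4121 or EventID=4137)]]". Records with Complete set to false are the ones a SIEM forwarder that treats each event on its own would have shipped as broken JSON.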

Source: https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/working-with-identity-manager-hybrid-reporting

Deploy the MIM Password Change Notification Service on a domain controller

Install the Password Change Notification Service

The Password Change Notification Service (PCNS) is a service that you install on domain controllers; it enables MIM to synchronize passwords to other systems, such as another vendor's directory server. For password synchronization, install PCNS on each domain controller.

  1. Log in as a domain administrator to a server running Windows Server with the Active Directory Domain Services role.

  2. Copy the Password Change Notification Service setup folder to the computer.

  3. Locate the Password Change Notification Service.msi file, right click on it, and create a shortcut.

  4. Locate the shortcut file, right click, and bring up its Properties.

  5. In the Target field add the preamble msiexec.exe /i before the path to the msi file, and the suffix SCHEMAONLY=TRUE after the msi path. For example, if the setup folder is C:\PCNS the command to run would look like this: (all in one line).

    msiexec.exe /i "C:\PCNS\x64\Password Change Notification Service.msi" SCHEMAONLY=TRUE
    
  6. Save changes to the shortcut file.

  7. Run the shortcut file to start the PCNS installation in schema extension mode. When the following screen appears, click Next.

  8. You will be notified that Setup will now update the Active Directory schema for the Password Change Notification Service. Click OK to proceed with the schema update.

  9. When the schema extension process completes and the following screen appears, click Finish.

  10. Run the Password Change Notification Service.msi file again – this time directly (no run string is needed). When the following screen appears, click Next.

  11. Accept the license agreement and click Next.

  12. Click to begin the installation.

  13. When the "installation completed successfully" screen appears, click Finish.

  14. Restart your computer for the configuration changes made to MIM Password Change Notification Service to take effect. You can do it by clicking Yes in the pop-up window that appears, or you can restart later.
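Because the procedure has to be repeated on every domain controller, a DC that was added later or where the installer was skipped simply stops forwarding its password changes. As an added example (not from the Microsoft article), the following PowerShell enumerates the domain's DCs and reports whether the PCNS service is present and running on each; the service name PCNSSVC is an assumption, so confirm it in services.msc on one DC you installed by hand.

```powershell
# Added example, not from the Microsoft article: report the PCNS service state on every
# domain controller. Requires the ActiveDirectory module (RSAT) and Windows PowerShell 5.1,
# whose Get-Service still accepts -ComputerName. The service name 'PCNSSVC' is an assumption.
Import-Module ActiveDirectory

function Get-PcnsStatus {
    param([string]$ServiceName = 'PCNSSVC')
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Missing service (not installed) and unreachable host both come back as $null here.
        $svc = Get-Service -ComputerName $dc.HostName -Name $ServiceName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            Installed        = [bool]$svc
            Status           = if ($svc) { $svc.Status } else { 'NotInstalled/Unreachable' }
            StartType        = if ($svc) { $svc.StartType } else { $null }
        }
    }
}

Get-PcnsStatus | Format-Table -AutoSize
```

Any row whose Status is not Running is a DC where password changes are currently not being synchronized; run the installation above there, or investigate why the service stopped.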

Configuring the Password Change Notification Service

Once reconnected to the DC server as a domain administrator, go to C:\Program Files\Microsoft Password Change Notification. Run pcnscfg.exe.

Source: https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/deploying-mim-password-change-notification-service-on-domain-controller