With all the excitement this week of the announcement of the Azure AD and SailPoint collaboration, it got me thinking about how the Microsoft IAM landscape is continuing to evolve both on premises and in the Microsoft cloud. The message has always been very clear – use MIM for traditional identity life-cycle provisioning (joiners) and sync (movers/leavers) to AD, and use AAD Connect as the identity bridge between AD and your AAD tenant. Nothing has really changed in this specific regard – rather we now have some significant post-account provisioning technology to leverage for access management, which to be fair has been rather lacking for some time.
For me this is a god-send for those who might still be looking for business justification to invest in an IdM solution based on MIM 2016, typically driving identity life-cycle from a suitable authoritative source such as a modern HR system (one that is always up to date and a great source of change events). Why? Because unless you’re reeling in the wake of a security breach and have no choice but to attain compliance over your identity store, the benefits in terms of $$$ savings through improvements in identity provisioning efficiency often don’t seem to resonate loud enough with those holding the corporate purse strings. However, when you combine this with features such as Azure Advanced Threat Analytics, automated AAD provisioning to cloud apps such as Salesforce, and now advanced identity governance across your on-premises and cloud resources with SailPoint, the value-add of a sound MIM 2016 platform starts to shine through.
So with this in mind, I expect more people without any MIM or FIM experience will be turning their attention to what they can do right now to leverage the rapidly growing list of benefits, and for my money this has always been a simple HR-driven Synchronization solution for joiners, movers and leavers. Get this right and everything else flows on from this.
So I guess most people would start with the following MS links:
… but where would they go from here?
Given that’s not so clear, I thought I would share my own quick Starter Pack for people new to this piece of Microsoft kit which has been part of the fold since basically the beginning of the millennium. Hope you find this one as useful as others have done. Although references are mostly to FIM 2010, they apply equally to MIM 2016 (or ILM and MIIS before that).
Since putting this together I’ve become aware of this WIKI article on the same subject, but I wanted to share my own list nonetheless. Let me know in the comments if you feel I have left out anything significant. At some stage I will probably remove the section below and update the WIKI, but for now, enjoy.
This is a VERY short introductory online video – 3 minutes 44 seconds
“About This Video: The ability to manage distributed identity information from a central point is key component of the Microsoft Forefront Identity Manager (FIM) 2010 architecture. This process is governed by a well-defined and customizable set of synchronization rules. This video introduces you to the central concepts of inbound and outbound synchronization in FIM.”
For more information see
Note: the second 2 topics are linked from the first.
This is a short technical article on a fundamental concept our solution uses continually every 2 hourly sync cycle.
“Run profiles specify the parameters with which a management agent is run in Microsoft® Forefront® Identity Manager (FIM) 2010 R2. You can create one or multiple run profiles for a management agent. Further, each profile consists of one or more steps. By combining steps in a profile, you can more accurately control how your data is processed.”
This is an archive old FIM 2010 training material, some of which is no longer available. At one stage there was a Microsoft TechNet online resource comprising 3 modules that are essential understanding any synchronization solution. While it has been mostly superseded, I still find this material very useful.
Note: – the first module is only 1 hour and should be watched only after watching the above video and reading the above 3 articles.
“This course introduces and explains the features and capabilities of Microsoft Forefront Identity Manager 2010 (FIM), and provides an overview of the solution scenarios that FIM addresses. The course format includes presentation, discussion, demonstration, and many hands-on exercises. It is intended for students who have no previous Forefront Identity Manager 2010 or Microsoft Identity Lifecycle Manager 2007 (ILM) experience.
After completing this course, students will be able to:
· Understand FIM concepts and components.
· Identify appropriate FIM scenarios.
· Manage users, groups, and passwords using FIM.
· Synchronize identity data across systems, such as Active Directory and HR.
· Understand the issues involved in loading data (initial load, backup, and disaster recovery).
· Configure security for different levels of user.
· Manage password self-service reset and synchronization.
· Automate run cycles.
· Handle sets, simple workflows, and management policy rules (MPRs).”
Although the virtual labs are not available for modules #1 or #2, the article (PDF) and video (WMV) can still be downloaded and should be watched/followed to achieve the level of understanding you will need.
This guide contains instructions for setting up the Forefront Identity Manager 2010 Synchronization Service in a test lab based one new server computer, two preexisting server computers, and one preexisting client computer. The resulting Forefront Identity Manager 2010 Synchronization Service test lab demonstrates and verifies installation. This test lab guide is a smaller modified version of the Forefront Identity Manager 2010 test lab guide. This test lab guide is being provided for situations where a full installation of Forefront Identity Manager 2010 is not required. This test lab guide does not cover installing the Forefront Identity Manager 2010 portal or any of the features that require a full installation of Forefront Identity Manager 2010. This guide should only be used when only the Forefront Identity Manager 2010 Synchronization Service is required.