What’s new in 2020 with Identity Management at Microsoft?

I don’t know who it was who first said “Identity is the new security plane”, but I expect it was someone with a Microsoft persuasion, and maybe they saw this all coming … who knows?  All I can say is this: what a dynamic time it is to find myself Microsoft Enterprise Identity Practice Lead at UNIFY!

This is particularly so with the rapid evolution of three key Azure AD concepts:

Some fine work last weekend by Microsoft’s Alexander Filpin completed the 6th of his series of excellent blog posts on the above topics, so if you’re new to any of these concepts, or haven’t seen any of the latest offerings to become generally available very late last year, please take the time to read all 6 in sequence – then please come back when you’re done so I can knock your socks off even more!  While you’re catching up, here’s some excellent wait music for you … I’ll be here when you get back to bring us back to Earth with some innovative ideas for you.

So what about MIM?

If your thoughts were anything like mine, you’ll probably be more than curious by now, and perhaps even thinking of trying some of the concepts out for yourself, and keen to create your first “access package” so you can see what https://myaccess.microsoft.com/ looks like not only for users in your own organisation, but for B2B partners looking to access your corporate resources as well!

But what about all those 4 MIM references in that 6th post – what did you think when you saw that?  I can guess – you’ve found the catch, right?  If I want pull-through to my on-premises AD-secured network I need to use MIM?  Well of course you can use MIM – and for 15 years that’s been the focus of my own career at UNIFY (particularly my time in the MVP ranks), so naturally that’s always been my go-to Identity and Access Management (IAM) technology base.  However, for many there is no appetite to go on that journey any more – as great as that platform still is, it’s a pity it goes into Extended Support in 2021.

While MIM-like functionality has been progressively evolving in recent years, and very rapidly so in the last few months I might add, equally MIM has been “getting back to the basics” of what it has always done best:

  • Some MIM components such as BHOLD have been deprecated in favour of evolving AAD IGA alternatives;
  • Other MIM components such as MIM Reporting with SCSM have simply never been widely used, with superior on prem and cloud hosted options now available;
  • MIM Sync is now the “support act” to a more holistic Azure-hosted IAM and IGA approach for Enterprise Identity that also incorporates B2B; and
  • With B2C completing the picture for Consumer Identity, AAD is quickly becoming the complete Identity platform.

But yes there are glitches in the AAD “matrix”, or gaps rather, and you might be thinking there’s only MIM left to fill them.

So – those who know me may be surprised I am now saying no, you don’t have to use MIM!  If you’d rather something perhaps cloud-hosted (not that it has to be) that not only handles Alexander’s last post topic (reach back to on prem), but also

  • On premises B2B identity provisioning;
  • App provisioning for apps which don’t have a SCIM API; and
  • HR Provisioning for HR systems other than Workday or SAP Success Factors.

What exactly are these ‘gaps’ again?

There are still some clear gaps feature-wise, and some of these will persist for some time to come:

  • HR provisioning only supports Workday, with SAP SF and Oracle HCM presently in Preview, and obviously more to come
  • App provisioning only supports ServiceNow, Salesforce, Box and one other, but this is extensible for applications that support SCIM
  • IGA for entitlements management with access reviews, with policy to govern both employees and externals (B2B), but no support for advanced features such as SoD, and no native support for on-prem (AD)

So what do I do about them today?

UNIFYBroker technology from UNIFY Solutions is allowing customers to embrace the new AAD feature set NOW, without waiting for the full native feature set to arrive:

  • Where their HR platform is not one of the 3 supported AAD HR-provisioning platforms, UNIFYAssure (hosted) and UNIFYBroker (on prem) provide a complementary capability, with or without the need for MIM;
  • Where a downstream application or service has no built-in SCIM API, but provides some degree of interoperability, UNIFYConnect (hosted) or UNIFYBroker (on prem) can proxy this API to enable this feature on behalf of the app;
  • Where AAD Access Packages provide IGA features for AAD Groups and B2B users, neither of which are not synchronised to AD on prem, UNIFYConnect (hosted) or UNIFYBroker (on prem) can provide this capability, with or without the need for MIM.  When used with the AAD Application Proxy capability, authorised B2B users who are synchronised to on-prem (the MIM B2B lifecycle management scenario but without the need for MIM) can authenticate to on-prem-hosted IIS applications using their company AAD credentials; and finally
  • There’s also the question of how to assign birthright permissions … for now see this approach which can easily be integrated into the IAM lifecycle rules (thanks Marius Solbakken).

A footnote about ESB

The role of an Enterprise Service Bus (ESB) continues to grow in popularity in securing the use of external APIs, and for good reason.  However, this can present some challenges in the Identity space.

Organisations are looking to provide a single control plane for providing application integration where 3rd party APIs are involved, including a consistent and complete approach to auditing.  This trend is gaining momentum with the ever-increasing threat of cyber-attacks going undetected due to API access occurring via compromised service account credentials.

However some organisations are stumbling over Identity, which presents unique problems and use cases when compared to other datasets, especially where identity synchronisation is required.

Whether using MIM or another IAM platform such as AAD for HR and/or App Provisioning, by implementing IAM lifecycle integration (joiners/movers/leavers) with UNIFYConnect (hosted) or UNIFYBroker(on prem), ESB integration for updates can be complemented with native integration for non-transactional read operations which are critical for synchronisation state enforcement in these IAM platforms.

It’s definitely a rapidly evolving Identity landscape right now, and I expect I will be sharing more about the above when I next come up for air.  In the meantime please stay safe, and thanks for your interest.

 

 

Posted in Access Governance, Azure Active Directory, Azure AD Connect Sync, MIM (Microsoft Identity Manager) 2016 | Tagged , , | Leave a comment

Problems registering SQL2016 PSSnapin for #MIM2016 PS workflow activity

I’ve been using SQLPS as part of a script developed by my colleague Carol which needs to be invoked both interactively and also from a MIM workflow activity.  I ran into problems this week trying to use the SQL2016 feature pack.

I simply figured I should be using the latest platform for my Win2016 MIM platform so didn’t hesitate to install it in preference to the last one I used.  The script worked fine with the Import-Module approach when run interactively, but drops into the add-pssnapin sqlserverprovidersnapin120 alternative when this fails when invoked by the MIM service (due to a known .Net version compatibility issue –  and by the way, 130 corresponds to SQL2016):

try {Import-Module "sqlps" -DisableNameChecking}
catch
{
    if(@(get-pssnapin | where-object {$_.Name -eq “sqlserverprovidersnapin130”} ).count -eq 0) {add-pssnapin sqlserverprovidersnapin130}
    if(@(get-pssnapin | where-object {$_.Name -eq “sqlservercmdletsnapin130”} ).count -eq 0) {add-pssnapin sqlservercmdletsnapin130}
}

The second add-pssnapin call above was failing with a “this assembly is built by a runtime newer than the currently loaded runtime” exception … and so I rolled back to SQL2014 (120) and it worked like a charm:

try {Import-Module "sqlps" -DisableNameChecking}
catch
{
if(@(get-pssnapin | where-object {$_.Name -eq “sqlserverprovidersnapin120”} ).count -eq 0) {add-pssnapin sqlserverprovidersnapin120}
if(@(get-pssnapin | where-object {$_.Name -eq “sqlservercmdletsnapin120”} ).count -eq 0) {add-pssnapin sqlservercmdletsnapin120}
}

So obviously something is changing in this space for this not to work … but until I have an alternative that works for SQL2016 you may want to roll back to SQL2014 like me.

For future reference, the following registration steps were necessary after the SQL2014 feature pack install.

  • download and install (as admin) each of the following from the download collection:
    • SQLSysClrTypes.msi
    • SharedManagementObjects.msi
    • PowerShellTools.msi
  • run the following to register the DLLs (I ran this as a script saved locally to the SQLPS program files folder):
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")           
$publish = New-Object System.EnterpriseServices.Internal.Publish           
$publish.GacInstall(“Microsoft.SqlServer.Management.PSProvider.dll”) | Out-String
$publish.GacInstall(“Microsoft.SqlServer.Management.PSSnapins.dll”) | Out-String

Set-Alias installutil C:\windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
installutil -i "C:\Program Files\Microsoft SQL Server\120\Tools\PowerShell\Modules\SQLPS\Microsoft.SqlServer.Management.PSProvider.dll"
installutil -i "C:\Program Files\Microsoft SQL Server\120\Tools\PowerShell\Modules\SQLPS\Microsoft.SqlServer.Management.PSSnapins.dll"
Get-PSSnapin -Registered
Posted in MIM (Microsoft Identity Manager) 2016 | Leave a comment

Simple business case for #MIM2016 SSPR

It occurs to me that perhaps we don’t always do due diligence when it comes to establishing a credible business case for IAM intiatives, and this only comes back to bite us later.  One of the easiest metrics is the number of AD Admin password resets to justify a MIM 2016 SSPR (self service password rese) investment, and if we take the recommendation of this blog post, then this is as simple as applying a Windows Event Log filter on each of your AD DCs.

I’ve set this up on one of my DCs and exported it here for you to try yourself – just save to an XML file and import it from an MMC snapin (Event Viewer console):

<ViewerConfig>
 <QueryConfig>
 <QueryParams>
 <Simple>
 <Channel>Application,Security</Channel>
 <EventId>4724,627,628,4723</EventId>
 <RelativeTimeInfo>0</RelativeTimeInfo>
 <BySource>False</BySource>
 </Simple>
 </QueryParams>
 <QueryNode>
 <Name>Admin Password Resets</Name>
 <Description>Events 4724 and 627, 628, 4723</Description>
 <QueryList>
 <Query Id="0" Path="Application">
 <Select Path="Application">*[System[(EventID=4724 or EventID=627 or EventID=628 or EventID=4723)]]</Select>
 <Select Path="Security">*[System[(EventID=4724 or EventID=627 or EventID=628 or EventID=4723)]]</Select>
 </Query>
 </QueryList>
 </QueryNode>
 </QueryConfig>
 <ResultsConfig>
 <Columns>
 <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">100</Column>
 <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
 <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">150</Column>
 <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">60</Column>
 <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">60</Column>
 <Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">60</Column>
 <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
 <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
 <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
 <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
 <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
 <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
 <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
 <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
 <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
 <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
 <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
 <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
 <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
 <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
 </Columns>
 </ResultsConfig>
</ViewerConfig>

Of course if you have plenty of DCs you won’t want to be doing this on a constant basis – so you will want to run this on a schedule say via PowerShell and collate the data in some way – perhaps PowerBI?

Anyhow, if you take the time to look at the facts that come out of a simple query like the above, then you can provide some factual evidence to substantiate your MIM SSPR investment.

Posted in Active Directory, MIM (Microsoft Identity Manager) 2016, SSPR | Tagged , , | Leave a comment

Simple #MIM2016 Reporting in PowerShell

As a veteran MIM implementer now, I can’t help being constantly impressed with how much Ryan Newington‘s work on his Lithnet Github site has changed the landscape for those of us continually faced with the task of extracting data from the various product databases.  The landing page doesn’t show all of the repositories either …

I simply want to give those of you who may not have used these yourself a simple example of how to do something you’ve always done in the past another way – e.g. CTRL+C from the Sync console’s Metaverse search results, or (heaven forbid) a query on one of the SQL databases.

Oh – and if you’re still on FIM2010 R1, then here’s another great reason to upgrade to MIM 2016!

Sample MV query to CSV

In the following example which uses the Lithnet PowerShell Module for FIM/MIM Synchronization Service, I am trying to mimic 2 variants on a Metaverse search in PowerShell for exceptions in across all active staff identities – in my case where the desired UPN suffix (Exchange multi mail/upn suffix scenario) did not match that present in AD, either because

  • there was no authoritative value at all (excluding a set of known exceptions), or
  • there was a value but it was incorrect.

The report is designed to be run BEFORE turning on a persistent EAF on UPN to allow MIM to master this property (up until then it was initial flow only).

The key observation to make should be how closely the script mirrors the process of setting up a corresponding MV query in the console.  I am using 2 separate reports only because this is exactly the way it has to be done in the console – obviously you could combine these if you wanted.

Import-Module LithnetMiisAutomation

$filePath = "D:\Logs\MismatchingUpnSuffixes.csv"
$missingOnly = $false

$mvQueries = @(
 New-MVQuery -Attribute PersonType -Operator Equals -Value "Staff"
 New-MVQuery -Attribute employeeStatus -Operator Equals -Value "active"
)
if ($missingOnly) {
 $filePath = "D:\Logs\MissingUpnSuffixes.csv"
 $mvQueries += New-MVQuery -Attribute UpnSuffix -Operator IsNotPresent
 $mvQueries += New-MVQuery -Attribute LegacyEmployeeID -Operator NotContains "B"
} else {
 $mvQueries += New-MVQuery -Attribute UpnSuffix -Operator IsPresent
}

$mvQueryResult = Get-MVObject -ObjectType Person -Queries $mvQueries
if ($missingOnly) {
 $exceptions = $mvQueryResult
} else {
 $exceptions = $mvQueryResult | Where-Object {$_.Attributes.uid.Values.ValueString -notlike "*$($_.Attributes.csoUpnSuffix.Values.ValueString)"}
}
$users = @{}
foreach ($exception in $exceptions) {
 $obj = [PSCustomObject]@{
 accountName = $exception.Attributes.accountName.Values.ValueString
 displayName = $exception.Attributes.displayName.Values.ValueString
 uid = $exception.Attributes.uid.Values.ValueString
 UpnSuffix = $exception.Attributes.UpnSuffix.Values.ValueString
 employeeID = $exception.Attributes.employeeID.Values.ValueString
 LegacyEmployeeID = $exception.Attributes.LegacyEmployeeID.Values.ValueString
 }
 $users.Add($exception.ID,$obj)
}

if (Test-Path -path $filePath) 
{ 
 Remove-Item -Force $filePath | Out-Null
}

foreach ($userKey in $users.Keys) {
 $users.$userKey | Select-Object * | Export-Csv $filePath –NoTypeInformation -Append
}

Sample MIM Service query to update a static set

The second query is against the MIM Service using the Lithnet FIM/MIM Service PowerShell Module, but instead of outputting a CSV, I am updating the membership of a static set to trigger an MPR to reprocess some entitlements (custom MIM resource linking a person to a role for a date range).  This was to allow me to fix some data retrospectively after having changed the policy – in this case updating the entitlement description with the new display name of a user after a name change.

A key observation here is that only the attributes I need are being returned from tens of thousands of query results – optimising all sorts of things including memory consumption and processing time (doing the same thing using the traditional “add-pssnapin FIMAutomation” approach had to be canned after taking many hours to almost exhaust system resources).

# Import the module
cls
Import-Module LithnetRMA;
Get-Date

# Connect to the FIM service instance
Set-ResourceManagementClient -BaseAddress http://localhost:5725;

# Retrieve the set we need to update
$set = Search-Resources -XPath "/Set[DisplayName = 'All entitlements to fix']" -ExpectedObjectType Set #-AttributesToGet @("ComputedMember", "ExplicitMember")

# Initialise our set Explicit Membership (without committing it)
$set.ExplicitMember.Clear()

# Get current entitlements (only DisplayName, Description and UserID)
[string]$from_date = get-date -Format "yyyy-MM-ddTHH:mm:ss"
$entitlements = Search-Resources -XPath "/Entitlement[(UserID=/Person)]" -AttributesToGet @("DisplayName","Description","UserID")
Write-Host "Total matched entitlements: [$($entitlements.Count)]"

# Initialise our hashtable of Users to be queried
$users = @{}
foreach($entitlement in $entitlements) {
 # Add user to users hashtable if we don't already have it
 $key = $entitlement.UserID.Value
 if (!$users.ContainsKey($key)) {
 $user = Get-Resource -ObjectType Person -AttributeName "ObjectID" -AttributeValue $key -AttributesToGet @("DisplayName","AccountName")
 if ($user.DisplayName -and $user.AccountName) {
 $users.Add($key,@{})
 $users."$key".Add("DisplayName",$user.DisplayName)
 $users."$key".Add("AccountName",$user.AccountName)
 } else {
 Write-Host "Error: User cannot be determined for entitlement [$($entitlement.DisplayName)] description [$($entitlement.Description)]!"
 }
 }
 $thisUser = $users."$key"
 if ($entitlement.Description -notlike "*$($thisUser.DisplayName)*") {
 Write-Host "Entitlement [$($entitlement.DisplayName)] description [$($entitlement.Description)] does not contain user displayname [$($thisUser.DisplayName)]"
 $set.ExplicitMember.Add($entitlement.ObjectID) | Out-Null
 }
}
Write-Host "Total user entitlements to fix: [$($set.ExplicitMember.Count)]"

# Update the set
Save-Resource $set
Get-Date

So kudos, Ryan!  Just 2 examples of things that can either be done better, quicker, and actually work where they couldn’t easily before (not without going to the SQL layer as a last resort)!

Posted in FIM (ForeFront Identity Manager) 2010, MIM (Microsoft Identity Manager) 2016, Uncategorized | Tagged , , | Leave a comment

Upgrading #FIM2010 (not R2) to #MIM2016

Some time ago former FIM MVP Thomas Vuylsteke blogged this really helpful post on the above subject.  I figure my customer isn’t the only one stuck in a pre-R2 limbo as we barrel towards the October 2017 FIM 2010 EOL deadline.

Seven months earlier I alerted colleagues to a number of pitfalls that I had encountered in the upgrade process, and with the forthcoming EOL for all things FIM 2010 I thought now is as good a time as any to remind everyone about these.

  1. Considerations for Upgrading to FIM 2010 R2
  2. FIM 2010 R2 Search Changes – change in the support for the “contains” operator – see also Carol’s post on the same topic;
  3. FIM 2010 R2 Schema and Object Visualization Configuration Changes – New schema elements in FIM 2010 R2;
  4. Composite query filter returns no results for explicit guid – 2 queries same result prior to R2, then different results ; and
  5. One cannot do an in-place upgrade if the FIM Service was originally installed from MSDN media. (Listed as a known issue on the upgrade instructions, but as a footnote so easy to miss.)

Also, even if your site is already on FIM R2, remember that when considering an in-situ upgrade that you may not be doing anyone any favours by remaining on an old platform (e.g. Win 2008), in which case the process outlined by Thomas above is definitely the way to go.  With MIM 2016 supporting so many platform versions, it may be tempting to linger just a bit too long where you don’t really want to be.

If anyone else has something to throw into the mix feel free to comment on this post for the benefit of everyone else.

Happy upgrades!

Posted in FIM (ForeFront Identity Manager) 2010, Uncategorized | Tagged , | Leave a comment

Active Directory is NOT an IdM Technology (without #MIM2016 or similar)

It continues to frustrate me that publications such as this recent white paper from the Microsoft EMS (Enterprise Mobility and Security) team still underplay the need for organisations to get their on-premises identity management under control before turning on AAD Connect.  Statements like the following:

  • “… our organizations have long used on-premises identity management technologies such as Microsoft Active Directory”
  • ” Your users’ identities can still come from your own directory service—you’re still in control …”

seem to imply that of course you control your own AD today.  Last I heard AD was an identity technology, but an identity management technology???  Can anyone really be in control of their on-premises directory service without some form of identity life-cycle management in place beyond the ADUC console itself?

Fellow Adelaide MVP Adam Fowler pointed me at a product called Softerra Adaxes, and explained how he is using this to centralise his business rules for managing identity lifecycles – but directly to AD via a nifty browser-hosted web application.  This adds the missing “smarts” (as he likes to call them) that are missing natively from the AD platform.  On a small scale, with only a few hundred employees, Adam is able to ensure that only people in his organisation with current access entitlements are able to authenticate to his systems, and securely access resources on his company’s network.  I would still like to see him wire up his company’s HR system as a source of truth (SoT) for not only employee identity data, but also joiner/mover/leaver events.  That said, the checks and balances he puts in place enforce ongoing compliance, if not quite the continuous compliance I can achieve with say a MIM2016 implementation.  If only every SMB had someone like Adam taking care of things – but what of the rest?

In my role as IAM solution architect and implementer over the last decade, working predominantly with Microsoft Identity Manager (and its various predecessors), I have come to appreciate that what we now refer to as “on-premises” IAM solutions are starting to lose their appeal.  Yet don’t be fooled!  Just because you might choose to run your IAM platform either wholly or in part from a cloud platform such as OKTA or SailPoint, the Microsoft “Hybrid Identity” model (supported by AAD Connect) is still very much dependent on the integrity being enforced first and foremost in your on-premises directory, which for the most part continues to be Microsoft AD.

You may have heard about HR-driven identity management in Azure with WorkDay, whereby AAD accounts are provisioned directly from a WorkDay feed.  But what you might not know is that this does not work in a hybrid scenario – whereby a “thin agent” is required to provision to the on-premises AD first, from where AAD Connect kicks in and provisions to AAD.  This remains the ONLY supported hybrid model today for not only WorkDay but every HR-driven scenario … you have to manage the on-premises directory first.

For all those organisations who have invested in an on-premises IDM solution, announcements like the Azure AD and SailPoint collaboration this week should only reinforce how fortuitous it is that you are now in a position to reap the rewards of doing so. Some might try to tell you that you are now being left behind on a legacy platform, but why “throw out the baby with the bathwater”?  With Microsoft’s investment in what happens downstream of your AD (either directly or via AAD Connect when via the cloud), you can continue leverage your existing investment that puts you “in control of your own directory services”.  The only thing you now should consider is whether or not to extend that platform in a downstream sense to do something that now makes more sense in the cloud.

For those organisations which have NOT yet made such an investment, you are now in a better position than ever to make up on lost ground:

  • Microsoft now grants free use of the MIM2016 synchronisation service with a Windows Server platform license, reducing the capital outlay on a traditional on-premises solution for the larger more complex enterprises who want to leverage what remains Microsoft’s endorsed on-premises IAM platform;
  • UNIFY provides an SaaS option for the SMBs who want to harness the power of an enterprise grade solution for a fraction of the cost, or instead you may want to consider the Adaxes style approach; and
  • OKTA, SailPoint and others provide complete IAM lifecycle solutions hosted in the cloud.
Posted in Active Directory, Azure Active Directory, MIM (Microsoft Identity Manager) 2016 | 2 Comments

Your #MIM2016 or #FIM2010 Starter Pack

With all the excitement this week of the announcement of the Azure AD and SailPoint collaboration, it got me thinking about how the Microsoft IAM landscape is continuing to evolve both on premises and in the Microsoft cloud.  The message has always been very clear – use MIM for traditional identity life-cycle provisioning (joiners) and sync (movers/leavers) to AD, and use AAD Connect as the identity bridge between AD and your AAD tenant.  Nothing has really changed in this specific regard – rather we now have some significant post-account provisioning technology to leverage for access management, which to be fair has been rather lacking for some time.

For me this is a god-send for those who might still be looking for business justification to invest in an IdM solution based on MIM 2016, typically driving identity life-cycle from a suitable authoritative source such as a modern HR system (one that is always up to date and a great source of change events).  Why?  Because unless you’re reeling in the wake of a security breach and have no choice but to attain compliance over your identity store, the benefits in terms of $$$ savings through improvements in identity provisioning efficiency often don’t seem to resonate loud enough with those holding the corporate purse strings.  However, when you combine this with features such as Azure Advanced Threat Analytics, automated AAD provisioning to cloud apps such as Salesforce, and now advanced identity governance across your on-premises and cloud resources with SailPoint, the value-add of a sound MIM 2016 platform starts to shine through.

So with this in mind, I expect more people without any MIM or FIM experience will be turning their attention to what they can do right now to leverage the rapidly growing list of benefits, and for my money this has always been a simple HR-driven Synchronization solution for joiners, movers and leavers.  Get this right and everything else flows on from this.

So I guess most people would start with the following MS links:

… but where would they go from here?

Given that’s not so clear, I thought I would share my own quick Starter Pack for people new to this piece of Microsoft kit which has been part of the fold since basically the beginning of the millennium.  Hope you find this one as useful as others have done.  Although references are mostly to FIM 2010, they apply equally to MIM 2016 (or ILM and MIIS before that).

Since putting this together I’ve become aware of this WIKI article on the same subject, but I wanted to share my own list nonetheless.  Let me know in the comments if you feel I have left out anything significant.  At some stage I will probably remove the section below and update the WIKI, but for now, enjoy.


 

 

Synchronization in Forefront Identity Manager 2010

fimsync

This is a VERY short introductory online video – 3 minutes 44 seconds

“About This Video: The ability to manage distributed identity information from a central point is key component of the Microsoft Forefront Identity Manager (FIM) 2010 architecture. This process is governed by a well-defined and customizable set of synchronization rules. This video introduces you to the central concepts of inbound and outbound synchronization in FIM.”

For more information see

Note: the second 2 topics are linked from the first.

 

Run Profiles in FIM 2010 R2

This is a short technical article on a fundamental concept our solution uses continually every 2 hourly sync cycle.

 

“Run profiles specify the parameters with which a management agent is run in Microsoft® Forefront® Identity Manager (FIM) 2010 R2. You can create one or multiple run profiles for a management agent. Further, each profile consists of one or more steps. By combining steps in a profile, you can more accurately control how your data is processed.”

 

 

FIM “Ramp Up” training – Implementing Forefront Identity Manager 2010

This is an archive old FIM 2010 training material, some of which is no longer available.  At one stage there was a Microsoft TechNet online resource comprising 3 modules that are essential understanding any synchronization solution.  While it has been mostly superseded, I still find this material very useful.
Note: – the first module is only 1 hour and should be watched only after watching the above video and reading the above 3 articles.

“This course introduces and explains the features and capabilities of Microsoft Forefront Identity Manager 2010 (FIM), and provides an overview of the solution scenarios that FIM addresses. The course format includes presentation, discussion, demonstration, and many hands-on exercises. It is intended for students who have no previous Forefront Identity Manager 2010 or Microsoft Identity Lifecycle Manager 2007 (ILM) experience.

After completing this course, students will be able to:
· Understand FIM concepts and components.
· Identify appropriate FIM scenarios.
· Manage users, groups, and passwords using FIM.
· Synchronize identity data across systems, such as Active Directory and HR.
· Understand the issues involved in loading data (initial load, backup, and disaster recovery).
· Configure security for different levels of user.
· Manage password self-service reset and synchronization.
· Automate run cycles.
· Handle sets, simple workflows, and management policy rules (MPRs).”

Although the virtual labs are not available for modules #1 or #2, the article (PDF) and video (WMV) can still be downloaded and should be watched/followed to achieve the level of understanding you will need.

 

Test Lab Guide: Installing Forefront Identity Manager 2010 Synchronization Service

This guide contains instructions for setting up the Forefront Identity Manager 2010 Synchronization Service in a test lab based one new server computer, two preexisting server computers, and one preexisting client computer. The resulting Forefront Identity Manager 2010 Synchronization Service test lab demonstrates and verifies installation. This test lab guide is a smaller modified version of the Forefront Identity Manager 2010 test lab guide. This test lab guide is being provided for situations where a full installation of Forefront Identity Manager 2010 is not required. This test lab guide does not cover installing the Forefront Identity Manager 2010 portal or any of the features that require a full installation of Forefront Identity Manager 2010. This guide should only be used when only the Forefront Identity Manager 2010 Synchronization Service is required.

Other Reading

 

Posted in FIM (ForeFront Identity Manager) 2010, ILM (Identity Lifecycle Manager) 2007, MIM (Microsoft Identity Manager) 2016, Uncategorized | Leave a comment