What is the difference between MIM and Microsoft Entra Connect?
Microsoft Entra Connect is based on Microsoft Identity Manager (MIM) and they share a great deal of code, UI, and behavior. So how are they different?
The primary component (and what people often mean when they say “Microsoft Entra Connect (formerly Azure AD Connect)”) is Microsoft Entra Connect Sync. The primary component of MIM is the synchronization service.
These two – though they differ somewhat in architecture – are functionally very similar, and most of what can be done in MIM can be done in Microsoft Entra Connect.
The primary purpose of Microsoft Entra Connect Sync is to enable a hybrid identity scenario – where identities are represented both on-premises and in the cloud (specifically Entra ID) – and it is optimized for this purpose through the presence of wizard-based configuration. Whereas MIM is a more general purpose, flexible, and extensible identity synchronization solution (which could replicate the scenario enabled by Microsoft Entra Connect Sync, but requiring greater effort).
So, Microsoft Entra Connect is designed as a wizard-driven tool to meet the requirements of specific scenarios. That will take a little more explaining – but before we do that let’s exclude some features entirely from our discussion.
Present in MIM but not Microsoft Entra Connect:
- A portal for managing users and groups, running workflows, and providing self-service features (group management, white pages, password reset, etc)
- MIM certificate management
- The ability to receive passwords from AD and send them to other systems (using PCNS)
Present in Microsoft Entra Connect but not MIM:
- Authentication services either through federation or its pass-through authentication agent
- The ability to receive Microsoft Entra ID password changes and feed them to AD
- The ability to flow AD password hashes to Azure AD
- The Rules Editor application
Comparing the sync services
MIM is designed as a generic tool for synchronizing sources of identity data (users, groups, etc.) It is highly flexible but does almost nothing out of the box. It requires a lot of configuration to make it do anything useful, and generally code as well. It is very powerful – in the right hands!
Microsoft Entra Connect is based on MIM, looks a lot like MIM, behaves under the covers a lot like MIM, but is configured in an entirely different way. Much of it can be configured via a wizard, and most of the rest is configured using a rules editor and rules that are quite different from anything you might see in MIM. No code is required (or even possible). It is powerful and capable right out of the wizard. Beyond that, it would be wrong to suggest that configuration is easy, but does not require programming.
Both are capable of importing/exporting identity data from/to just about any data source – but Microsoft Entra Connect has been designed to connect to all your AD forests, and your (single) Entra ID tenant – and anything else is not supported.
It is thus the case that many organizations have both MIM and Microsoft Entra Connect. A very typical usage is for MIM to import identity data from sources of truth such as HR systems, and export it to AD, while Microsoft Entra Connect synchronizes that data with Microsoft Entra ID. It should be stressed that MIM can handle many more scenarios than this, involving many on-premises systems (and even cloud systems), synchronizing identity data as necessary.
For a longer discussion about the differences between MIM and Microsoft Entra Connect, see this recording of our very popular webinar: MIM and Azure AD Connect: Two Sides of the Same Coin? (note this was recorded before Microsoft rebranded Azure AD Connect to Microsoft Entra Connect).
Want to learn more about the differences between MIM and Microsoft Entra Connect? Our Microsoft Entra Connect Masterclass will teach you everything you need to know.
Need to learn MIM? We offer the world’s best and most comprehensive training courses.