Includes latest changes in MIM 2016 Service Pack 2 and updated guidance on deprecated features
Five years on, many organizations are still using FIM and continue to come to Oxford Computer Training for help with MIM upgrades – from our MIM training courses at Foundation, Advanced and Expert level to our new TrainingPlus service which offers packages of training plus ongoing mentoring and support at discounted rates.
As there have been some important changes since I wrote my popular FIM to MIM users’ guide in 2017, I have updated it here, referencing changes in Service Pack 2 (SP2) as well as updated guidance on deprecated features.
Most organizations want to be using software which is supported by the manufacturer, and therefore having an eye on the limits of support is important:
- FIM 2010 SP2 is supported until 11th October 2022 (learn more).
- MIM 2016 SP2 is supported until 9th January 2029 (learn more).
- For customers using Azure AD Premium, specific Azure-related support is also available (learn more).
- For those users still using SharePoint Server 2010 underneath the FIM Portal, support for this expires on 13 April 2021 (learn more).
- SharePoint Foundation 2013 support expires on 11 April 2023 (learn more).
The minimum supported starting version for the upgrade directly to MIM 2016 SP2 is FIM R2 SP1, build 4.1.3419.0. If you have not yet reached this patch level in FIM, you will need to update before the upgrade to MIM – and, by the way, you should patch anyway!
With the original release build of MIM 2016 SP2, some customers experienced problems with their SharePoint-based MIM Portals after installing a SharePoint update in September 2020, and so we were advising upgrades to SP2 only with some caution. These problems have been fixed in the latest hotfix 4.6.359.0 (here), which is therefore highly recommended.
Microsoft has a focus on protecting customers’ investments: the FIM solutions deployed must continue to work. Thus, continuity is an important theme.
Microsoft has published an updated list of FIM features which are deprecated (i.e. which will not be supported in a future version of the product) here. This is an update to the original list from 2017.
The only deprecated features that have actually been removed are a handful of obsolete Management Agents: Notes, SAP R/3 and FIM CM. The Notes and SAP R/3 agents have new, modern alternatives in SP2 (see below); the exception is the Management Agent for FIM Certificate Management (CM), which has no replacement. If you are using these agents, you will need to plan the implementation of a replacement MA, if available, or (for CM) a different approach to propagate lifecycle triggers to the CM components (via Workflows, for example). Apart from this, our experience is that the upgrade to MIM 2016 from FIM 2010 R2 does not cause any significant problems with existing implementations.
Of course, we should not neglect to mention the Cloud. Microsoft is famously committed to a cloud-first strategy, and Microsoft’s capability in the cloud is a leading one (see here). The identity synchronization features both in the Azure AD Connect (on premises) product and in the Azure AD Cloud Connect capability are familiar to those who use FIM and MIM, providing a clear path to the future for those who wish to move some or all identity management capabilities to the cloud. On-premises systems are going to remain a fact of life for many organizations for a while to come, so the capability to manage identities and access for those systems remains a critical one, and MIM components (and related capabilities from Microsoft) provide essential services for this activity.
A seemingly trivial change is that Microsoft is moving away from the term “Management Agent”, and starting to use “Connector” to refer to the data transfer components of the synchronization service. Those of you familiar with the technical details of FIM will appreciate that there is already the concept of a “Connector” in FIM (and MIM), namely an object in a connector space which is connected to a metaverse object. This ambiguity will not really be a problem (the context should make the meaning clear) but care should be taken when using the term “connector”. The main reason, however, that I mention this here is that if you are searching for content concerning Management Agents for MIM, you will need to search for “MIM Connectors”.
As mentioned above, the connectors for SAP R/3 (BAPI-based) and Lotus Notes (v6.5 and 7) are no longer available. They have been replaced by the Web Services-based SAP connector and the Lotus Domino connectors which are fully supported by Microsoft. For more information on the connectors available in MIM, see this link. (It is worth noting that these connectors are regularly updated, most recently on 11 November 2020, and this link will help you stay up to date).
MIM 2016 SP2 is an in-place upgrade to FIM 2010 R2 SP1, provided you have the slipstreamed installation media for MIM 2016 SP2 (i.e. the full MIM product with SP2 already integrated into it). This in-place capability eases the upgrade process, although, of course, the usual precautions for testing and possible rollback will need to be taken. Note that the client components (password reset client, certificate management client) will need re-installation on upgrade from FIM to MIM. Given the need to test a new configuration in any case, it is also a good time to plan the move away from any deprecated or unsupported features which you may have carried over from a FIM (or even ILM) implementation.
The licensing of the MIM components is the same as for FIM – as of April 2015, the licence for FIM Server Components has been included in the Windows Server licence (Standard and Datacenter), which means that there is no additional charge for deploying FIM or MIM servers. This can represent a significant saving. Client Access Licences are still required for solutions which contain more than synchronization (be it portal, password reset, certificate management and/or RBAC activity), and these are available as a specific SKU, or bundled with various Cloudy licences such as Azure Active Directory Premium (AADP) and Enterprise Mobility + Security (EMS). For FIM users without Software Assurance, therefore, it is worth looking at the AADP and EMS licences before simply purchasing new MIM licences – Oxford Computer Group and Oxford Computer Training are, of course, happy to advise customers about such potential solutions! (Read about MIM licensing here.)
Support for the MIM portal running on SharePoint 2019 arrived with MIM 2016 SP2. There is no licence-free version of SharePoint 2019, so you will need such licences if you wish to run MIM portal on the newest SharePoint platform. If you don’t want to purchase licences for SP2019, SharePoint Foundation 2013 is still supported, although the implementation on modern server platforms is tricky. For a MIM portal replacement which does not use SharePoint components at all (and therefore saves the SharePoint implementation and licensing costs) you might be interested in IdentityDirector (www.identitydirector.com), from our colleagues at Oxford Computer Group in Austria.
Browser and Platform Support
The release of MIM 2016 SP1 brought much-needed support for modern platforms, and this commitment to support the latest platforms continues with SP2. Browser support is extended compared with FIM, so that not only Internet Explorer is supported. With MIM 2016 SP2, the portal is also supported on Edge, Chrome and Safari, opening usage scenarios based on non-Windows devices (although it is worth mentioning that Oxford Computer Group Germany has had a pure HTML5, cross-platform portal for FIM/MIM for some time – PDF here, in German).
Microsoft has also added support for modern server and client platforms. For example, MIM 2016 SP2 is supported on Windows Server 2019, as well as with SQL Server 2019, Exchange Server 2017 and System Center Service Manager 2019 (for reporting). There is also a Certificate Management client for Windows 8.1 and Windows 10 devices which supports Virtual Smartcards.
As noted above, the MIM 2016 SP2 portal is supported on SharePoint 2019.
With SP2 we are able to use group managed service accounts for the core MIM services for the first time, as well as the web sites underlying the three portals (MIM Portal, SSPR Registration and SSPR Reset). In addition, we now have the option to install in an environment where only TLS 1.2 is permitted.
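As an added example (not from the original post, and not Microsoft's or Oxford Computer Training's code), the PowerShell script below bundles the two pre-upgrade checks discussed above: that the installed FIM build is at or above 4.1.3419.0, the minimum starting point for a direct upgrade, and that the server's SCHANNEL and .NET Framework registry settings actually leave only TLS 1.2 available before you choose the TLS 1.2-only installation option. The miiserver.exe path and the function names are assumptions; the SCHANNEL protocol keys and the .NET `SchUseStrongCrypto`/`SystemDefaultTlsVersions` values are the standard Windows locations for this configuration.

```powershell
# Added example, not part of the original post. Pre-upgrade readiness check for a
# FIM 2010 R2 SP1 -> MIM 2016 SP2 upgrade: verifies the installed FIM build and
# reports whether the host is effectively TLS 1.2-only.

# Minimum direct-upgrade starting build named in the post.
$MinimumFimBuild = [version]'4.1.3419.0'

# ASSUMPTION: default install location of the FIM 2010 R2 synchronization service binary.
$SyncServiceExe = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe'

function Test-FimUpgradeBaseline {
    param(
        [string]  $ExePath = $SyncServiceExe,
        [version] $Minimum = $MinimumFimBuild
    )
    if (-not (Test-Path -LiteralPath $ExePath)) {
        return [pscustomobject]@{ Check = 'FIM build'; Installed = $null; Minimum = $Minimum
                                  Ready = $false; Note = "binary not found at $ExePath" }
    }
    # Cast to [version] before comparing. As plain strings '4.1.3419.0' sorts BELOW
    # '4.1.400.0' (because '3' < '4'), so a text comparison would misjudge the build.
    $installed = [version](Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
    $ready = ($installed -ge $Minimum)
    $note  = if ($ready) { 'direct upgrade to MIM 2016 SP2 supported' }
             else        { 'patch FIM to at least the minimum build first' }
    [pscustomobject]@{ Check = 'FIM build'; Installed = $installed; Minimum = $Minimum
                       Ready = $ready; Note = $note }
}

function Get-SchannelProtocolState {
    # One row per protocol and side. A missing key means the OS default applies, which
    # for TLS 1.0/1.1 on older Windows Server releases is "enabled": not proven off.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $props   = Get-ItemProperty -LiteralPath (Join-Path $base "$proto\$side") -ErrorAction SilentlyContinue
            $enabled = $props.Enabled
            $dbd     = $props.DisabledByDefault
            $state = if ($null -eq $enabled -and $null -eq $dbd) { 'not configured (OS default)' }
                     elseif ($enabled -eq 0)                      { 'disabled' }
                     elseif ($dbd -eq 1)                          { 'disabled by default' }
                     else                                         { 'enabled' }
            [pscustomobject]@{ Protocol = $proto; Side = $side; State = $state }
        }
    }
}

function Test-DotNetStrongCrypto {
    # MIM and its portals are .NET applications; without these values .NET 4.x may still
    # negotiate TLS 1.0/1.1 on its own, regardless of the SCHANNEL settings above.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $p.SchUseStrongCrypto
            SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
            Ready = ($p.SchUseStrongCrypto -eq 1 -and $p.SystemDefaultTlsVersions -eq 1)
        }
    }
}

function Test-Tls12Only {
    $rows   = Get-SchannelProtocolState
    $legacy = $rows | Where-Object { $_.Protocol -ne 'TLS 1.2' }
    $tls12  = $rows | Where-Object { $_.Protocol -eq 'TLS 1.2' }
    # Every legacy protocol must be explicitly off; TLS 1.2 must not be explicitly off.
    $legacyOff = -not ($legacy | Where-Object { $_.State -notin 'disabled', 'disabled by default' })
    $tls12On   = -not ($tls12  | Where-Object { $_.State -eq 'disabled' })
    $dotnetOk  = -not (Test-DotNetStrongCrypto | Where-Object { -not $_.Ready })
    [pscustomobject]@{ Check = 'TLS 1.2 only'; LegacyProtocolsOff = $legacyOff
                       Tls12Available = $tls12On; DotNetStrongCrypto = $dotnetOk
                       Ready = ($legacyOff -and $tls12On -and $dotnetOk) }
}

# Run all three reports; review anything with Ready = False before starting the upgrade.
Test-FimUpgradeBaseline   | Format-List
Get-SchannelProtocolState | Format-Table -AutoSize
Test-Tls12Only            | Format-List
```

Run it in an elevated session on each FIM server (sync, service and portal) before scheduling the upgrade. The script only reads registry and file metadata; the "not configured (OS default)" state is deliberately not counted as disabled, because on older server builds the default for TLS 1.0 and 1.1 is still enabled and an install that assumes TLS 1.2-only would then fail or silently fall back.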
Privileged Access Management
Many documented attacks on corporate networks have been shown to have used stolen admin credentials to create backdoors, which are then used to steal data over a long period of time.
In response to this threat, Microsoft invested in a new set of features on the MIM platform, Privileged Access Management, which involves building a highly protected administrative forest (an Enhanced Security Admin Environment, or ESAE) in which all admin activity takes place, away from the (probably) infected corporate forest. The primary motivation here is to minimise the ability of an attacker to access the (cached) credentials of an administrator (by partitioning the admins into a separate secure forest), and to minimise the time in which the users themselves are administrators. MIM SP2 does not make significant changes to the PAM functionality.
It is worth pointing out the updated guidance from Microsoft on the use of an ESAE, which refers to the high cost of such an environment, and makes it clear that there are better ways of providing similar security benefits at a lower cost. They go on to say that they themselves still use the ESAE architecture, so it is not completely obsolete – you just have to be aware of the cost/benefit calculation which applies to your environment. More about this updated guidance here.
Oxford Computer Training offers a one-day PAM training course – see the course outline here – and has experience in implementing PAM. And, through our TrainingPlus programme we can offer a package of training and guidance before and during a PAM implementation.
Microsoft is continuing to invest in MIM as a general platform for the implementation of custom solutions. FIM 2010 delivered a portal solution based on a web service – and Oxford Computer Group has developed both complementary and replacement solutions based on this web service (for example, our customised MIM Portal, and our identity solutions for mobile phones). MIM delivers even more web services to enhance our ability to build solutions:
- Web Service for Certificate Management
- Web Service for Privileged Access Management
These are REST web services which allow developers to integrate identity and access processes into their solutions.
MIM 2016 SP2 conserves your investment in FIM solutions, while offering new functionality to address emerging challenges.
Oxford Computer Training offers technical training on MIM, Azure and other identity-related technologies and topics – see courses.
Our sister companies in Oxford Computer Group offer full implementation services but our customers frequently come back to us for help with smaller issues, ad hoc questions, and mentoring staff. This led us to develop our popular new TrainingPlus service which offers a choice of packages comprising training plus ongoing ad-hoc mentoring and support at discounted rates.
- For deprecated FIM features go here.
- For available MIM connectors go here.
- For more about licensing go here – sadly this is slightly old and contains broken links, but it is the best summary of licensing of FIM and MIM from Microsoft currently available!
- Finally, be sure to read my very popular blog Microsoft Identity Manager – MIM – 2016 Service Pack 1.