FIM to MIM – a user’s guide
With Microsoft Identity Manager 2016 (MIM), Microsoft brings both continuity and innovation to their on-premises identity management platform. In this blog, I summarize the impact that MIM will have on existing users of FIM 2010, including the new features in Service Pack 1 for MIM.
Microsoft is focused on protecting customers’ investments: the FIM solutions already deployed must continue to work. Thus, continuity is an important theme.
Microsoft has published a list of FIM features – see further reading below – which are deprecated, i.e. which will not be supported in a future version of the product. No deprecated features have been removed in MIM 2016, and our experience is that the upgrade to MIM 2016 from FIM 2010 R2 does not cause any significant problems with existing implementations.
A seemingly trivial change is that Microsoft are moving away from the term “Management Agent”, and starting to use “Connector” to refer to the data transfer components of the synchronization service. Those of you familiar with the technical details of FIM will appreciate that there is already the concept of a “Connector” in FIM (and MIM), namely an object in a connector space which is connected to a metaverse object. This ambiguity will not really be a problem (the context should make the meaning clear) but care should be taken when using the term “connector”. The main reason, however, that I mention this here is that if you are searching for content concerning Management Agents for MIM, you will need to search for “MIM Connectors”.
Note that although the connectors for SAP R/3 (BAPI-based) and Lotus Notes (v6.5 and 7) are still available, they are no longer supported by Microsoft – the Web Services-based SAP connector and the Lotus Domino connectors replace the older versions, and are fully supported by Microsoft. For more information on the connectors available in MIM, see further reading below. (It is worth noting that these connectors are regularly updated, and this link will help you stay up to date).
MIM 2016 is an in-place upgrade to FIM 2010 R2, and is also a prerequisite for MIM 2016 SP1, which is therefore an in-place upgrade for MIM 2016. This in-place capability eases the upgrade process, although, of course, the usual precautions for testing and possible rollback will need to be taken. Note that the client components (password reset client, certificate management client) will need re-installation on upgrade from FIM to MIM. Given the needs of testing a new configuration in any case, it is also a good time to plan the move away from any deprecated or unsupported features which you may have carried over from a FIM (or even ILM) implementation.
Note that the licensing of the MIM components is the same as for FIM – as of April 2015, the licence for FIM Server Components has been included in the Windows Server licence (Standard and Datacenter), which means that there is no additional charge for deploying FIM or MIM servers. This can represent a significant saving. Client Access Licences are still required for solutions which contain more than synchronization (be it portal, password reset, certificate management and/or RBAC activity), and these are available as a specific SKU, or bundled with various Cloudy licences such as Azure Active Directory Premium (AADP) and Enterprise Mobility + Security (EMS). For FIM users without Software Assurance, therefore, it is worth looking at the AADP and EMS licences before simply purchasing new MIM licences – OCG is, of course, happy to advise customers about such potential solutions! (More about licensing, see further reading below.
With MIM 2016 SP1, support for the MIM portal running on SharePoint 2016 arrived – note that there is no licence-free version of SharePoint 2016, so you will need such licences if you wish to run MIM portal on the newest SharePoint platform (if you don’t want to purchase licences for SP2016, SharePoint Foundation 2013 is still supported).
Browser and Platform Support
Ever since Microsoft provided a portal solution, it has only been supported for Internet Explorer. With Service Pack 1 for MIM, this limitation is removed – the portal is supported on Chrome and Safari as well, opening usage scenarios based on non-Windows devices (although it is worth mentioning that OCG has had a pure HTML5, cross-platform portal for FIM/MIM for some time!).
Microsoft has also added support for modern server and client platforms: for example, MIM 2016 SP1 is supported on Windows Server 2016 as well as Windows Server 2012 R2 (in contrast to FIM 2010 R2), and there is a Certificate Management client for Windows 8.1 and Windows 10 devices which supports Virtual Smartcards.
As noted above, the MIM 2016 SP1 portal is supported on SharePoint 2016.
Privileged Access Management
Many documented attacks on corporate networks have been shown to have used stolen admin credentials to create backdoors, which are then used to steal data over a long period of time.
In response to this threat, Microsoft has invested in a new set of features on the MIM platform, Privileged Access Management.
The primary motivation here is to minimise the ability of an attacker to access the (cached) credentials of an administrator (by partitioning the admins into a separate secure forest) and to minimise the time in which the users themselves are administrators. This last point, summarised by the terms “Just-Enough-Admin” and “Just-In-Time Admin” involves pre-authorizing administrators for certain pre-defined administrative roles, and making sure that an admin’s user account has, by default, absolutely no administrative permissions. To allow the admins to do their job, the system allows the administrators to request a role on a limited-time basis when they actually need to use it. Each role can have a different Time-To-Live – so more security-sensitive roles can have a time limit measured in minutes, while other roles may be available for hours (a feature which is enhanced with Windows Server 2016, which uses the Expiring Links functionality to deliver Kerberos Tickets which have a TTL matching the remaining time of a group membership, if this is shorter than the default ticket lifetime). At the end of the validity, the role will automatically be removed from the user, and they lose their administrative permissions.
The PAM implementation involves planning the secure forest, discovering the privileged accounts and privileged permissions in the existing environment, and populating the new forest with secure accounts and roles to represent these existing accounts and permissions. MIM contains tools to support this discovery and population activity. Once implemented, PAM requires monitoring – there are monitoring tools to apply to the existing forest: for example, to check that the PAM-managed permissions are not assigned manually in the existing forest.
Service Pack 1 for MIM brings the capability to use PAM to manage the privileged accounts in the PAM Forest, as well as those in the existing environment. Note that while this “single forest” capability can be misused to install PAM in the corporate forest, such a configuration is not recommended, and would not deliver the security benefits expected from a PAM implementation.
OCG has training available for PAM – here – and has experience in implementing PAM, so don’t hesitate to contact us for guidance before and during a PAM implementation.
Microsoft is continuing to invest in the product as a general platform for the implementation of custom solutions. FIM 2010 delivers a portal solution based on a web service – and we at Oxford Computer Group have developed both complementary and replacement solutions based on this web service (for example, our customised FIM Portal, and our identity solutions for mobile phones). MIM delivers even more web services to enhance our ability to build solutions:
- Web Service for Certificate Management
- Web Service for Privileged Access Management
These are REST web services which allow developers to integrate identity and access processes into their solutions.
MIM 2016 SP1 conserves your investment in FIM solutions, while offering new functionality to address emerging challenges.
Oxford Computer Group offers a range of consulting services to support you in your move to MIM 2016, from FIM 2010 Healthchecks, through to planning and deployment support for Privileged Access Management and Role-based Access Control. Find out more! Thank you for your interest!
- For deprecated FIM features go here.
- For available MIM connectors go here.
- For more about licensing go here – sadly this is slightly old and contains broken links, but it is the best summary of licensing of FIM and MIM from Microsoft currently available!
- Finally, be sure to read my very popular blog Microsoft Identity Manager – MIM – 2016 Service Pack 1.