How MIM & Azure AD Connect enable hybrid identity webinar: Qs & As

Judging by the very high number of registrations for my webinar “How MIM and Azure AD Connect enable hybrid identity”, and the questions asked at the end (which I answer in full below), there’s a great deal of interest in this subject!

Note: Since the video was recorded, Microsoft rebranded Azure AD Connect to Microsoft Entra Connect and rebranded Office 365 to Microsoft 365.

Watch the recording here.

The premise of my webinar was that MIM and Azure AD Connect (Microsoft Entra Connect) are as important as ever as cloud enablers. I provided a rapid, practical rundown of how and why they enable hybrid identity (including pluses and minuses and do’s and don’ts) and covered the following questions:

  • Why are so many organizations installing MIM for the first time as part of their cloud identity strategy?
  • Is it really still necessary to have two on-premises synchronization engines – MIM and Azure AD Connect – to support Office 365 (Microsoft 365) workloads? Why might you still need MIM and Azure AD Connect?
  • Does AD FS still have a place alongside Azure AD Connect?
  • When will you be able to turn off MIM? When will you be able to turn off Azure AD Connect?

Some great questions were also asked in the Q&A session at the end of the webinar – and, as promised, here are more detailed answers.

How does MIM compare with Federation?

Federation allows one security realm (such as a cloud directory) to trust another (such as an on-premises directory) – both to authenticate users on its behalf (which can provide true single sign-on), and also to provide authorization information.

MIM (in this context) only concerns itself with synchronizing identity data (including passwords) – potentially providing the same sign-on (using the same credentials) on premises at least. So they don’t compare well.

In my webinar I showed MIM and Azure AD Connect working together, and this question may be more about that overall architecture. If we extend this question to encompass that, then we must say that Azure AD Connect offers various ways in which cloud authentication can be associated with your on-premises directory. Password hash synchronization (PHS) resembles what MIM does, in that it provides the same sign-on – but importantly it is a hash that is synchronized (it is more secure). You can achieve something comparable to Federation by using Azure AD Connect’s pass-through authentication (PTA) and Seamless Single Sign-on features together.

This probably warrants a much longer conversation – and of course, we cover it in detail in our Microsoft Entra Connect Masterclass.

How does it do synchronization of passwords/non-reversible encryption, etc?

Widening “it” to mean MIM and Azure AD Connect: MIM synchronizes plain text passwords that it receives from a service running on a domain controller. It does so through secure channels (but note that because MIM is a highly flexible tool, there is nothing to stop you from writing a connector to a service that sends passwords over a non-secure channel – but why would you?)

If you use Azure AD self-service password reset, you can configure Azure AD Connect to write back those passwords to on-premises AD. That is done in real time, respecting on-premises password policies, and securely, through outbound-only connections. If PHS is in use, Azure AD Connect reads the new password hash (and this applies to any type of password change, not just resets), salts it, hashes it again 1024 times, and sends the result to Azure AD. During subsequent authentication, Azure AD repeats the same salting and hashing process on the presented credential and compares the result with the stored hash.
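To make the PHS flow described above concrete, here is an added illustration of the "salt it, re-hash it, and compare at sign-in" scheme. It is example code written for this post, not Microsoft's implementation or any Azure AD Connect code: the on-premises hash is simulated with SHA-256 over the UTF-16LE password (the real on-premises NT hash is MD4-based, which Python's hashlib does not reliably expose), the re-hashing uses PBKDF2-HMAC-SHA256 with the 1024-iteration figure quoted in the post as a tunable parameter, and the function names `simulated_onprem_hash`, `sync_to_cloud` and `cloud_verify` are this example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Iteration count as stated in the post; treated here as a tunable parameter.
ITERATIONS = 1024


@dataclass(frozen=True)
class CloudRecord:
    """What the cloud directory stores per user: a per-user salt and the
    re-hashed value. Neither the plaintext password nor the raw on-premises
    hash is stored."""
    salt: bytes
    protected_hash: bytes


def simulated_onprem_hash(password: str) -> bytes:
    """Stand-in for the on-premises password hash (constructed for this example).

    Real AD stores an MD4-based NT hash over the UTF-16LE password; SHA-256 is
    used here only so the example runs everywhere.
    """
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def protect_onprem_hash(onprem_hash: bytes, salt: bytes,
                        iterations: int = ITERATIONS) -> bytes:
    """Salt the on-premises hash and hash it again `iterations` times.

    The input is the on-premises hash, never the plaintext: the plaintext
    password does not leave the domain controller in this scheme, and the
    value sent to the cloud cannot be turned back into the on-premises hash.
    """
    return hashlib.pbkdf2_hmac("sha256", onprem_hash, salt, iterations, dklen=32)


def sync_to_cloud(onprem_hash: bytes) -> CloudRecord:
    """Model the sync step: pick a fresh per-user salt and send salt + derived
    hash. Two users with the same password get different stored values."""
    salt = os.urandom(16)
    return CloudRecord(salt=salt, protected_hash=protect_onprem_hash(onprem_hash, salt))


def cloud_verify(record: CloudRecord, presented_password: str) -> bool:
    """Model the sign-in step: the cloud recomputes the on-premises-style hash
    of the presented password, repeats the salt + iteration process with the
    stored salt, and compares in constant time against the stored value."""
    candidate = protect_onprem_hash(simulated_onprem_hash(presented_password), record.salt)
    return hmac.compare_digest(candidate, record.protected_hash)


if __name__ == "__main__":
    # Constructed sample: a password change on-premises, then two sign-ins.
    record = sync_to_cloud(simulated_onprem_hash("Correct Horse Battery!"))
    print("stored salt:          ", record.salt.hex())
    print("stored protected hash:", record.protected_hash.hex())
    print("correct password ->", cloud_verify(record, "Correct Horse Battery!"))
    print("wrong password   ->", cloud_verify(record, "not the password"))
```

The point the example makes for a defender: the cloud-side record is a salted, iterated derivative of the on-premises hash, so it is per-user unique even for identical passwords and is of no direct use against the on-premises domain; and verification works only because the cloud can repeat exactly the same salt and iteration count, which is why the process has to be deterministic on both sides.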

When does MIM go ‘end of life’? Can we be sure that Microsoft will support it in the future?

Microsoft continues to update MIM, but as there has not been a new version since 2016, by default (like any Microsoft product) it will cease to be supported in 2029. We can’t speak for Microsoft about whether there will be a new version, or whether support will be extended – and I recommend that you ask them! What we can say is:

  • There are a lot of globally significant organizations that depend on MIM, so it is hard to think that the rug would be pulled from under them – at least not without a replacement.
  • The Microsoft cloud synchronization story is developing, and meanwhile, they are indicating that support for MIM will continue in some form for many years. Microsoft makes no secret about its plans to move identity services to the cloud, but it is not going to be abandoning the hybrid identity model any time soon.
  • As and when a replacement for MIM exists (and apart from anything Microsoft is doing, we know of at least one organization that is working on a direct cloud alternative to MIM) there will be at least one migration path, and Oxford Computer Group companies will be active in supporting organizations through this.
  • In any MIM implementation, the actual technical implementation is not usually the major part of the work. A great deal of effort goes into cleaning up data and external processes and into the MIM architecture (defining a schema, what you connect to, and how identity data flows). This work is of great value even if you have to move to a new technical solution one day. Oxford Computer Group companies have migrated many organizations from other technologies to MIM, and these are generally much easier than fresh builds.

Is there a green start alternative to starting in the cloud only (when there is no on-prem AD already and the company is starting up with no history)?

That is just a matter of signing up for Azure AD (Microsoft Entra ID), and immediately benefitting from the security and governance features provided. You would need to look into cloud file and print services (which would traditionally be provided by a local AD).

What does the data warehousing feature provide, and does it integrate with Power BI?

This webinar was all about synchronization services provided by MIM and Azure AD Connect. MIM has another service (called – sparingly – “the MIM Service”!) which provides UI features and workflows. The Power BI reporting capability mentioned in the question is associated with that service and therein lies another discussion entirely. If you are only using MIM’s synchronization service, then I suggest you take a look at Identity Panel, from Software IDM for your reporting needs.

But to answer the question: MIM reporting utilizes System Center data warehousing. If you already have that, it makes sense to utilize it, but it is a heavy lift to deploy that infrastructure just to support MIM reporting. I know of no specific Power BI offering for MIM, but the data warehouse is built on SQL Server and so – in principle – Power BI can draw data from it.

If you have any questions, please contact me!

Find out more about our Microsoft Entra Connect training, webinar recordings, tools, and other resources.