What is the future of MIM? Is Microsoft Identity Manager reaching end of life? Do I need to move to another platform? What are the options? Here’s our take.
Who is this blog for?
People often ask us if it’s the end of the road for MIM and what they should do next. I aim to present some answers in this blog.
From the original release of Microsoft Identity Integration Server almost 20 years ago, to the current rich, ever-expanding, modern feature set of Azure Active Directory, the Microsoft identity stack continues to be an incredible success. This blog assumes that you are already on your journey towards the modern, cloud-oriented world that Azure AD/Microsoft Office can provide, but that MIM is still an important part of your infrastructure. Like many of our customers, you may also be wondering what to do next as MIM “end of life” approaches.
The blog goes into some detail about the MIM functionality which can’t (as yet) be migrated to the cloud. It provides some guidance, from the perspective of a long-term Microsoft partner, about various courses of action you might take. It discusses some Microsoft-friendly tools that can augment, partially replace, or fully replace MIM.
If you are looking for a blog about the huge benefits of Azure AD, or a general discussion of all the vendor platforms available for managing your cloud identities, this is not the blog you are looking for. But, if you’re looking for our opinion about what is the future of MIM, read on!
Also see these answers to some recent questions on MIM upgrade and deployment from Mark Wahl, Microsoft’s IAM/IGA software architect and Principal Program Manager.
Why is MIM important?
Microsoft Identity Manager (MIM) – and its predecessors – has proved to be affordable, flexible and robust. As a result, it has been deployed successfully in many different environments. Much of its functionality can be (and is being) smoothly migrated to the cloud (to Azure AD), but there are some functions which Azure AD does not cover, and which MIM covers very well. This should not be a surprise, because they are not alternatives – they are not trying to solve the exact same set of problems, but rather a somewhat overlapping set of problems.
MIM is now in extended support, and will be so until early 2026. So if you have an Azure AD Premium subscription you still get standard support, with a few caveats. After that, various paid-for support options will be available – from Microsoft or partners like Oxford Computer Group (OCG) – and in any case your MIM solution will not suddenly stop working. Meanwhile Microsoft continues to release functionality in its cloud offerings that can replace MIM functionality (though as yet that is not a total replacement).
What are the options?
Microsoft is well aware of the varied identity and access management requirements that exist, and they are developing their Azure AD capabilities to cover these – so the answer to this question will need to be re-evaluated over time. As discussed above, organizations have until early 2026 to either:
- Replace MIM entirely with Microsoft cloud functionality (Azure AD)
- Replace most of the MIM functionality with Microsoft cloud functionality, and select and implement a tool (presumably from a Microsoft-friendly vendor) to replace the remaining functionality
- Stay with MIM because the level of support needed can be provided by, for example, OCG
- Migrate to a different vendor altogether
Should we move to another platform?
We can’t be sure right now what things will look like at the end of standard MIM support in 2026 and there is no need to rush into an implementation that may not turn out to be optimal. Also, having taken soundings from Microsoft, other partners and our customers, we are confident that Microsoft will replace MIM functionality with technologies that offer a tight fit to Azure AD, and that meet changing IAM requirements.
What are the risks of switching to another vendor?
If an organization is minded to move to another vendor anyway (perhaps recognizing the need for a heavyweight governance solution) then there is probably no reason to hold back. But switching to another vendor just to replace MIM functionality is a risk, and should certainly not be rushed into.
During a number of engagements, Oxford Computer Group has come across some very expensive, very time-consuming migrations to other vendor platforms, which in some cases do not even work properly. We have even achieved considerable annual savings for customers migrating to MIM from other vendor platforms.
We also see script-based solutions being sold as IAM. While these can be quick and cheap to install, they lack the robustness and integrity that an IAM solution demands. This kind of approach can end up polluting Active Directory with poor quality data, which compromises later phases of IAM (such as role management and privileged access management).
Identity and Access Management (IAM) is changing, and any vendor offering may become obsolete. It is also worth noting that anyone with Azure AD Premium can use MIM free of charge, so migrating away from it could (at best) be an expensive way of only getting to where you are now. If your processes are well sorted out and embedded in MIM, the right kind of controlled migration, at the right time, may be quite easy, while replacing the entire platform may be like going back to square one.
Why implement MIM now?
MIM can be thought of in two parts. The Portal provides group management, self-service, SSPR and workflows. And the synchronization service handles provisioning and ensures identity data consistency between various repositories.
Most of the functions of the Portal can readily be provided by Azure AD. However, at least on the Microsoft platform, the MIM synchronization service is still the only game in town when it comes to all but the simplest integrations between Active Directory and sources of truth such as HR – this is especially the case where there are multiple sources of truth. License fees are very much at the modest end of the range, while the cost of implementation is comparable to other proper IAM systems.
You only need to utilise those features of MIM which you cannot implement via Azure AD (for example). There are paths available, or opening up, to support the move to hybrid cloud, and perhaps one day to cloud-only – or simply away from MIM if that turns out to be the right choice.
So organizations are implementing MIM now (particularly MIM sync), because it does represent a relatively cheap and effective solution – even if (as a worst case) it only lasts for four years. These organizations are not short-sighted, they are pragmatic.
Technical FAQs about migrating from MIM to Azure AD
Can MIM SSPR be migrated to Azure AD?
Yes. Azure AD Premium includes self-service password reset (SSPR) in the cloud. If Azure AD Connect’s password writeback feature is in use, a user can reset their on-premises AD password (as well as their Azure AD cloud password via password hash synchronization). Although not an exact feature for feature replacement, Azure AD Premium SSPR can easily be argued to be more convenient, and more secure, than that available through the MIM Portal.
Can MIM group management be migrated to Azure AD?
Mostly. Azure AD Premium provides broadly the same functionality for cloud groups as the MIM Portal does for on-premises groups. However, at the time of writing, while on-premises groups can be synchronized up to the cloud, write-back from cloud groups to on-premises groups is limited to distribution lists, i.e. you can’t write back to on-premises security groups (at least in supported configurations). It would not be surprising if this changed soon, but if management of on-premises security groups is a must-have for an organization right now, then an additional tool will be required if the MIM Portal is to be replaced (see below).
Can MIM provisioning be migrated to Azure AD?
Some now, more later, maybe everything eventually. MIM is highly flexible when it comes to provisioning, but it generally requires code to be written. MIM can also be extended to connect to just about any system by writing more code in the form of an “ECMA2” (effectively a custom connector).
Azure AD provides excellent functionality for codeless provisioning of accounts into many cloud-based systems. It can also provision to on-premises applications using SCIM, or to legacy applications using the very same ECMA2 “connectors” that MIM uses. This latter capability is an invitation-only preview at the time of writing, but it is clear enough where this is going. So, although there are a few caveats, and this is not a feature for feature replacement, it does look as though Azure AD will have this area pretty well covered.
Can Azure AD handle multiple sources of truth (e.g. HR systems) as MIM does?
Not yet. The MIM synchronization engine is particularly good at connecting to, and importing identity data from, multiple sources of truth (HR, temporary staff, student enrolment etc.), and then generating an authoritative, canonical representation of each identity. Azure AD (along with Azure AD Connect) has limited capability in this regard. So, in all but the simplest situations, this remains one area where a MIM, or a third-party tool, is still required (see below). However, a lot can – and probably will – happen in the next four years.
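To make concrete what “multiple sources of truth” means for a synchronization engine, here is an added example (not code from Oxford Computer Group, Microsoft or MIM) that models the two steps the paragraph describes: joining records from HR, a contractor system and student enrolment on a shared identifier, and then projecting one canonical identity per person using attribute-level precedence, much as the MIM metaverse does with join rules and attribute flow precedence. The source names, the precedence table, the join keys and all sample records are constructed assumptions; the example also covers the edge case of a person who appears in two sources (an employee who is also a student) and must join into one identity rather than become a duplicate.

```python
"""Added example, not MIM code: a minimal in-memory model of joining records
from several sources of truth and resolving attribute precedence into one
canonical identity per person. Source names, precedence order, join keys and
sample data are all constructed for illustration."""

from dataclasses import dataclass, field

# Precedence per attribute: the earliest listed source that supplies a value
# wins. Which source is authoritative for what is a policy decision; these
# orderings are assumptions for the example.
PRECEDENCE = {
    "displayName": ["hr", "contractors", "students"],
    "email":       ["hr", "contractors", "students"],
    "department":  ["hr", "students", "contractors"],
    "endDate":     ["contractors", "students", "hr"],
    "personType":  ["hr", "contractors", "students"],
}

# Join keys, tried in order: an incoming record joins an existing identity
# if any key value matches a record already connected to that identity.
JOIN_KEYS = ["nationalId", "email"]


@dataclass
class Identity:
    attributes: dict = field(default_factory=dict)
    # source name -> that source's raw record; kept so that precedence can
    # be re-evaluated whenever any source changes
    connectors: dict = field(default_factory=dict)


def _normalize(record):
    """Trim whitespace, drop empty values, lower-case e-mail for matching."""
    out = {}
    for key, value in record.items():
        if isinstance(value, str):
            value = value.strip()
            if key == "email":
                value = value.lower()
        if value not in (None, ""):
            out[key] = value
    return out


def _find_join(identities, record):
    for identity in identities:
        for key in JOIN_KEYS:
            value = record.get(key)
            if value is None:
                continue
            if any(rec.get(key) == value for rec in identity.connectors.values()):
                return identity
    return None


def _project(identity):
    """Build the canonical attribute set from the connected records."""
    attrs = {}
    for attr, order in PRECEDENCE.items():
        for source in order:
            rec = identity.connectors.get(source)
            if rec and attr in rec:
                attrs[attr] = rec[attr]
                break
    # Join keys are carried through from whichever connector has them.
    for key in JOIN_KEYS:
        for rec in identity.connectors.values():
            if key in rec:
                attrs.setdefault(key, rec[key])
    identity.attributes = attrs
    return attrs


def synchronize(sources):
    """sources: {source_name: [record, ...]} -> list of canonical identities."""
    identities = []
    for source, records in sources.items():
        for raw in records:
            rec = _normalize(raw)
            identity = _find_join(identities, rec)
            if identity is None:
                identity = Identity()
                identities.append(identity)
            identity.connectors[source] = rec
    for identity in identities:
        _project(identity)
    return identities


def conflicts(identity, attr):
    """Values for attr that lost on precedence: worth reporting back to the
    owning source so that bad data is corrected at origin, not in AD."""
    winner = identity.attributes.get(attr)
    return sorted({rec[attr] for rec in identity.connectors.values()
                   if attr in rec and rec[attr] != winner})


SAMPLE_SOURCES = {  # constructed sample data
    "hr": [
        {"nationalId": "A100", "displayName": "Alice Example",
         "email": "Alice@example.org", "department": "Finance",
         "personType": "Employee"},
    ],
    "contractors": [
        {"nationalId": "C200", "displayName": "Bob Contractor",
         "email": "bob@example.org", "endDate": "2024-12-31",
         "personType": "Contractor"},
    ],
    "students": [
        # Alice is also enrolled part-time: this must join, not duplicate.
        {"email": "alice@example.org", "displayName": "A. Example",
         "department": "Physics", "endDate": "2025-06-30",
         "personType": "Student"},
        {"nationalId": "S300", "displayName": "Carol Student",
         "email": "carol@example.org", "personType": "Student"},
    ],
}

if __name__ == "__main__":
    for identity in synchronize(SAMPLE_SOURCES):
        print(sorted(identity.connectors), identity.attributes)
```

Two design points carry over to real deployments: precedence is per attribute, not per source (HR wins on department, but the contractor system is the better authority on an end date), and the losing values are kept and surfaced rather than silently discarded, because a sync engine that quietly overwrites is exactly how Active Directory ends up polluted with poor quality data.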
Can Azure AD replace PCNS?
Not at present as far as we know. The Password Change Notification Service (PCNS) captures AD password changes and forwards them to MIM, which can send them to target systems. If you use PCNS we recommend that you stick with MIM for the time being. We know of at least one vendor who plans to provide an alternative – so watch this space.
Can MIM Portal workflows be replaced by Azure AD functionality?
Not directly. In our experience, many organizations are using some fairly simple workflows (for example for group management approvals), which can be readily replaced by comparable functionality in Azure AD. However, a small but important percentage of organizations have invested significantly in MIM workflows and/or other MIM Portal functionality – for such cases there is no obvious Microsoft migration path. This has prompted Oxford Computer Group companies to make investments in cloud functionality (within Azure) which can provide a migration path (see below).
Can Azure AD replace BHOLD functionality?
BHOLD was a role management addition to the MIM synchronization engine which is now effectively deprecated. The role management approach within Azure AD is much more sophisticated and may well be all that is needed for an organization intending to be cloud-oriented. However, Azure AD does not offer generic on-premises role management, so any organization looking for an equivalent to MIM plus BHOLD functionality will likely have to look for a third-party tool (see below).
Microsoft-friendly tools to augment and/or replace MIM
There are many tools that can add functionality to MIM, support migration away from MIM, or even replace MIM altogether. We present just three here. The criteria for selection are:
- No pressure to move away from the Microsoft platform (this is what we mean by “Microsoft friendly”)
- Fully supportive of MIM (can co-exist), with a clear migration path to something else (can replace)
- We have experience of implementing them, and so can give you authoritative information
In the interests of full disclosure, IBIS and IDABUS have been developed by Oxford Computer Group companies.
Identity Panel Suite from SoftwareIDM
The Identity Panel Suite is cloud-based and is centred around, and complementary to, Azure AD. There are five applications:
- Identity Panel is able to import data from cloud and on-premises sources, providing auditing, monitoring (health), reporting, and workflow features (triggered by changes to identity data, or based on date/time). The key message here is that it can do all this for MIM, including scheduling it.
- HyperSync Panel is a general-purpose synchronization engine for on-premises and cloud systems, including cloud to cloud. The key message here is that it is a replacement for the MIM synchronization engine (with improvements).
- Access Panel is a generic role management application, including roles-based access control (RBAC), attribute-based access control (ABAC), segregation of duties (SoD), attestation campaigns etc. The key message here is that it is a replacement for BHOLD (and much more).
- Service Panel is a web-based and fully customizable portal for managing identity data – white pages for users, a user-management tool for managers, and a service desk (for administrators and help-desk). The key message here is that this is a more or less complete replacement for the MIM Portal.
- Test Panel is a generic, automated testing application for your identity management system – this is entirely additional to MIM functionality.
In summary, the Identity Panel Suite can be implemented alongside MIM, AD and Azure AD – adding capabilities to the platform. It can also facilitate a gradual migration from MIM, replacing those features that Azure AD can’t. SoftwareIDM sees the Identity Panel Suite as much more than a replacement for MIM (with justification). But for our purposes here, the Suite represents a total replacement for MIM.
- Watch a recording of a webinar about SoftwareIDM’s HyperSync Panel from April 2022.
- Read a blog in which I take a closer look at the Identity Panel Suite.
IBIS from Trusted-ID
Trusted-ID is an Oxford Computer Group company based in The Netherlands. Driven by government requirements, identity management platforms in the Netherlands have complicated and fine-grained identity requirements – and Trusted-ID has extended the capabilities of MIM to meet their customers’ requirements. The resulting product has an impressive feature list, including:
- Can be used in addition to MIM or instead of MIM
- Extensive logging and reporting
- Can be deployed on-premises only, off-premises (Azure) only or hybrid (combined) environments
- Event-driven (while MIM is state-driven)
- Optimized for Azure (monthly Azure cost approximately $300-$400)
- Subscription basis
- Regular pen-testing and updates (with security patches if required after pen-testing)
- Imminent releases:
  - Smartphone app for approvals (assets, authorizations, onboarding etc.)
  - Over 100 standard reports, and growing
We think the diagram below (although clearly aimed at a Netherlands audience and including a sub-set of features) demonstrates the breadth and depth of Trusted-ID’s knowledge and expertise in this area, and the investment they have made to support their customers.
IDABUS from Oxford Computer Group Germany
Oxford Computer Group Germany (OCG DE) has produced some excellent extensions to the MIM Portal over many years, including a better interface, role management and reporting. IDABUS, an OCG DE subsidiary, is a cloud-based solution which does everything that the MIM Portal can do and much more (with the exception of things obviously done better by Azure AD, such as SSPR).
It is completely Azure-based (no local servers needed), and uses a subscription model. (An on-premises version is planned for high security environments, or customers without Cloud connections.)
The feature set is that of the MIM Portal, plus:
- Roles-based access control (RBAC)
- Very fast resource history, with restore options
- Event Graph, a representation of all data events related to any object in the system, is a powerful tool for troubleshooting and auditing
- Preview/simulation/cancel/correct/resume features for workflows
- Workflows with complex scenarios (sophisticated approval flows)
- Time-triggered workflows
- Connection to any REST API
- Extended XPATH language with visual builder
- Extensible schema (users, groups, roles, cost centers, org structures etc.)
- Configuration changes without downtime
- MIM migration Tool available (with security checks)
In summary, IDABUS is the MIM Portal on steroids.
This table shows which features are native to which systems:
We have until at least 2026 to track Microsoft’s developments and put in place alternatives as required.
There is already some choice for how to replace MIM functionality, and the next four years will bring more choice.
Of course, every customer has a unique situation, and the best course of action is not the same for everyone.
Talk to us!
Oxford Computer Group has been a very strong Microsoft partner for over 30 years, with wide expertise and experience.
- We do not rely on software sales for our income. We try to present an impartial view on the best way forward.
- We have developed a number of extensions and/or replacements for certain Microsoft identity and access management components which provide additional options for the future.
- We offer industry-leading training courses covering all you need to know to implement and support your Microsoft IAM, and get the most out of your cloud investment.
Please contact me if you have any questions or if you would like to know more!
- Live instructor-led training via Teams from wherever you are
- Online at your own pace – start any time
- Private training exclusively for your IT team – learning together is a top team-building exercise
Learn how to build an HR-driven provisioning solution for your Active Directory and Azure Active Directory with our practical video training.