Search icon
Cart icon
Close icon
You have no products in your basket yet
Save more on your purchases!
Savings automatically calculated. No voucher code required
Arrow left icon
All Products
Best Sellers
New Releases
Learning Hub
Free Learning
Arrow right icon
Over 7,000 tech titles at $9.99 each with AI-powered learning assistants on new releases
Microsoft Identity Manager 2016 Handbook
Microsoft Identity Manager 2016 Handbook

Microsoft Identity Manager 2016 Handbook: A complete handbook on Microsoft Identity Manager 2016 – from design considerations to operational best practices

By David Steadman , Jeff Ingalls
$51.99 $9.99
Book Jul 2016 692 pages 1st Edition
$51.99 $9.99
$15.99 Monthly
$51.99 $9.99
$15.99 Monthly

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Buy Now

Product Details

Publication date : Jul 19, 2016
Length 692 pages
Edition : 1st Edition
Language : English
ISBN-13 : 9781785283925
Vendor :
Category :
Table of content icon View table of contents Preview book icon Preview Book

Microsoft Identity Manager 2016 Handbook

Chapter 1. Overview of Microsoft Identity Manager 2016

Microsoft Identity Manager 2016 (MIM 2016) is not one product but a family of products working together to mitigate challenges regarding identity management. In this chapter, we will discuss the MIM family and provide a brief overview of the major components available. The following diagram shows a high-level overview of the MIM family and the components relevant to an MIM 2016 implementation:

Within the MIM family, there are some parts that can live by themselves and others that depend on other parts. To fully utilize the power of MIM 2016, you should have all the parts in place, if possible. At the center, we have MIM Service and MIM Synchronization Service (MIM Sync). The key to a successful implementation of MIM 2016 is to understand how these two components work—by themselves as well as together.

The Financial Company

The name of our fictitious company is The Financial Company. The Financial Company is neither small nor big. We will not give you any indication of the size of this company because we do not want you to take our example setup as being optimized for a company of a particular size, although we will provide some rough sizing guidelines later.

As with many other companies, The Financial Company tries to keep up with modern techniques within their IT infrastructure and is greatly concerned with unauthorized security issues. They are a big fan of Microsoft and live by the following principle:

If Microsoft has a product that can do it, let's try that one first.

The concept of cloud computing is still somewhat fuzzy to them, and they do not yet know how or when they will be using it. They do understand that in the near future, this technology will be an important factor for them, so they have decided that for every new system or function that needs to be implemented, they will take cloud computing into account.

The challenges

During a recent inventory of the systems and functions that their IT department supported, a number of challenges were found. We will now have a look at some of the identity management (IdM)-related challenges that were uncovered.

Provisioning of users

The Financial Company discovered a new employee or contractor may wait up to a week before accounts are provisioned to the various required systems, and the correct access is granted to each person to do his/her job. The Financial Company would like account provisioning and proper access granted within a few hours.

The identity life cycle procedures

A number of identity life cycle management issues were found.

Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or after they changed their job. The termination and disabling of identities was also sometimes missed. A security review found active accounts of users who had left the company more than six months ago.

The security review found one HR consultant who had left The Financial Company months ago that still had VPN access and an active administrative HR account. The access should have been disabled when the project was completed and the consultant's contract had ended.

The Financial Company would like a way of defining identity management policies and a tool that detects anomalies and enforces their business policies. The Financial Company would like business policy enforcement to take no more than a few hours.

Highly privileged accounts (HPA)

The Financial Company has been successful in reducing the number of powerful administrative accounts over the last few years; however, a few still exist. There are also other highly privileged accounts and a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.

Public key infrastructure (PKI) within The Financial Company is a one-layer PKI, using an Enterprise Root CA without hardware security module (HSM). The CSO is concerned that it is not sufficient to start using smart cards because he feels the assurance level of the PKI is not high enough.

Password management

The helpdesk at The Financial Company spends a lot of time helping users who have forgotten their password. Password resets are done for internal users as well as partners with access to shared systems.


The Financial Company found that they had no processes or tools in place to trace the status of identities and roles historically. They wanted to be able to answer questions such as:

  • Who was a member of the Domain Admins group in April?

  • When was John's account disabled, and who approved it?

The environment

The following diagram gives you an overview of the relevant parts of the current infrastructure within The Financial Company:

The diagram does not represent any scaling scenarios but rather shows the different functions we will be using in this book.

In the following table, you will find a short summary of the systems involved:



Products installed/to be installed


This is the domain controller for the Active Directory domain

The AD DS and DNS roles need to be installed.


This is the Enterprise Root CA. The Financial Company uses only a one-layer PKI without any HSM.

AD CS, including the Web Enrollment role, needs to be installed.


The central Microsoft SQL server is used by many systems. Among these systems are the HR and Phone systems.

SQL Server 2014, including Integration Services, needs to be installed.


This is the e-mail system.

Exchange 2013 needs to be installed.


This is the test and development server for MIM.

SQL Server 2014 and Visual Studio 2013, along with MIM Sync, Service, and Portal, need to be installed.


This is the MIM Synchronization server.

MIM Synchronization service.


This is the MIM Web Service and Portal server.

MIM Service and MIM Portal need to be installed.


This is the MIM Certificate Management server.

MIM CM Service and Portal need to be installed.


This is the MIM Password Registration and Reset server.

MIM Password Registration and Reset need to be installed.


This is the SCSM Management server used by MIM Reporting.

SQL Server 2014 and System Center Service Manager need to be installed.


SCSM Data Warehouse server used by MIM Reporting.

SQL Server 2014 and System Center Service Manager need to be installed.

All systems have Microsoft Windows Server 2012 R2 as the operating system.

The products installed or to be installed show the status of the systems when we start our journey in this book. Details about the features and products already installed will be explained in Chapter 2, Installation.

The Active Directory domain within The Financial Company is, which uses TFC as the NetBIOS name. The public domain used by The Financial Company is; this is also the primary e-mail domain used.

Moving forward

The CIO, CSO, and CTO of The Financial Company found that the solutions explained to them by the identity management company would indeed help mitigate the challenges they were facing. They decided to implement MIM 2016.

In this book, we will follow The Financial Company as it implements MIM 2016. We will take a look at how the different features and functions of MIM 2016 will, in the end, solve all the issues that the company detects.

The use of digital identities through smart cards is very new to them, so they decided that this should initially be implemented as a proof of concept.

The history of Microsoft Identity 2016

In 1999, Microsoft bought a company called Zoomit, which had a product called VIA, a directory synchronization product. Microsoft incorporated Zoomit VIA into the product known as Microsoft Metadirectory Services (MMS). MMS was only available as a Microsoft Consulting Services solution.

Microsoft released Microsoft Identity Integration Server (MIIS) in 2003, which was the first publicly available version of the synchronization engine we know today as MIM 2016 Synchronization Service.

In 2005, Microsoft bought a company called Alacris. Alacris had a product called IdNexus that managed certificates and smart cards, which Microsoft renamed Certificate Lifecycle Manager (CLM).

Microsoft took MIIS (now with Service Pack 2) and CLM and consolidated them into a new product in 2007 called Identity Lifecycle Manager 2007 (ILM 2007). ILM 2007 was a directory synchronization tool with the optional certificate management feature.

In 2010, Microsoft released Forefront Identity Manager 2010 (FIM 2010). FIM 2010 added the FIM Service component, which provides workflow capabilities, self-service capabilities, and a codeless provisioning option to the synchronization engine. Many identity management operations that used to require a lot of coding were suddenly available without a single line of code.

Microsoft announced the acquisition of some of the BHOLD suite in 2011, which is a product that provides identity and access governance functionality. A year later, in 2012, FIM 2010 R2 was released, reporting was added, BHOLD and additional browser support for Password Reset Portal were incorporated, performance was improved, and better troubleshooting capabilities were introduced. Support for Active Directory 2012, SQL Server 2012, and Exchange 2013 was added with FIM 2010 R2 Service Pack 1, which was released in 2013.

Components at a glance

Let's take a look at the major components of MIM in the following table:




MIM Synchronization Service, Sync Engine, or MIM Sync

This is the Windows service that handles identity and password synchronization between systems.

The MIM component is required. It uses the SQL database to store its configuration and configured identity information.

MIM Portal

This is the IIS website that can be used for administrative management and user self-service.

It uses SQL database to store its schema, policies, and identity information. This is required for codeless provisioning.

MIM Service

This is the Windows service that provides MIM Portal with web APIs.

It is an optional MIM component. This is required if you want to deploy MIM Portal or the self-service password reset.


This is the suite of services and tools that integrates with MIM and enhances its offerings by adding RBAC, attestation, analytics, and role reporting.

This is an optional MIM component. It uses the SQL database and IIS and is a required component if you want RBAC.


Adds new tables and the SQL agent job to allow SCSM to interact with MIM Service to produce historical reports.

This is an optional MIM component. It uses SQL Server Reporting Service, SCSM, and Data Warehouse.

MIM Synchronization Service

MIM Synchronization Service is the oldest member of Microsoft's identity family. Anyone who has worked with MIIS 2003, ILM 2007, FIM 2010, or MIM 2016 will find the MIM synchronization engine very similar. Visually, the management tools look the same. MIM Synchronization Service can work by itself without any other MIM component installed, although not all product features are possible using only MIM Synchronization Service.

MIM Synchronization Service is like a heart that pumps identity data between systems. Identity data could be a new user account, an update to someone's department, an updated member of a group, the modification of a contact, and so on. Synchronization is sometimes referred to as data flowing from one system to another, and this is a good way to think of it.

We will explore the MIM Synchronization Service features and dive deeper into why the MIM Synchronization Service is such a powerful tool when leveraged with the rest of the identity management stack.

MIM Portal and Service

MIM Portal is usually the starting point for administrators who configure the MIM Service because of its SharePoint recognizable web components. MIM Service has its own database, in which it stores information about the identities it manages. MIM Portal is the way to make changes to these identities, which can trigger changes in other connected systems.

MIM Service plays many roles in MIM, and during the design phase, the capabilities of MIM Service are often in focus. MIM Service allows you to enforce the Identity Management policy within your organization and also makes sure you are compliant at all times.

MIM Portal can be used for self-service scenarios, allowing users to manage some aspect of the Identity Management process. For example, the self-service password reset is only possible after you deploy MIM service.

MIM Portal is actually an ASP.NET application using Microsoft SharePoint as a foundation, and can be modified in many ways. MIM Service adds custom activities around the MIM and cloud integration story.

The configuration of MIM Service is usually done using MIM Portal, but it may also be configured using PowerShell or even your own custom interface.

MIM Certificate Management

Certificate Management is an optional MIM component. MIM CM can be, and often is, used by itself without any other parts of MIM being present. It is also the component with the poorest integration with other components.

You will find that it hasn't changed much since its predecessor, Certificate Lifecycle Manager (CLM), was released.

MIM CM is mainly focused on managing smart cards, but it can also be used to manage and trace any type of certificate requests. This also includes machine certificates, but there is a slight limitation when we move to machine certs. FIM CM was developed around the user context.

The basic concept of MIM CM is that a smart card is requested using the MIM CM portal. Information regarding all requests is stored in the MIM CM database.

The certification authority, which handles the issuing of the certificates, is configured to report the status back to the MIM CM database.

The MIM CM portal also contains a workflow engine so that the MIM CM admin can configure features such as e-mail notifications as a part of the policies.

In MIM, we add new features, which include the modern app for Windows. Also, a new REST API will be introduced, which we will explore and configure in conjunction with the modern app with MIM CM.

During the configuration, we'll explore the authentication and authorization settings in more detail. This will enable you to fully understand the permission model around MIM CM that is required.

Role-Based Access Control (RBAC) with BHOLD

BHOLD is one of the newest members of MIM and was introduced in Forefront Identity Manager 2010. The acquisition helped customers implement and overcome compliance issues, IT security issues, operational fantasy, and business agility. One of the benefits of BHOLD is that we can easily define and manage access-based user roles that also regularly ensure that access rates are maintained. Also, the integration between BHOLD and FIM enables users with a self-service access request and approval process.

The BHOLD suite encompasses its own reporting analytics, which is the model generator to define working with roles. We will dive into the attestation engine's core role within BHOLD and deployment scenarios. In all these components, the BHOLD core is required. In the coming chapters, we will discuss and touch upon what all of these available suites do and the capability they bring to your organization.

MIM Reporting

Reporting was brand new to FIM and added the capability to audit users and groups via completed MIM Portal requests. This MIM component provides integrated reporting with System Center Service Manager as the main engine.

The purpose of Reporting is to give you a chance to view historical data. There are some reports already built into MIM 2016, and organizations also have the option to develop their own reports that comply with their Identity Management policies.

In Chapter 13, Reporting, we will discuss how Reporting works, the main components involved, and how you can create custom reports.

Privilege Access Management

Privilege Access Management (PAM) provides the ability to defend against particular vulnerabilities, such as "pass-the-hash", spear-phishing, and other hacking techniques that attempt to gain high privileges across the enterprise. PAM integrates with Active Directory to apply an expiration to group membership. That is to say, the membership of a highly privileged (and organizationally chosen) group is automatically removed by Active Directory after a specified duration. MIM adds self-service request capabilities, allowing users who are granted the permission to request the membership of a group to receive membership for a specified time. The end result is that people no longer need the permanent membership of highly privileged groups.


We will put this part in here, not to tell you how MIM 2016 is licensed but rather to tell you that it can be complex. Depending on which parts you are using—and, in some cases, how you are using them—you need to buy different licenses. MIM 2016 will continue to use both Server licenses and Client Access Licenses (CALs).

In almost every MIM project, the licensing cost has been negligible compared to the benefit of implementing it (for example, adding up the operational cost of provisioning a single user or resetting a password while considering typos, the accounts not done on time, or those left active that should have been disabled). There are strong reasons for having identity management in every business, and if you are reading this book, we would expect you to have already come to the conclusion that identity management will save you money. But even so, make sure you contact your Microsoft licensing partner or your Microsoft contact to clear any questions you might have about licensing.

Also, note that at the time of writing this book, Microsoft has stated that you can install and use Microsoft System Center Service Manager for MIM Reporting without having to buy SCSM licenses.

Read more about MIM Licensing at


The Financial Company will reduce the new employee account provision time by implementing MIM 2016. MIM 2016 will be used to terminate and disable accounts, manage roles, groups, and secure HPA. Empowering end users to perform self-service password resets will reduce helpdesk calls. You now know a little about the company we will be using in this book to explain concepts. We have outlined the bit of the history of how the product evolved and an overview of each component.

As you can see, Microsoft Identity Manager 2016 is not just one product but a family of products. We gave you a short overview of the different components, new and old, and together, we will go through the challenges of The Financial Company and implement some solutions.

For those who have worked with the previous versions of Microsoft Identity Manager 2016, you will see that the platform has not changed much other than a few additional features and platform-supported items. Still, we will explore the components that have been around for years and provide information you may have missed.

In the next chapter, we will look at how to install and configure some of the MIM components. We will then dig into the component details. In some areas, we will go deeper than others because we feel there is a lack of good material on the topic. There is a lot of material to cover, and at one point, we needed to make a judgment call on what would help the largest amount of people while keeping the book at a reasonable size.

Left arrow icon Right arrow icon

Key benefits

  • Get to grips with the basics of identity management and get acquainted with the MIM components and functionalities
  • Discover the newly-introduced product features and how they can help your organization
  • A step-by-step guide to enhance your foundational skills in using Microsoft Identity Manager from those who have taught and supported large and small enterprise customers


Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement. The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices. By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

What you will learn

[*]Install MIM components [*]Find out about the MIM synchronization, its configuration settings, and advantages [*]Get to grips with the MIM service capabilities and develop custom activities [*]Use the MIM Portal to provision and manage an account [*]Mitigate access escalation and lateral movement risks using privileged access management [*]Configure client certificate management and its detailed permission model [*]Troubleshoot MIM components by enabling logging and reviewing logs [*]Back up and restore the MIM 2015 configuration [*]Discover more about periodic purging and the coding best practices

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Buy Now

Product Details

Publication date : Jul 19, 2016
Length 692 pages
Edition : 1st Edition
Language : English
ISBN-13 : 9781785283925
Vendor :
Category :

Table of Contents

22 Chapters
Microsoft Identity Manager 2016 Handbook Chevron down icon Chevron up icon
Credits Chevron down icon Chevron up icon
About the Authors Chevron down icon Chevron up icon
About the Reviewers Chevron down icon Chevron up icon Chevron down icon Chevron up icon
Preface Chevron down icon Chevron up icon
1. Overview of Microsoft Identity Manager 2016 Chevron down icon Chevron up icon
2. Installation Chevron down icon Chevron up icon
3. MIM Sync Configuration Chevron down icon Chevron up icon
4. MIM Service Configuration Chevron down icon Chevron up icon
5. User Management Chevron down icon Chevron up icon
6. Group Management Chevron down icon Chevron up icon
7. Role-Based Access Control with BHOLD Chevron down icon Chevron up icon
8. Reducing Threats with PAM Chevron down icon Chevron up icon
9. Password Management Chevron down icon Chevron up icon
10. Overview of Certificate Management Chevron down icon Chevron up icon
11. Installation and the Client Side of Certificate Management Chevron down icon Chevron up icon
12. Certificate Management Scenarios Chevron down icon Chevron up icon
13. Reporting Chevron down icon Chevron up icon
14. Troubleshooting Chevron down icon Chevron up icon
15. Operations and Best Practices Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon

Customer reviews

Filter icon Filter
Top Reviews
Rating distribution
Empty star icon Empty star icon Empty star icon Empty star icon Empty star icon 0
(0 Ratings)
5 star 0%
4 star 0%
3 star 0%
2 star 0%
1 star 0%

Filter reviews by

No reviews found
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial


How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to
  • To contact us directly if a problem is not resolved, use
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.