Microsoft Identity Manager 2016 (MIM 2016) is not one product but a family of products working together to mitigate challenges regarding identity management. In this chapter, we will discuss the MIM family and provide a brief overview of the major components available. The following diagram shows a high-level overview of the MIM family and the components relevant to an MIM 2016 implementation:
Within the MIM family, there are some parts that can live by themselves and others that depend on other parts. To fully utilize the power of MIM 2016, you should have all the parts in place, if possible. At the center, we have MIM Service and MIM Synchronization Service (MIM Sync). The key to a successful implementation of MIM 2016 is to understand how these two components work—by themselves as well as together.
The name of our fictitious company is The Financial Company. The Financial Company is neither small nor big. We will not give you any indication of the size of this company because we do not want you to take our example setup as being optimized for a company of a particular size, although we will provide some rough sizing guidelines later.
As with many other companies, The Financial Company tries to keep up with modern techniques within their IT infrastructure and is greatly concerned about security issues such as unauthorized access. They are a big fan of Microsoft and live by the following principle:
If Microsoft has a product that can do it, let's try that one first.
The concept of cloud computing is still somewhat fuzzy to them, and they do not yet know how or when they will be using it. They do understand that in the near future, this technology will be an important factor for them, so they have decided that for every new system or function that needs to be implemented, they will take cloud computing into account.
During a recent inventory of the systems and functions that their IT department supported, a number of challenges were found. We will now have a look at some of the identity management (IdM)-related challenges that were uncovered.
The Financial Company discovered that a new employee or contractor may wait up to a week before accounts are provisioned in the various required systems and the correct access is granted to each person to do his/her job. The Financial Company would like account provisioning and proper access granted within a few hours.
A number of identity life cycle management issues were found.
Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or after they changed their job. The termination and disabling of identities was also sometimes missed. A security review found active accounts of users who had left the company more than six months ago.
The security review found one HR consultant who had left The Financial Company months ago and who still had VPN access and an active administrative HR account. The access should have been disabled when the project was completed and the consultant's contract had ended.
The Financial Company would like a way of defining identity management policies and a tool that detects anomalies and enforces their business policies. The Financial Company would like business policy enforcement to take no more than a few hours.
The Financial Company has been successful in reducing the number of powerful administrative accounts over the last few years; however, a few still exist. There are also other highly privileged accounts and a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.
Public key infrastructure (PKI) within The Financial Company is a one-layer PKI, using an Enterprise Root CA without a hardware security module (HSM). The CSO is concerned that it is not sufficient to start using smart cards because he feels the assurance level of the PKI is not high enough.
The helpdesk at The Financial Company spends a lot of time helping users who have forgotten their password. Password resets are done for internal users as well as partners with access to shared systems.
The Financial Company found that they had no processes or tools in place to trace the status of identities and roles historically. They wanted to be able to answer questions such as:
Who was a member of the Domain Admins group in April?
When was John's account disabled, and who approved it?
The following diagram gives you an overview of the relevant parts of the current infrastructure within The Financial Company:
The diagram does not represent any scaling scenarios but rather shows the different functions we will be using in this book.
In the following table, you will find a short summary of the systems involved:
All systems have Microsoft Windows Server 2012 R2 as the operating system.
The products installed or to be installed show the status of the systems when we start our journey in this book. Details about the features and products already installed will be explained in Chapter 2, Installation.
The Active Directory domain within The Financial Company is thefinancialcompany.net, which uses TFC as the NetBIOS name. The public domain used by The Financial Company is thefinancialcompany.net; this is also the primary e-mail domain used.
The CIO, CSO, and CTO of The Financial Company found that the solutions explained to them by the identity management company would indeed help mitigate the challenges they were facing. They decided to implement MIM 2016.
In this book, we will follow The Financial Company as it implements MIM 2016. We will take a look at how the different features and functions of MIM 2016 will, in the end, solve all the issues that the company detects.
The use of digital identities through smart cards is very new to them, so they decided that this should initially be implemented as a proof of concept.
In 1999, Microsoft bought a company called Zoomit, which had a product called VIA, a directory synchronization product. Microsoft incorporated Zoomit VIA into the product known as Microsoft Metadirectory Services (MMS). MMS was only available as a Microsoft Consulting Services solution.
Microsoft released Microsoft Identity Integration Server (MIIS) in 2003, which was the first publicly available version of the synchronization engine we know today as MIM 2016 Synchronization Service.
In 2005, Microsoft bought a company called Alacris. Alacris had a product called IdNexus that managed certificates and smart cards, which Microsoft renamed Certificate Lifecycle Manager (CLM).
Microsoft took MIIS (now with Service Pack 2) and CLM and consolidated them into a new product in 2007 called Identity Lifecycle Manager 2007 (ILM 2007). ILM 2007 was a directory synchronization tool with the optional certificate management feature.
In 2010, Microsoft released Forefront Identity Manager 2010 (FIM 2010). FIM 2010 added the FIM Service component, which provides workflow capabilities, self-service capabilities, and a codeless provisioning option to the synchronization engine. Many identity management operations that used to require a lot of coding were suddenly available without a single line of code.
Microsoft announced the acquisition of parts of the BHOLD suite in 2011, a product that provides identity and access governance functionality. A year later, in 2012, FIM 2010 R2 was released: reporting was added, BHOLD and additional browser support for the Password Reset Portal were incorporated, performance was improved, and better troubleshooting capabilities were introduced. Support for Active Directory 2012, SQL Server 2012, and Exchange 2013 was added with FIM 2010 R2 Service Pack 1, which was released in 2013.
Let's take a look at the major components of MIM in the following table:
MIM Synchronization Service is the oldest member of Microsoft's identity family. Anyone who has worked with MIIS 2003, ILM 2007, FIM 2010, or MIM 2016 will find the MIM synchronization engine very similar. Visually, the management tools look the same. MIM Synchronization Service can work by itself without any other MIM component installed, although not all product features are possible using only MIM Synchronization Service.
MIM Synchronization Service is like a heart that pumps identity data between systems. Identity data could be a new user account, an update to someone's department, a change in group membership, the modification of a contact, and so on. Synchronization is sometimes described as data flowing from one system to another, and this is a good way to think of it.
We will explore the MIM Synchronization Service features and dive deeper into why the MIM Synchronization Service is such a powerful tool when leveraged with the rest of the identity management stack.
MIM Portal is usually the starting point for administrators who configure the MIM Service because of its recognizable SharePoint-based web components. MIM Service has its own database, in which it stores information about the identities it manages. MIM Portal is the way to make changes to these identities, which can in turn trigger changes in other connected systems.
MIM Service plays many roles in MIM, and during the design phase, the capabilities of MIM Service are often in focus. MIM Service allows you to enforce the Identity Management policy within your organization and also makes sure you are compliant at all times.
MIM Portal can be used for self-service scenarios, allowing users to manage some aspects of the Identity Management process themselves. For example, self-service password reset is only possible after you deploy MIM Service.
MIM Portal is actually an ASP.NET application using Microsoft SharePoint as a foundation, and can be modified in many ways. MIM Service adds custom activities around the MIM and cloud integration story.
The configuration of MIM Service is usually done using MIM Portal, but it may also be configured using PowerShell or even your own custom interface.
Certificate Management is an optional MIM component. MIM CM can be, and often is, used by itself without any other parts of MIM being present. It is also the component with the poorest integration with other components.
You will find that it hasn't changed much since its predecessor, Certificate Lifecycle Manager (CLM), was released.
MIM CM is mainly focused on managing smart cards, but it can also be used to manage and trace any type of certificate request. This includes machine certificates, but there is a slight limitation when we move to machine certificates: FIM CM was developed around the user context.
The basic concept of MIM CM is that a smart card is requested using the MIM CM portal. Information regarding all requests is stored in the MIM CM database.
The certification authority, which handles the issuing of the certificates, is configured to report the status back to the MIM CM database.
The MIM CM portal also contains a workflow engine so that the MIM CM admin can configure features such as e-mail notifications as a part of the policies.
MIM 2016 adds new features to CM, including a modern app for Windows. A new REST API is also introduced, which we will explore and configure in conjunction with the modern app for MIM CM.
During the configuration, we'll explore the authentication and authorization settings in more detail. This will enable you to fully understand the permission model around MIM CM that is required.
BHOLD is one of the newest members of MIM and was introduced in Forefront Identity Manager 2010. The acquisition helped customers overcome compliance issues, IT security issues, operational efficiency, and business agility challenges. One of the benefits of BHOLD is that we can easily define and manage access-based user roles and regularly ensure that access rights are kept as intended. The integration between BHOLD and FIM also provides users with a self-service access request and approval process.
The BHOLD suite includes its own reporting and analytics, a model generator for defining and working with roles, and an attestation engine; we will dive into the attestation engine's core role within BHOLD and the deployment scenarios. All of these components require the BHOLD core. In the coming chapters, we will discuss what each of these available suites does and the capability it brings to your organization.
Reporting was brand new in FIM 2010 R2 and added the capability to audit users and groups via completed MIM Portal requests. This MIM component provides integrated reporting with System Center Service Manager as the main engine.
The purpose of Reporting is to give you a chance to view historical data. There are some reports already built into MIM 2016, and organizations also have the option to develop their own reports that comply with their Identity Management policies.
In Chapter 13, Reporting, we will discuss how Reporting works, the main components involved, and how you can create custom reports.
Privileged Access Management (PAM) provides the ability to defend against particular attacks, such as "pass-the-hash", spear-phishing, and other hacking techniques that attempt to gain high privileges across the enterprise. PAM integrates with Active Directory to apply an expiration to group membership. That is to say, the membership of a highly privileged (and organizationally chosen) group is automatically removed by Active Directory after a specified duration. MIM adds self-service request capabilities, allowing users who are granted the permission to request membership of a group to receive that membership for a specified time. The end result is that people no longer need permanent membership of highly privileged groups.
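The mechanism the paragraph above describes, expiring group membership enforced by Active Directory itself, can be seen directly with the Active Directory PowerShell module. The following script is an added illustration and is not code from the book or from MIM; it assumes an AD DS forest at the Windows Server 2016 functional level with the "Privileged Access Management Feature" optional feature enabled, and the group name, user name and duration are constructed placeholders.

```powershell
# Added illustration (not from the book): time-bound group membership in AD DS.
# Assumes a Windows Server 2016 (or later) forest with the optional
# "Privileged Access Management Feature" enabled; names below are placeholders.
Import-Module ActiveDirectory

$Group    = 'Tier0-ServerAdmins'   # placeholder privileged group
$User     = 'jdoe'                 # placeholder requester
$Duration = New-TimeSpan -Hours 2  # how long the elevated membership should last

# 1. Confirm the forest supports expiring links. Without the optional feature,
#    -MemberTimeToLive is not accepted and membership would be permanent.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Privileged*"'
if (-not $feature -or -not $feature.EnabledScopes) {
    throw 'PAM optional feature is not enabled in this forest; refusing to grant permanent membership.'
}

# 2. Grant membership with a TTL. Active Directory removes the link when the
#    TTL reaches zero, so no clean-up job or ticket is needed to revoke access.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Duration

# 3. Audit: list members with their remaining TTL. AD returns expiring links as
#    "<TTL=seconds,DN>"; entries without that prefix are permanent members and
#    are the ones a security review should question.
$members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
foreach ($m in $members) {
    if ($m -match '^<TTL=(\d+),(.*)>$') {
        [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Permanent = $false }
    }
    else {
        [pscustomobject]@{ Member = $m; SecondsLeft = $null; Permanent = $true }
    }
}
```

Running step 3 on its own, scheduled against every privileged group, gives a simple report of which members are time-bound and which are permanent, which is the historical-membership question The Financial Company raised earlier in this chapter, answered at least for the present moment.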
We will put this part in here, not to tell you how MIM 2016 is licensed but rather to tell you that it can be complex. Depending on which parts you are using—and, in some cases, how you are using them—you need to buy different licenses. MIM 2016 will continue to use both Server licenses and Client Access Licenses (CALs).
In almost every MIM project, the licensing cost has been negligible compared to the benefit of implementing it (for example, adding up the operational cost of provisioning a single user or resetting a password while considering typos, the accounts not done on time, or those left active that should have been disabled). There are strong reasons for having identity management in every business, and if you are reading this book, we would expect you to have already come to the conclusion that identity management will save you money. But even so, make sure you contact your Microsoft licensing partner or your Microsoft contact to clear any questions you might have about licensing.
Also, note that at the time of writing this book, Microsoft has stated that you can install and use Microsoft System Center Service Manager for MIM Reporting without having to buy SCSM licenses.
Read more about MIM Licensing at http://aka.ms/MIMLicense.
The Financial Company will reduce the time to provision new employee accounts by implementing MIM 2016. MIM 2016 will be used to terminate and disable accounts, manage roles and groups, and secure highly privileged accounts (HPA). Empowering end users to perform self-service password resets will reduce helpdesk calls. You now know a little about the company we will be using in this book to explain concepts. We have outlined a bit of the history of how the product evolved and given an overview of each component.
As you can see, Microsoft Identity Manager 2016 is not just one product but a family of products. We gave you a short overview of the different components, new and old, and together, we will go through the challenges of The Financial Company and implement some solutions.
Those who have worked with previous versions of Microsoft Identity Manager will see that the platform has not changed much other than a few additional features and newly supported platforms. Still, we will explore the components that have been around for years and provide information you may have missed.
In the next chapter, we will look at how to install and configure some of the MIM components. We will then dig into the component details. In some areas, we will go deeper than others because we feel there is a lack of good material on the topic. There is a lot of material to cover, and at one point, we needed to make a judgment call on what would help the largest amount of people while keeping the book at a reasonable size.