Microsoft Identity Manager 2016 Handbook

4.8 (11 reviews total)
By David Steadman , Jeff Ingalls
    What do you get with a Packt Subscription?

  • Instant access to this title and 7,500+ eBooks & Videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Overview of Microsoft Identity Manager 2016

About this book

Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement.

The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices.

By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Publication date:
July 2016
Publisher
Packt
Pages
692
ISBN
9781785283925

 

Chapter 1. Overview of Microsoft Identity Manager 2016

Microsoft Identity Manager 2016 (MIM 2016) is not one product but a family of products working together to mitigate challenges regarding identity management. In this chapter, we will discuss the MIM family and provide a brief overview of the major components available. The following diagram shows a high-level overview of the MIM family and the components relevant to an MIM 2016 implementation:

Within the MIM family, there are some parts that can live by themselves and others that depend on other parts. To fully utilize the power of MIM 2016, you should have all the parts in place, if possible. At the center, we have MIM Service and MIM Synchronization Service (MIM Sync). The key to a successful implementation of MIM 2016 is to understand how these two components work—by themselves as well as together.

 

The Financial Company


The name of our fictitious company is The Financial Company. The Financial Company is neither small nor big. We will not give you any indication of the size of this company because we do not want you to take our example setup as being optimized for a company of a particular size, although we will provide some rough sizing guidelines later.

As with many other companies, The Financial Company tries to keep up with modern techniques within their IT infrastructure and is greatly concerned with unauthorized security issues. They are a big fan of Microsoft and live by the following principle:

If Microsoft has a product that can do it, let's try that one first.

The concept of cloud computing is still somewhat fuzzy to them, and they do not yet know how or when they will be using it. They do understand that in the near future, this technology will be an important factor for them, so they have decided that for every new system or function that needs to be implemented, they will take cloud computing into account.

 

The challenges


During a recent inventory of the systems and functions that their IT department supported, a number of challenges were found. We will now have a look at some of the identity management (IdM)-related challenges that were uncovered.

Provisioning of users

The Financial Company discovered a new employee or contractor may wait up to a week before accounts are provisioned to the various required systems, and the correct access is granted to each person to do his/her job. The Financial Company would like account provisioning and proper access granted within a few hours.

The identity life cycle procedures

A number of identity life cycle management issues were found.

Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or after they changed their job. The termination and disabling of identities was also sometimes missed. A security review found active accounts of users who had left the company more than six months ago.

The security review found one HR consultant who had left The Financial Company months ago that still had VPN access and an active administrative HR account. The access should have been disabled when the project was completed and the consultant's contract had ended.

The Financial Company would like a way of defining identity management policies and a tool that detects anomalies and enforces their business policies. The Financial Company would like business policy enforcement to take no more than a few hours.

Highly privileged accounts (HPA)

The Financial Company has been successful in reducing the number of powerful administrative accounts over the last few years; however, a few still exist. There are also other highly privileged accounts and a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.

Public key infrastructure (PKI) within The Financial Company is a one-layer PKI, using an Enterprise Root CA without hardware security module (HSM). The CSO is concerned that it is not sufficient to start using smart cards because he feels the assurance level of the PKI is not high enough.

Password management

The helpdesk at The Financial Company spends a lot of time helping users who have forgotten their password. Password resets are done for internal users as well as partners with access to shared systems.

Traceability

The Financial Company found that they had no processes or tools in place to trace the status of identities and roles historically. They wanted to be able to answer questions such as:

  • Who was a member of the Domain Admins group in April?

  • When was John's account disabled, and who approved it?

 

The environment


The following diagram gives you an overview of the relevant parts of the current infrastructure within The Financial Company:

The diagram does not represent any scaling scenarios but rather shows the different functions we will be using in this book.

In the following table, you will find a short summary of the systems involved:

System

Usage

Products installed/to be installed

DC

This is the domain controller for the Active Directory domain thefinancialcompany.net.

The AD DS and DNS roles need to be installed.

CA

This is the Enterprise Root CA. The Financial Company uses only a one-layer PKI without any HSM.

AD CS, including the Web Enrollment role, needs to be installed.

SQL

The central Microsoft SQL server is used by many systems. Among these systems are the HR and Phone systems.

SQL Server 2014, including Integration Services, needs to be installed.

TFCEX01/02

This is the e-mail system.

Exchange 2013 needs to be installed.

TFCMIM02

This is the test and development server for MIM.

SQL Server 2014 and Visual Studio 2013, along with MIM Sync, Service, and Portal, need to be installed.

TFCSYNC01/0

This is the MIM Synchronization server.

MIM Synchronization service.

TFCMIM01

This is the MIM Web Service and Portal server.

MIM Service and MIM Portal need to be installed.

TFCCM01

This is the MIM Certificate Management server.

MIM CM Service and Portal need to be installed.

TFCSSPR01

This is the MIM Password Registration and Reset server.

MIM Password Registration and Reset need to be installed.

TFCSCSM-MGMT01

This is the SCSM Management server used by MIM Reporting.

SQL Server 2014 and System Center Service Manager need to be installed.

TFCSCSM-DW01

SCSM Data Warehouse server used by MIM Reporting.

SQL Server 2014 and System Center Service Manager need to be installed.

All systems have Microsoft Windows Server 2012 R2 as the operating system.

The products installed or to be installed show the status of the systems when we start our journey in this book. Details about the features and products already installed will be explained in Chapter 2, Installation.

The Active Directory domain within The Financial Company is thefinancialcompany.net, which uses TFC as the NetBIOS name. The public domain used by The Financial Company is thefinancialcompany.net; this is also the primary e-mail domain used.

 

Moving forward


The CIO, CSO, and CTO of The Financial Company found that the solutions explained to them by the identity management company would indeed help mitigate the challenges they were facing. They decided to implement MIM 2016.

In this book, we will follow The Financial Company as it implements MIM 2016. We will take a look at how the different features and functions of MIM 2016 will, in the end, solve all the issues that the company detects.

The use of digital identities through smart cards is very new to them, so they decided that this should initially be implemented as a proof of concept.

 

The history of Microsoft Identity 2016


In 1999, Microsoft bought a company called Zoomit, which had a product called VIA, a directory synchronization product. Microsoft incorporated Zoomit VIA into the product known as Microsoft Metadirectory Services (MMS). MMS was only available as a Microsoft Consulting Services solution.

Microsoft released Microsoft Identity Integration Server (MIIS) in 2003, which was the first publicly available version of the synchronization engine we know today as MIM 2016 Synchronization Service.

In 2005, Microsoft bought a company called Alacris. Alacris had a product called IdNexus that managed certificates and smart cards, which Microsoft renamed Certificate Lifecycle Manager (CLM).

Microsoft took MIIS (now with Service Pack 2) and CLM and consolidated them into a new product in 2007 called Identity Lifecycle Manager 2007 (ILM 2007). ILM 2007 was a directory synchronization tool with the optional certificate management feature.

In 2010, Microsoft released Forefront Identity Manager 2010 (FIM 2010). FIM 2010 added the FIM Service component, which provides workflow capabilities, self-service capabilities, and a codeless provisioning option to the synchronization engine. Many identity management operations that used to require a lot of coding were suddenly available without a single line of code.

Microsoft announced the acquisition of some of the BHOLD suite in 2011, which is a product that provides identity and access governance functionality. A year later, in 2012, FIM 2010 R2 was released, reporting was added, BHOLD and additional browser support for Password Reset Portal were incorporated, performance was improved, and better troubleshooting capabilities were introduced. Support for Active Directory 2012, SQL Server 2012, and Exchange 2013 was added with FIM 2010 R2 Service Pack 1, which was released in 2013.

Components at a glance

Let's take a look at the major components of MIM in the following table:

Component

Description

Details

MIM Synchronization Service, Sync Engine, or MIM Sync

This is the Windows service that handles identity and password synchronization between systems.

The MIM component is required. It uses the SQL database to store its configuration and configured identity information.

MIM Portal

This is the IIS website that can be used for administrative management and user self-service.

It uses SQL database to store its schema, policies, and identity information. This is required for codeless provisioning.

MIM Service

This is the Windows service that provides MIM Portal with web APIs.

It is an optional MIM component. This is required if you want to deploy MIM Portal or the self-service password reset.

BHOLD

This is the suite of services and tools that integrates with MIM and enhances its offerings by adding RBAC, attestation, analytics, and role reporting.

This is an optional MIM component. It uses the SQL database and IIS and is a required component if you want RBAC.

Reporting

Adds new tables and the SQL agent job to allow SCSM to interact with MIM Service to produce historical reports.

This is an optional MIM component. It uses SQL Server Reporting Service, SCSM, and Data Warehouse.

 

MIM Synchronization Service


MIM Synchronization Service is the oldest member of Microsoft's identity family. Anyone who has worked with MIIS 2003, ILM 2007, FIM 2010, or MIM 2016 will find the MIM synchronization engine very similar. Visually, the management tools look the same. MIM Synchronization Service can work by itself without any other MIM component installed, although not all product features are possible using only MIM Synchronization Service.

MIM Synchronization Service is like a heart that pumps identity data between systems. Identity data could be a new user account, an update to someone's department, an updated member of a group, the modification of a contact, and so on. Synchronization is sometimes referred to as data flowing from one system to another, and this is a good way to think of it.

We will explore the MIM Synchronization Service features and dive deeper into why the MIM Synchronization Service is such a powerful tool when leveraged with the rest of the identity management stack.

 

MIM Portal and Service


MIM Portal is usually the starting point for administrators who configure the MIM Service because of its SharePoint recognizable web components. MIM Service has its own database, in which it stores information about the identities it manages. MIM Portal is the way to make changes to these identities, which can trigger changes in other connected systems.

MIM Service plays many roles in MIM, and during the design phase, the capabilities of MIM Service are often in focus. MIM Service allows you to enforce the Identity Management policy within your organization and also makes sure you are compliant at all times.

MIM Portal can be used for self-service scenarios, allowing users to manage some aspect of the Identity Management process. For example, the self-service password reset is only possible after you deploy MIM service.

MIM Portal is actually an ASP.NET application using Microsoft SharePoint as a foundation, and can be modified in many ways. MIM Service adds custom activities around the MIM and cloud integration story.

The configuration of MIM Service is usually done using MIM Portal, but it may also be configured using PowerShell or even your own custom interface.

 

MIM Certificate Management


Certificate Management is an optional MIM component. MIM CM can be, and often is, used by itself without any other parts of MIM being present. It is also the component with the poorest integration with other components.

You will find that it hasn't changed much since its predecessor, Certificate Lifecycle Manager (CLM), was released.

MIM CM is mainly focused on managing smart cards, but it can also be used to manage and trace any type of certificate requests. This also includes machine certificates, but there is a slight limitation when we move to machine certs. FIM CM was developed around the user context.

The basic concept of MIM CM is that a smart card is requested using the MIM CM portal. Information regarding all requests is stored in the MIM CM database.

The certification authority, which handles the issuing of the certificates, is configured to report the status back to the MIM CM database.

The MIM CM portal also contains a workflow engine so that the MIM CM admin can configure features such as e-mail notifications as a part of the policies.

In MIM, we add new features, which include the modern app for Windows. Also, a new REST API will be introduced, which we will explore and configure in conjunction with the modern app with MIM CM.

During the configuration, we'll explore the authentication and authorization settings in more detail. This will enable you to fully understand the permission model around MIM CM that is required.

 

Role-Based Access Control (RBAC) with BHOLD


BHOLD is one of the newest members of MIM and was introduced in Forefront Identity Manager 2010. The acquisition helped customers implement and overcome compliance issues, IT security issues, operational fantasy, and business agility. One of the benefits of BHOLD is that we can easily define and manage access-based user roles that also regularly ensure that access rates are maintained. Also, the integration between BHOLD and FIM enables users with a self-service access request and approval process.

The BHOLD suite encompasses its own reporting analytics, which is the model generator to define working with roles. We will dive into the attestation engine's core role within BHOLD and deployment scenarios. In all these components, the BHOLD core is required. In the coming chapters, we will discuss and touch upon what all of these available suites do and the capability they bring to your organization.

 

MIM Reporting


Reporting was brand new to FIM and added the capability to audit users and groups via completed MIM Portal requests. This MIM component provides integrated reporting with System Center Service Manager as the main engine.

The purpose of Reporting is to give you a chance to view historical data. There are some reports already built into MIM 2016, and organizations also have the option to develop their own reports that comply with their Identity Management policies.

In Chapter 13, Reporting, we will discuss how Reporting works, the main components involved, and how you can create custom reports.

 

Privilege Access Management


Privilege Access Management (PAM) provides the ability to defend against particular vulnerabilities, such as "pass-the-hash", spear-phishing, and other hacking techniques that attempt to gain high privileges across the enterprise. PAM integrates with Active Directory to apply an expiration to group membership. That is to say, the membership of a highly privileged (and organizationally chosen) group is automatically removed by Active Directory after a specified duration. MIM adds self-service request capabilities, allowing users who are granted the permission to request the membership of a group to receive membership for a specified time. The end result is that people no longer need the permanent membership of highly privileged groups.

 

Licensing


We will put this part in here, not to tell you how MIM 2016 is licensed but rather to tell you that it can be complex. Depending on which parts you are using—and, in some cases, how you are using them—you need to buy different licenses. MIM 2016 will continue to use both Server licenses and Client Access Licenses (CALs).

In almost every MIM project, the licensing cost has been negligible compared to the benefit of implementing it (for example, adding up the operational cost of provisioning a single user or resetting a password while considering typos, the accounts not done on time, or those left active that should have been disabled). There are strong reasons for having identity management in every business, and if you are reading this book, we would expect you to have already come to the conclusion that identity management will save you money. But even so, make sure you contact your Microsoft licensing partner or your Microsoft contact to clear any questions you might have about licensing.

Also, note that at the time of writing this book, Microsoft has stated that you can install and use Microsoft System Center Service Manager for MIM Reporting without having to buy SCSM licenses.

Read more about MIM Licensing at http://aka.ms/MIMLicense.

 

Summary


The Financial Company will reduce the new employee account provision time by implementing MIM 2016. MIM 2016 will be used to terminate and disable accounts, manage roles, groups, and secure HPA. Empowering end users to perform self-service password resets will reduce helpdesk calls. You now know a little about the company we will be using in this book to explain concepts. We have outlined the bit of the history of how the product evolved and an overview of each component.

As you can see, Microsoft Identity Manager 2016 is not just one product but a family of products. We gave you a short overview of the different components, new and old, and together, we will go through the challenges of The Financial Company and implement some solutions.

For those who have worked with the previous versions of Microsoft Identity Manager 2016, you will see that the platform has not changed much other than a few additional features and platform-supported items. Still, we will explore the components that have been around for years and provide information you may have missed.

In the next chapter, we will look at how to install and configure some of the MIM components. We will then dig into the component details. In some areas, we will go deeper than others because we feel there is a lack of good material on the topic. There is a lot of material to cover, and at one point, we needed to make a judgment call on what would help the largest amount of people while keeping the book at a reasonable size.

About the Authors

  • David Steadman

    David Steadman has been an IT industry influencer and dedicated husband for more than 17 years. He has held prestigious positions at some of the world's most innovative technology companies, including his service as a senior escalation engineer within the identity platform at, possibly, the most famous tech company on the planet, Microsoft. He is an entrepreneur, active learner, and a man constantly looking to develop and expand new skills in order to leverage the technology of the future. When not at his job, David enjoys family time and coaching soccer.

    Browse publications by this author
  • Jeff Ingalls

    Jeff Ingalls is a husband, father, and cancer-surviving dyslexic who works out of his Ohio home office in identity and access management. Jeff has been working with Microsoft technologies for over 20 years and with the Microsoft identity software since its conception in 2003. He has provided solutions to various private and public sectors including automotive, DoD, education, health and services, small businesses, and state and local government. He enjoys learning, teaching, and learning some more. Jeff has a graduate degree in information technology and an undergraduate degree in mathematics. In his free time, he enjoys spending time with his family, cooking, and reading non-fiction. You can reach him at [email protected].

    Browse publications by this author

Latest Reviews

(11 reviews total)
It’s a well written, excellent reference for anyone wanting to deploy MIM for the first time or if you need a refresher on a 2nd deployment.
The process to purchase the book was quick and the shipping was quick too. I was surprised how fast I received the book, but am glad I went through Packt. Thank you!
Was able to download the books instantly. Wished I would have known about the foreign transaction fees my credit card charged me. Didn't know Packt was outside the US.
Microsoft Identity Manager 2016 Handbook
Unlock this book and the full library FREE for 7 days
Start now