FIM to MIM migration: What you need to know

What does that mean for organisations who rely on the system to manage users’ digital identities and credentials?

Now that withdrawal of mainstream support has been announced, FIM to MIM migration has gone from being a recommended course of action to an essential one. Here’s an overview of everything that current FIM users need to know about this upcoming change.

What is happening with FIM support?

According to the Microsoft product lifecycle site, mainstream support for FIM 2010 R2 SP1 is due to end on October 10 2017.

To enable continuous improvement of Microsoft software, updates and fixes are created and released as a single package (called a service pack) that is made available for installation. When a new service pack is released, Microsoft provides either 12 or 14 months of support for the previous service pack.

When support for a service pack ends, Microsoft no longer provides new security updates, DST updates, or other non-security updates for that service pack. Customers are highly encouraged to stay on a fully supported service pack to ensure they are on the latest and most secure version of their product.

Note that extended support is due to end on October 11 2022. For definitions of mainstream support, extended support and self-help online support, see here: https://support.microsoft.com/en-us/help/14085. Note that support for FIM 2010 R2 ended on April 8 2014.

What impact will the end of FIM support have on organisations using FIM for their identity management?

Unless the organisation pays Microsoft for extended support after October 10 2017, only security updates will be issued. Also, if you have a support contract with a Microsoft Partner such as OCG, they will be unable to assist with non-security related issues caused by bugs in the product. There have been no hot fixes for FIM since MIM SP1 was released.

So what are the options?

Well, you can either pay Microsoft for the extended support to keep them updated until 2022. Alternatively, you can upgrade your IAM system by migrating from FIM to its replacement, Microsoft Identity Manager (MIM), which was released in 2016.

What is Microsoft Identity Manager (MIM)?

Microsoft Identity Manager (MIM) 2016 builds on the identity and access management capabilities of FIM 2010 R2, helping you to manage the users, credentials, policies and access within your organization.

Additionally, MIM 2016 adds a hybrid experience, privileged access management (PAM) capabilities, and support for new platforms.

None of this new functionality has been released in any FIM hot fixes. It is therefore only available with MIM.

What’s the difference between FIM and MIM?

A further case for FIM to MIM migration can be made in terms of the added benefits Microsoft’s more recent product provides. MIM 2016 works alongside Azure to give you control over your full environment. It retains the same familiar interface as FIM 2010 R2 SP1, but with the addition of:

• Hybrid reporting in Azure presents your cloud and on-premises data in one place.
• Self-Service Password Reset portal supports Azure multi-factor authentication (MFA)
• Self-service scenarios, which now include Account Unlock and multi-factor authentication gate for Password Reset
• Privileged Access Management (PAM) which controls and manages administrative access to on-premises resources, including Active Directory Domain Services, by providing temporary, task-based access.

This means you can give administrators only as much permission as necessary, which lowers the chances of a cyber attacker gaining full administrative access. In addition, PAM extracts and isolates administrative accounts from existing Active Directory forests.

The MIM 2016 Service Pack 1 improves further on MIM 2016 RTM by providing:

• MIM Portal cross-browser compatibility for end-user self-service: Microsoft has introduced support for most major browsers. Users may now access and interact with the MIM Portal for self-service group and profile management from Edge, Chrome, and Safari.
• MIM Service support for Exchange Online: the MIM Service has long supported sending and receiving emails for approvals and notifications. Prior to SP1, MIM only supported Exchange Server to SMTP. With SP1, the MIM Service can send and receive requests as well as email notifications using an Office 365 Exchange online account.
• Image file format validation on upload: MIM is now able to validate the file format of images when they are uploaded to the portal
• PAM Enhancements
  • “PRIV” (bastion) forest support for Windows Server 2016 functional level
  • Privileged account elevation into groups exclusive to the “PRIV” (bastion) forest
  • PAM Deployment Scripts
  • PAM Cmdlets for Authentication Policy Silo configuration
  • Upgraded platform support including Windows Server 2016, SQL 2016 and SharePoint 2016
  • Bug fixes for MIM 2016 RTM

• A new hot fix (4.4.1459.0) has been released for MIM 2016 SP1 which, as well as addressing some bugs, offers the following enhancements:
  • Support for SQL 2016 Always On Availability Groups
  • SSPR with Web Application Proxy
  • Support for SCSM 2016 for FIM / MIM Reporting
  • Support for FIMService Dynamic Logging
  • Support for CustomObject (ExplicitMember) Membership Management
  • Approval Justification Blog
  • Updated Support Platforms – note that Microsoft have confirmed that they have not correctly updated their website to reflect the newly-supported platforms yet, but are working on it

FIM to MIM Migration

Customers often ask us how long it would take to migrate from FIM to MIM. This varies considerably depending upon such things as the complexity of the FIM solution, how many environments (Dev, Test, Pre-Prod, Prod etc.) need to be updated, the number and type of Management Agents, and the risk assessment of the solution.

We have some clients who have upgraded within a few weeks, and some which take months of consulting, planning and project management effort to complete. One thing we strongly advise is that you don’t try and change any functionality at the same time as migration to MIM, otherwise troubleshooting will be adversely affected.

Customers also ask what would happen if they don’t migrate to MIM before mainstream support is withdrawn. In actual fact, usually nothing. Security updates will continue to be released until the end of extended support in 2022, but if you experience a problem caused by a bug in the product, it will not be addressed by Microsoft unless you have purchased extended support. Even then, per-incident charges may apply.

In summary, it’s a risk-based decision which you need to discuss with your business representatives.