MIM is a key player in the on-premises identity management scene. Let’s explore how it works, the benefits of using it, its relationship with the Cloud, and what lies ahead.
With the world increasingly heading towards the Cloud, you may find yourself wondering what use you have for a predominantly on-premises identity management solution – and whether it’s still worth investing in.
In this blog, I’ll provide answers to the most commonly asked questions around Microsoft Identity Manager, including what it is, how it works, how it came to be, and where it’s headed.
MIM is an identity management solution that enables your organisation to simplify identity lifecycle management with automated workflows, business rules, and easy integration with heterogeneous platforms across the datacentre.
MIM allows an organisation to have the correct users and access rights for Active Directory and on-premises business applications.
By leveraging Azure AD Connect, this information can be made available in Azure AD for Microsoft 365 and cloud-hosted apps to use.
MIM consists of several related components:
Common MIM scenarios include:
Automatic identity and group provisioning based on business policy and workflow-driven provisioning.
Integration of the contents of directories with HR systems and other sources of authority.
Synchronising identities between directories, databases, and on-premises applications through common APIs and protocols, using both Microsoft- and partner-delivered connectors.
MIM has come a long way from its origins as Zoomit’s VIA, the most widely deployed metadirectory product of the late-90s. Once acquired by Microsoft in ‘99 – and a whole series of subsequent technology acquisitions, mergers and changes later – the product that would become MIM emerged in 2007 as Identity Lifecycle Manager (ILM).
Three years later, the long-awaited release of ‘ILM 2’ appeared as Forefront Identity Manager (FIM). FIM brought a human element to identity management by adding a web-based portal for configuration, administration, and self-service. Admins could now enable self-service password reset, manage groups, and trigger actions based on the passage of time.
“MIM’s development has been a gradual evolution, rather than a revolution.”
In 2016, FIM became MIM. This change refreshed the product’s supported platforms (latest Windows, SQL, SharePoint, etc.). This meant that hybrid scenarios could now be supported, such as the use of MFA, a Microsoft Graph connector, and integration with Office 365.
A new Privileged Access Management (PAM) component was introduced to help secure the corporate Windows environment by granting elevated rights to users on a ‘just in time’ and ‘just enough access’ basis.
Along the way, we have also seen the addition of a MIM reporting component, and a role management component called bHold (from another acquisition). bHold is like the mad uncle that nobody talks about, and Microsoft does not support any new deployments.
MIM’s development has been a gradual evolution, rather than a revolution. But the synchronization engine at MIM’s core has remained largely unchanged throughout – providing a consistent, robust, flexible, and extensible platform for managing identities across heterogeneous platforms and business applications (too numerous to count).
When dealing with multiple on-premises applications or identity directories, MIM can automate the provision, deprovision, and access management of all users (and groups) across the enterprise.
Using its rules-based synchronisation engine, MIM can ensure that any changes made in source objects are replicated automatically to target platforms.
If transformation of the data is required, then through built-in functions or via the open-ended add-in extension functionality, MIM can be configured to cater for almost any identity management scenario.
Deployment of MIM can remove or reduce the reliance on ad-hoc user management scripts, or manual processes currently in use in your organisation.
Coupled with Azure AD Connect sync, MIM provides a powerful solution for onboarding complex on-premises identity environments to Microsoft 365 and other Azure-hosted applications.
View 'Microsoft identity stack demos: Overcoming typical challenges when setting up new user' and learn about:
At the centre of the MIM Synchronization Service is the metaverse. This can be thought of as the single source of truth in the system, where connected authoritative systems can contribute different attributes and different target systems can consume them.
Information is synchronised between the metaverse and connected systems via connector spaces, and rules are configured to determine how that synchronisation is performed.
Rules extensions can be applied at many different stages during the import, synchronisation, and export processes, allowing complete customisation of the solution.
“The implementation of an identity management solution – or a different identity management solution – is an opportunity to step back, analyse, and then simplify things.”
This flexibility can be something of a double-edged sword.
Some organisations simply seek to replace manual processes. Others try to recreate their existing identity management solution that has become something of a Frankenstein’s monster, with bits added here and there. These additions are often undocumented and applied without effective change management.
Although MIM allows you to do this, all it would achieve is the ability to make a bad process, that nobody fully understands, run faster.
Ideally, the implementation of an identity management solution – or a different identity management solution – is an opportunity to step back, analyse, and then simplify things.
If your identity management journey is ultimately heading for the Cloud, then I suggest it’s useful to start that thought process sooner rather than later.
It’s important to understand that MIM is a state-based synchronisation engine. It imports data from connected systems and infers any changes by comparing it with existing data.
These may be changes that have been made in the connected system itself or changes that MIM has exported to a connected system and is now confirming have been successfully applied. MIM may accept changes made in a target system or may back them out depending on the rules you have configured.
MIM stores state information in the form of holograms (binary data structures in the connector space). By comparing holograms from different steps in the process, it can decide whether data needs to be synchronised.
This approach makes for a very robust synchronisation process. In general, connected systems that you wish to manage with MIM do not themselves have to be modified to allow MIM integration to happen.
MIM can connect to APIs, databases, directory services (i.e., LDAP) or even flat files (CSV, AVP etc.) – and it’s unlikely that your target application won’t support one of those methods.
The MIM Portal provides a human interface into the identity management system. It allows scenarios to be constructed for delegated administration and self-service, as well as the development of workflows and the configuration of other features such as dynamic group management.
The portal can also be used to configure the Synchronization Service by defining declarative rules (rules defined in the Synchronization Service itself are referred to as classic rules). However, not all the extension points of the Synchronization Service have a declarative option, so we tend to stick with classic rules for consistency whenever possible.
All access to the MIM Portal and the assignment of permissions are defined in Management Policy Rules (MPRs), as are the triggers for workflows, be they for notifications, approvals, or actions. MPRs work with sets of requestors and resources, allowing permissions to be granted at an extremely granular level.
MIM requires a server licence for any server running a MIM component. MIM server licenses are included with the Windows Server licence.
Any MIM components other than the Synchronization Service also require client access licenses (CALs). There are several ways of acquiring these, including through your Azure Active Directory licensing.
Navigating Microsoft licensing can be a bit daunting, so speak to your Microsoft account manager for more info or get in touch with us if you need help.
SharePoint licenses are also required for the MIM Portal as the portal is a SharePoint Application.
Discover how Azure AD can secure your employee identities while providing seamless access to the apps and resources they need. We'll show you how to:
Whereas MIM enables the organisation to have the right users and access rights for Active Directory and on-premises business applications, it’s Azure AD Connect sync that makes those users available in Azure Active Directory for Microsoft 365 and cloud-hosted apps.
MIM and Azure AD Connect sync share a common heritage that becomes apparent once you get under the hood. Azure AD Connect sync has the same Synchronization Service Management Console and the individual management agents can be seen. Just like in MIM.
“Many organisations use MIM to gather all their identities into one master on-premises Active Directory which is then synchronised to Azure.”
Beyond that, they are quite different. The most obvious difference is the way they are configured. Azure AD Connect sync is primarily configured through a wizard, while MIM uses either its classic rules and extensions via Visual Basic / C# or through declarative rules and workflows defined in the MIM Portal.
Azure AD Connect sync also performs password hash synchronisation between on-premises Active Directory and Azure AD, as well as providing the on-premises agent that is used by other services such as cloud HR provisioning.
Azure AD Connect sync has a limitation in that it can only synchronise one on-premises directory per Azure AD instance.
As a result, many organisations use MIM to gather all their identities into one master on-premises Active Directory which is then synchronised to Azure. In this scenario, MIM and Azure AD Connect sync complement each other well.
A few years ago, rumours of the imminent demise of MIM started to swirl around our “IdM” world – and Microsoft did little to counter them.
The outlook (no email-related pun intended) was bleak. Microsoft’s focus was clearly in the Cloud and elements of MIM have gradually been replicated in Azure, e.g. self-service password reset, self-service requests to join groups, and the provisioning of identities into downstream SaaS applications.
More recently, the development of cloud HR provisioning apps in Azure has meant that potentially any organisation can provision accounts for users based on their HR data without going through MIM. Provided their HR system is Workday or SuccessFactors (at the time of writing), of course, but you can see where this is heading.
“MIM will continue to be supported for hybrid organisations beyond the currently published end-of-mainstream support date.”
All this is great, and I’m a big fan, but MIM still has a valuable role to play. Many organisations still have a very large on-premises infrastructure with many diverse and often unique requirements and that won’t change any time soon.
This isn’t an “either/or” situation and Microsoft has now recognised that. Although it won’t affect its strategy, it has acknowledged that MIM will be essential to many organisations for quite some time.
In view of this, it has announced that MIM will continue to be supported for hybrid organisations beyond the currently published end-of-mainstream support date (February 2021 at the time of writing).
Support, and even new features, can be requested via the Azure Portal. When asked if the support lifetime will be extended, we get the cryptic reply, “wait and see”.
If there’s one message to take away, it’s this: if you have a requirement that can best be solved by MIM today, then deploy MIM.
You’re probably already covered for MIM licenses – depending on the components you need – either through your Windows or Azure licenses (but please check).
If your requirement can be addressed from the Cloud in the future, then that’s fine – you can look to make the move when that time comes.
Remember that half the battle here is understanding your processes, your requirements, your users, and your data. The technology is probably the easy bit.
Keep your finger on the pulse of identity management and Microsoft technology. Get the latest content and event invites straight to your inbox.
Matt joined ThirdSpace as an Architect in 2020, with a particular focus on identity solutions. With nearly 30 years of industry experience, working for clients as diverse as banks, broadcasters, insurance providers and government departments, there are very few challenges that he has not seen before.
READ AUTHOR'S FULL BIO
We'd love to hear from you! Our friendly team can be reached Monday through Friday, from 9am to 5pm.Contact Us
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.