FIM to MIM – a user’s guide
With Microsoft Identity Manager 2016 (MIM), the software giant brings both continuity and innovation to their on-premises identity management platform. For existing users of FIM 2010 this is good news, as Microsoft wants to protect its customers’ FIM investments: the FIM solutions already deployed must continue to work.
Microsoft has published a list of FIM features which will not be supported in a future version of the product. No deprecated features are removed in MIM, so there is no reason to believe that an upgrade from FIM 2010 R2 to MIM 2016 will cause any problems for existing implementations. The upgrade is in-place, which eases the process, but all the usual precautions for testing and rollback should still be taken. Client components will need to be re-installed.
The licensing of the MIM components is the same as for FIM. The licence for the FIM Server Components has been included in the Windows Server licence (Standard and Datacenter), so there is no additional charge for deploying FIM or MIM servers. This can represent a significant saving. Client Access Licences are still required for solutions which contain more than synchronization (portal, password reset, certificate management and/or RBAC activity), and these are available as a specific SKU, or bundled with various cloudy licences such as Azure Active Directory Premium (AADP) and Enterprise Mobility Suite (EMS). For FIM users without Software Assurance, it is worth looking at the AADP and EMS licences before simply purchasing new MIM licences – OCG is, of course, happy to advise customers about such potential solutions!
Microsoft has added support for modern server and client platforms: MIM 2016 is supported on Windows Server 2012 R2 (in contrast to FIM 2010 R2), and there is a Certificate Management client for Windows 8.1 devices which supports Virtual Smartcards.
Privileged Access Management
Many documented attacks on corporate networks have been shown to have used stolen admin credentials to create backdoors, which are then used to steal data over a long period of time. In response to this threat, Microsoft has introduced a new feature in MIM: Privileged Access Management or PAM.
PAM minimizes both the ability of an attacker to obtain an administrator’s credentials (by partitioning the admins into a separate secure forest) and the time during which users actually hold administrative rights. This second point, summarized by the terms “Just-Enough-Admin” and “Just-In-Time Admin”, involves pre-authorizing administrators for certain pre-defined administrative roles and making sure that an admin’s user account has, by default, absolutely no administrative permissions. To allow the admins to do their job, the system lets them request a role on a limited-time basis when they actually need to use it. Each role can have a different Time-To-Live – so more security-sensitive roles can have a time limit measured in minutes, while other roles may be available for hours. When the TTL expires, the role is automatically removed from the user, and they lose their administrative permissions.
A PAM implementation involves planning the secure forest, discovering the privileged accounts and privileged permissions in the existing environment, and populating the new forest with secure accounts and roles to represent these existing accounts and permissions. MIM contains tools to support this discovery and population activity. Once implemented, PAM will need to be monitored with tools that run against the existing forest: for example, to check that the PAM-managed permissions are not being assigned manually in the existing forest. Read more about PAM in our white paper, or get a day’s training.
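To make the two ideas above concrete (roles granted only on request and only for their TTL, and a monitoring check that privileged groups in the existing forest hold nobody without an active grant), here is an added Python model. It is a constructed illustration, not MIM code and not the PAM web service or its schema; the role names, group names, TTLs, principals and the membership snapshot are all invented for the demo.

```python
"""Constructed model of time-bounded ("just-in-time") admin roles and a
drift check against the existing forest. Not MIM's PAM API or schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Role:
    name: str                  # PAM role, e.g. "DomainAdmin" (constructed)
    group: str                 # privileged group it maps to in the existing forest
    ttl: timedelta             # lifetime of a single activation
    eligible: frozenset        # principals pre-authorized to request this role


@dataclass
class Activation:
    principal: str
    role: Role
    granted_at: datetime

    def expires_at(self) -> datetime:
        return self.granted_at + self.role.ttl

    def is_active(self, now: datetime) -> bool:
        return self.granted_at <= now < self.expires_at()


class JitRoleService:
    """Grants roles only on request, for the role's TTL, to pre-authorized users."""

    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        self.activations = []

    def request(self, principal: str, role_name: str, now: datetime) -> Activation:
        role = self.roles[role_name]
        if principal not in role.eligible:
            # Just-Enough-Admin: a user not pre-authorized for the role cannot obtain it.
            raise PermissionError(f"{principal} is not eligible for {role_name}")
        activation = Activation(principal, role, now)
        self.activations.append(activation)
        return activation

    def expected_members(self, group: str, now: datetime) -> set:
        """Who should be in `group` right now: only principals with an unexpired
        activation. With no activations every privileged group is empty by default."""
        return {a.principal for a in self.activations
                if a.role.group == group and a.is_active(now)}


def find_unmanaged_members(service: JitRoleService, observed: dict, now: datetime) -> dict:
    """Compare a membership snapshot of the existing forest ({group: set of members})
    with what PAM says should be there. Returns {group: members with no active grant}:
    either an expired grant that was never removed, or a member added by hand."""
    drift = {}
    for group, members in observed.items():
        extra = set(members) - service.expected_members(group, now)
        if extra:
            drift[group] = extra
    return drift


# --- constructed demo data -------------------------------------------------
T0 = datetime(2015, 9, 1, 9, 0)


def at(minutes: int) -> datetime:
    """Clock helper so the demo is deterministic (no wall-clock time)."""
    return T0 + timedelta(minutes=minutes)


# Snapshot as it might be read from the existing forest (constructed):
# svc-backup was never granted through PAM; alice's 15-minute grant has lapsed.
OBSERVED_SNAPSHOT = {
    "Domain Admins": {"alice", "svc-backup"},
    "Server Operators": {"bob"},
}


def build_demo_service() -> JitRoleService:
    roles = [
        Role("DomainAdmin", "Domain Admins", timedelta(minutes=15), frozenset({"alice"})),
        Role("ServerOps", "Server Operators", timedelta(hours=4), frozenset({"alice", "bob"})),
    ]
    svc = JitRoleService(roles)
    svc.request("alice", "DomainAdmin", at(0))   # sensitive role: TTL in minutes
    svc.request("bob", "ServerOps", at(0))       # routine role: TTL in hours
    return svc


def run_demo() -> dict:
    """Drift 20 minutes after the grants: alice has expired, svc-backup is unmanaged."""
    return find_unmanaged_members(build_demo_service(), OBSERVED_SNAPSHOT, at(20))


if __name__ == "__main__":
    for group, members in run_demo().items():
        print(f"{group}: members without an active PAM grant -> {sorted(members)}")
```

In a real deployment the snapshot would come from the privileged groups of the existing forest and the expected set from PAM's own request records; the point of the comparison is that anything in the group without a matching unexpired grant is either a removal that failed or a manual assignment that bypassed PAM, and both deserve an alert.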
Microsoft is continuing to invest in the product as a general platform for the implementation of custom solutions. FIM 2010 delivers a portal solution based on a web service – and we at Oxford Computer Group have developed both complementary and replacement solutions based on this web service (for example, our customized FIM Portal, and our identity solutions for mobile phones). MIM delivers even more web services to enhance our ability to build solutions:
- Web Service for Certificate Management
- Web Service for Privileged Access Management
These are REST web services which allow developers to integrate identity and access processes into their solutions.
MIM conserves your investment in FIM solutions, while offering new functionality to address emerging challenges.