Upgrading from FIM to MIM – a user’s guide
Updated Winter 2021
With Microsoft Identity Manager 2016 (MIM), Microsoft brings both continuity and innovation to their on-premises identity management platform. In this blog, I summarize the impact that MIM will have on existing users of FIM 2010, including the new features in Service Pack 2 for MIM and guidance on deprecated features.
MIM 2016 was launched to bring innovation to on-premises identity management and to offer continuity to those who had already invested in Forefront Identity Manager (FIM).
Five years on, organizations still using FIM continue to come to Oxford Computer Group for help with MIM upgrades: everything from complete planning, implementation, and deployment services to MIM training courses from our sister company Oxford Computer Training.
Most organizations want to use software that is supported by the manufacturer, so keeping an eye on the limits of support is important:
- FIM 2010 R2 is supported until 11th October 2022 (learn more).
- MIM 2016 R2 is supported until 9th January 2029 (learn more).
- If your organization is using Azure AD Premium, specific Azure-related support is also available (learn more).
- For those users still using SharePoint Server 2010 underneath the FIM Portal, support for this expires on 13 April 2021 (learn more).
- SharePoint Foundation 2013 support expires on 11 April 2023 (learn more).
Upgrading from FIM to MIM: Requirements
The minimum supported starting version for the upgrade directly to MIM 2016 SP2 is FIM R2 SP1, build 4.1.3419.0. If you have not yet reached this patch level in FIM, you will need to update before the upgrade to MIM. And, by the way – you should patch anyway!
With the original version of MIM 2016 SP2, build 126.96.36.199, some customers experienced problems with their SharePoint-based MIM Portals after installing a SharePoint update in September 2020, and so we were advising upgrades to SP2 only with some caution. These problems have been fixed in the latest hotfix 4.6.359.0 (here), which is therefore highly recommended.
Microsoft has a focus on protecting customers’ investments: the FIM solutions deployed must continue to work. Thus, continuity is an important theme.
An updated list of FIM features which are deprecated (i.e. which will not be supported in a future version of the product) is provided by Microsoft here. This is an update to the original list from 2017.
The only deprecated features that have been removed in practice are a handful of obsolete Management Agents (Notes, SAP R/3 and FIM CM) which have new, modern alternatives in SP2 (see below). The exception is the Management Agent that offers integration for FIM Certificate Management (CM), which has no replacement. If you are using these agents, you will need to plan the implementation of a replacement MA, if available, or (for CM) a different approach to propagate lifecycle triggers to the CM components (via Workflows, for example). Apart from this, our experience is that the upgrade to MIM 2016 from FIM 2010 R2 does not cause any significant problems with existing implementations.
Note on Moving to the Cloud
We should not neglect to mention the Cloud. Microsoft is famously committed to a cloud-first strategy, and Microsoft’s capability in the cloud is a leading one (see here). The identity synchronization features both in the Azure AD Connect (on-premises) product, as well as in the Azure AD Cloud Connect capability, are familiar to those who use FIM and MIM, providing a clear path to the future for those who wish to move some or all identity management capabilities to the cloud. On-premises systems are going to remain a fact of life for many organizations for a while to come, so the capability to manage identities and access for those systems remains a critical one, and MIM components (and related capabilities from Microsoft) provide essential services for this activity.
A seemingly trivial change is that Microsoft is moving away from the term “Management Agent,” and is starting to use “Connector” to refer to the data transfer components of the synchronization service. There is already the concept of a “Connector” in FIM (and MIM), namely an object in a connector space which is connected to a metaverse object. This ambiguity will not really be a problem (the context should make the meaning clear) but care should be taken when using the term “connector.” The main reason, however, that I mention this here is that if you are searching for content concerning Management Agents for MIM, you will need to search for “MIM Connectors.”
As mentioned above, the connectors for SAP R/3 (BAPI-based) and Lotus Notes (v6.5 and 7) are no longer available. They have been replaced by the Web Services-based SAP connector and the Lotus Domino connectors which are fully supported by Microsoft. For more information on the connectors available in MIM, see here. It is worth noting that these connectors are regularly updated, most recently on November 11, 2020, and this information will help you stay up to date.
MIM 2016 SP2
MIM 2016 SP2 is an in-place upgrade to FIM 2010 R2 SP1, provided you have the slipstreamed installation media for MIM 2016 SP2 (i.e. the full MIM product with SP2 already integrated into it). This in-place capability eases the upgrade process; of course, the usual precautions for testing and possible rollback will need to be taken. Note that the client components (password reset client, certificate management client) will need re-installation on upgrade from FIM to MIM. Given the need to test a new configuration, it is also a good time to plan the move away from any deprecated or unsupported features which you may have carried over from a FIM (or even ILM) implementation.
The licensing of the MIM components is the same as for FIM – as of April 2015, the license for FIM Server Components has been included in the Windows Server license (Standard and Datacenter), which means that there is no additional charge for deploying FIM or MIM servers. This can represent a significant saving. Client Access Licenses are still required for solutions which contain more than synchronization, be it portal, password reset, certificate management and/or RBAC activity. These are available as a specific SKU or bundled with various Cloudy licenses such as Azure Active Directory Premium (AADP) and Enterprise Mobility + Security (EMS). For FIM users without Software Assurance, it is worth looking at the Azure AD Premium and EM+S licenses before simply purchasing new MIM licenses – Oxford Computer Group and Oxford Computer Training are happy to advise customers about such potential solutions! (Read about MIM licensing here.)
Support for the MIM portal running on SharePoint 2019 arrived with MIM 2016 SP2. There is no license-free version of SharePoint 2019, so you will need such licenses if you wish to run MIM portal on the newest SharePoint platform. If you don’t want to purchase licenses for SP2019, SharePoint Foundation 2013 is still supported, although the implementation on modern server platforms is tricky. For a MIM portal replacement which does not use SharePoint components at all (and therefore saves the SharePoint implementation and licensing costs) you might be interested in IdentityDirector (www.identitydirector.com), from our colleagues at Oxford Computer Group in Austria.
Browser and Platform Support
MIM 2016 SP1 brought much-needed support for modern platforms, and the support of the latest platforms continues with SP2. Browser support is extended compared with FIM, so that not only Internet Explorer is supported. With MIM 2016 SP2, the portal is also supported on Edge, Chrome and Safari, opening usage scenarios based on non-Windows devices.
Microsoft also added support for modern server and client platforms. For example, MIM 2016 SP2 is supported on Windows Server 2019, as well as SQL Server 2019, Exchange Server 2017, and System Center Service Manager 2019 for reporting. There is also a Certificate Management client for Windows 8.1 and Windows 10 devices which supports Virtual Smartcards.
As noted above, the MIM 2016 SP2 portal is supported on SharePoint 2019.
With SP2 we are able to use group managed service accounts for the core MIM services for the first time, as well as the web sites underlying the three portals (MIM Portal, SSPR Registration and SSPR Reset). In addition, we now have the option to install in an environment where only TLS 1.2 is permitted.
Privileged Access Management
Many documented attacks on corporate networks used stolen admin credentials to create backdoors. These backdoors are then used to steal data over a long period of time.
In response to this threat, Microsoft invested in a new set of features on the MIM platform. Privileged Access Management involves building a highly protected administrative forest (an Enhanced Security Admin Environment, or ESAE) in which all admin activity takes place away from the (probably) infected corporate forest. The primary motivation here is to minimize the ability of an attacker to access the cached credentials of an administrator. Administrators are partitioned into a separate secure forest, and the time in which the users themselves are administrators is minimized. MIM SP2 does not make significant changes to the PAM functionality.
Microsoft has updated guidance on the use of an ESAE, which refers to the high cost of such an environment and makes it clear that there are better ways of providing similar security benefits at a lower cost. Microsoft themselves still use the ESAE architecture, so it is not completely obsolete. You do have to be aware of the cost/benefit calculation which applies to your environment. More about this updated guidance here.
Oxford Computer Group has experience implementing PAM and can provide guidance before and during a PAM implementation. Contact OCG here. Oxford Computer Training offers a one-day PAM training course – see the course outline here.
Microsoft is continuing to invest in MIM as a general platform for the implementation of custom solutions. FIM 2010 delivered a portal solution based on a web service – and OCG has developed both complementary and replacement solutions based on this web service (for example, our customized MIM Portal, and our identity solutions for mobile phones). MIM delivers even more web services to enhance our ability to build solutions:
- Web Service for Certificate Management
- Web Service for Privileged Access Management
These are REST web services which allow developers to integrate identity and access processes into their solutions.
MIM 2016 SP2 conserves your investment in FIM solutions, while offering new functionality to address emerging challenges.
Oxford Computer Training offers technical training on MIM, Azure and other identity-related technologies and topics.
Oxford Computer Group offers a range of consulting services to support you in your move to MIM 2016, from identity and security workshops to planning, implementation, and deployment support for Privileged Access Management, Role-based Access Control, and more.
- For deprecated FIM features go here.
- For available MIM connectors go here.
- To learn more about licensing go here – sadly this is slightly old and contains broken links, but it is the best summary of licensing of FIM and MIM from Microsoft currently available!
- Finally, be sure to read my very popular blog Microsoft Identity Manager – MIM – 2016 Service Pack 1.