Microsoft Identity Manager Service Pack 1

The first Service Pack (SP1) for Microsoft Identity Manager (MIM) 2016 has been released and I’ve been looking at a preview of it. It contains some important new functionality, which will be included in our training courses.

Please bear in mind that this is preview software, and is not intended for deployment in production!

Platform Support upgrades

MIM 2016 SP1 has been upgraded and can now be supported with the most up-to-date Microsoft platforms, including Windows Server 2016 and SQL Server 2016.

Hardened Security

The MIM Service accounts can now be configured to be part of Authentication Policies and Authentication Policy Silos. This means that you can restrict the authentication protocols these accounts may use, as well as the computers from which (and to which) they can authenticate. Because the service accounts have permissions to access, for example, the encryption keys, and thus the target-system passwords held by the synchronization service, and perhaps also to run scripts in a privileged context, preventing theft of these credentials is important. By limiting the number of computers on which the accounts can be used, and perhaps by limiting the lifetime of the Kerberos TGT, you can reduce the attack surface presented by MIM itself.
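As an added illustration of the configuration described above (this is example code written for this page, not a script from the post or from Microsoft), the following PowerShell creates an Authentication Policy with a short user TGT lifetime, wraps it in an Authentication Policy Silo, and places a MIM service account and the MIM server in that silo so the account can only be used from silo members. The account name MIMService, the computer name MIMSVR01, the silo and policy names, and the 120-minute lifetime are all assumptions; the cmdlets are the standard ones from the ActiveDirectory module.

```powershell
# Added example, not from the original post or from MIM's own installation scripts.
# Assumed names: service account MIMService, MIM server MIMSVR01, silo MIM-Silo.
# Prerequisites (not created here): Windows Server 2012 R2 or later domain functional
# level, and the "KDC support for claims, compound authentication and Kerberos armoring"
# and matching Kerberos client Group Policy settings enabled.
Import-Module ActiveDirectory

$siloName   = 'MIM-Silo'
$policyName = 'MIM-ServiceAccount-Policy'

# Condition: the account may only authenticate from devices that are members of the silo.
# This is the standard SDDL form used by authentication policies (device claim on the silo).
$allowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# Policy: shorten the user TGT lifetime (minutes) and apply the allowed-from condition.
# Omit -Enforce on first deployment to run in audit mode and review failures before enforcing.
New-ADAuthenticationPolicy -Name $policyName `
    -Description 'Restricts the MIM Service account to the MIM silo (assumed example)' `
    -UserTGTLifetimeMins 120 `
    -UserAllowedToAuthenticateFrom $allowedFrom `
    -Enforce `
    -ProtectedFromAccidentalDeletion $true

# Silo: applies the policy to user accounts (the service account) that are assigned to it.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -Enforce `
    -ProtectedFromAccidentalDeletion $true

# An account must first be permitted to join the silo, then actually assigned to it.
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account 'MIMService'
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account 'MIMSVR01$'

Set-ADAccountAuthenticationPolicySilo -Identity 'MIMService' -AuthenticationPolicySilo $siloName
Set-ADAccountAuthenticationPolicySilo -Identity 'MIMSVR01$' -AuthenticationPolicySilo $siloName

# Verify: the assigned silo is stored on the account, and the silo lists its members.
Get-ADUser -Identity 'MIMService' -Properties msDS-AssignedAuthNPolicySilo |
    Select-Object Name, msDS-AssignedAuthNPolicySilo
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Format-List Name, Enforce, Members
```

Two practical points: run the policy and silo without `-Enforce` first and watch the domain controllers' Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController event log for anything MIM legitimately does that the policy would block; and remember that a shortened TGT lifetime only helps if the MIM services can renew tickets normally, so test scheduled runs that are longer than the lifetime before enforcing.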

Cross-Browser Support

For the first time since FIM 2010 was released, there is support for Firefox, Chrome, and Safari. This is great news as it is now possible to use MIM functions on iPads and other non-Microsoft platforms, where IE is not supported or permitted. This applies to the password portals as well as to the main MIM portal itself.

Support for Exchange Online

Until now, FIM and MIM could only use Exchange Online for notifications; approvals have required an on-premises Exchange server. With this Service Pack, it’s going to be possible to have the MIM Service monitor an Exchange Online mailbox for approval traffic, so that we no longer need to maintain Exchange on-premises to support MIM’s approval functionality.

Privileged Access Management (PAM) PowerShell Scripts

PAM is an existing security feature of MIM and we will be running a training course on PAM this summer. Deploying PAM involves installing a number of components in a high-availability configuration – and this can be laborious and prone to error. SP1 includes a set of scripts to make installation more straightforward.

PAM Just-In-Time Admin applies to the Privileged Domain

The PAM functionality focuses on securing access to sensitive permissions in an organization's main (“Corporate”) Active Directory forest. Two key components of this approach to securing permissions are:

  • Separation of accounts used for sensitive administration into a distinct Active Directory forest (the ‘Privileged’ forest)
  • ‘Just-In-Time’ administration: granting permissions only when they are required.

In the initial release of PAM, only permissions from the corporate forest can be made available for Just-In-Time use. With this Service Pack release, permissions in the Privileged forest itself (which are, let's face it, also sensitive) can be made available as JIT permissions.
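To show what Just-In-Time use of a PAM role looks like from the requesting user's side, here is an added example (not code from the post or from the MIM product) using the MIMPAM PowerShell module's request cmdlets. It assumes the module is installed on a client in the Privileged forest, the user is signed in with their PRIV-forest account, and an administrator has already defined a PAM role with the assumed display name 'PRIV Forest DNS Admins'; the post states that SP1 allows Privileged-forest groups to back such roles but does not describe the role setup, so the example starts from an existing role.

```powershell
# Added example, not from the original post or from MIM's own scripts.
# Assumptions: MIMPAM module present, user signed in to the PRIV forest, and a PAM role
# named 'PRIV Forest DNS Admins' already exists with this user as a candidate.
Import-Module MIMPAM

$roleName = 'PRIV Forest DNS Admins'

# Roles the current user is a candidate for; pick the one we need.
$role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    throw "Role '$roleName' not found, or the current user is not a candidate for it."
}

# Ask for time-limited membership. The justification is recorded with the request,
# which is what makes JIT access auditable; the request stays pending if the role
# requires approval, otherwise it becomes active for the role's TTL.
$request = New-PAMRequest -Role $role -Justification 'Change ticket (assumed): DNS zone update'

# Review the state of the user's requests (status, role and expiry are shown in the output).
Get-PAMRequest | Format-List

# The new group membership appears in Kerberos tickets obtained after activation,
# so a fresh logon session (or a new ticket) is needed before the elevated access works.

# When the task is finished, close the request rather than waiting for the TTL to expire.
Close-PAMRequest -Request $request
```

From a defender's point of view the useful properties of this flow are that the elevation is tied to a named role, a recorded justification and a fixed TTL, so the PAM audit trail (and the PRIV-forest group membership changes) can be monitored for requests that fall outside normal change windows.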


Want to know more?