Transitioning Away from MIM in a Cloud-First World: The Future of MIM Part 1
Now that MIM is in extended support, many MIM customers are interested in transitioning to the cloud and a Zero Trust model. But where to start? This blog series will examine the options and key considerations to help decision makers to determine their path to the cloud.
In this first installment of the series, we answer some of the common questions our customers ask about what comes after MIM and migrating to the cloud. Part 2 looks at how modern identity and zero trust can and should be considered by organizations as they plan their future identity management strategy. In Part 3 we examine key considerations for building strong compliance and governance programs.
Part 1: Transitioning Away from MIM in a Cloud-First World
The MIM Legacy
In the Microsoft world, Microsoft Identity Manager (MIM) and its predecessors have been the mainstay of identity management for almost two decades. It has proven to be affordable, flexible, and robust, and has been deployed successfully in all sorts of environments. Much of its functionality can and is being smoothly migrated to the cloud (to Azure AD), but there are some functions which Azure AD does not cover, and which MIM covers very well. Additionally, some customers are simply not ready to migrate, or cannot (from a technological or funding point of view) migrate to Azure AD with its features. Even those that are ready need a practical way to migrate pieces that can be managed in the cloud while still maintaining on-premises data integrity. MIM is well positioned to be the transition tool to get you from on-premises to the cloud in the new “cloud first” world.
MIM is now in extended support and will be until early 2029. If you have an Azure AD Premium subscription you still get full standard support for all components of MIM except for BHOLD and MIM CM. Microsoft explains here that they are still fully supporting components of MIM that “populate Active Directory, and by extension, Azure AD through Azure AD Connect, with the users and groups provisioned from an on-premises HR system or other system of record sources.” In 2021 alone, four hotfixes were released for security and compatibility enhancements.
Even after this support ends, various paid-for support options will be available from Microsoft or, more likely, from partners like Oxford Computer Group (OCG). In any case your MIM solution will not suddenly stop working. Meanwhile, Microsoft continues to release features in its cloud offerings that can replace much – but not yet all – MIM functionality.
What comes after MIM?
Microsoft is aware of the varied identity and access management requirements that exist and are developing Azure AD capabilities to cover them. So, the answer to “What comes after MIM?” will need to be re-evaluated on a regular basis.
Currently, organizations that use MIM have four years to consider the following options:
- Replace MIM entirely with Microsoft cloud functionality (Azure AD).
- Replace most of the MIM functionality with Microsoft cloud functionality, and select and implement a tool (presumably from a Microsoft-friendly vendor) to replace the remaining functionality.
- Stay with MIM because the level of support needed can be provided by, for example, OCG.
- Migrate to a different vendor altogether.
Should we move to another platform?
There is no need to rush into an implementation – we can’t be sure right now what things will look like when extended support ends in 2029. Many organizations are doing new implementations of MIM (particularly MIM sync) because it represents a relatively inexpensive and effective solution even if (as a worst case) it only lasts for four years. These organizations are not short-sighted, they are pragmatic.
On the other hand, we are seeing Azure AD continue to broaden its capabilities and our customers are using these capabilities to improve their competitiveness and agility. If your organization is focusing on Zero Trust as an initiative, Azure AD and its associated tools are designed around that model. MIM is not.
If an organization is inclined to move to another vendor anyway, then perhaps there is no reason to hold back. Switching to another vendor just to replace certain MIM functionality is a risk and shouldn’t be rushed into. Identity and Access Management (IAM) is changing, and any vendor offering may become obsolete. OCG has seen some very expensive, time-consuming migrations to other vendor platforms, which in some cases do not even work properly. OCG has achieved considerable annual savings for some customers migrating to MIM from other vendor platforms, while at the same time, preparing them for an increasingly cloud-focused future.
It is worth noting that anyone with Azure AD Premium can use MIM free of charge, so migrating away from it could be an expensive way of only getting to where you are now. If your processes are well sorted out and embedded in MIM, the right kind of controlled migration may be quite easy, while replacing the entire platform may be like going back to square one.
Having taken soundings from Microsoft, other partners, and our customers, we are confident that Microsoft will replace key MIM functionality with technologies that offer a tight fit to Azure AD. We are already seeing Microsoft’s investments in new features that meet changing IAM market requirements.
What about a script-based approach?
We also see script-based solutions being sold as IAM. This kind of approach is exactly what MIM and its predecessors were designed to overcome!
While these can be quick and cheap to install, they lack the robustness and integrity that any enterprise-level IAM solution demands. Taking a scripting approach tends to leave an organization reliant on a single individual that knows where all the sources, scripts and targets are – rather than having that centrally functioning IAM solution that ties them all together and is supportable by many rather than the one. This kind of approach can also end up polluting Active Directory with poor quality data, which compromises later phases of IAM (such as role management and privileged access management).
Why implement MIM now?
With regards to the Microsoft platform, MIM is still viable when it comes to integrating Active Directory with sources of truth such as multiple, on-premises HR platforms. The comprehensive “out-of-the-box” connectors, orchestration, plus the extensible connectors, allow for connecting to virtually any system. If you have an Azure AD Premium subscription, license fees currently are the cost of the host OS and databases. The cost of implementation is comparable to other enterprise-ready IAM systems.
If you have on-premises sources of truth, MIM might offer most of what you need for the next four years. There are paths available, and more opening up, to support the move to hybrid cloud, and perhaps one day to cloud-only – or simply away from MIM if that turns out to be the right choice.
Ask us about your situation!
Of course, every customer has a unique situation, and the best course of action is not the same for everyone. While OCG is a very strong Microsoft partner, our expertise and experience are wide – we do not rely on software sales for our income, and we aim for an impartial view on the best way forward. We are all about enabling the cloud, but we recognize that this is not the whole story. So if you are looking for a trusted partner to guide you through what might be a complex series of decisions based on your particular requirements, give us a call!
Don’t panic! But don’t put off planning. In the process of planning, you’ll begin to see just how much identity and access management, identity governance, external identities, and distributed identities have evolved. As you plan you’ll discover whether or not MIM is still up to the task for your needs, or whether its time to make a change.
Identity management as a larger issue involves more than just a user’s account and logon. Identity today means device, location, logon, and many other things. What is “identity” in today’s cloud-first, BYOD driven world? Future blog installments will delve into exactly that and what managing the lifecycle of that identity might look like and how do you wrap governance and reporting for compliance frameworks your company is tied to.
Interested in learning more about transitioning your organization to modern identity? Read Part 2 of our blog.
Look for Part 3 in our Future of MIM blog series, “Securing Modern Identities with Strong Governance,” coming soon.
Can MIM SSPR be migrated to Azure AD?
Yes and no. Azure AD Premium includes self-service password reset (SSPR) in the cloud, though it does not take exactly the same form. Azure AD Premium includes SSPR in the cloud, which is a feature you should be moving to. If Azure AD Connect’s password writeback feature is in use, a user can reset their on-premises AD password (as well as their Azure AD cloud password via password hash synchronization). Although not an exact feature for feature replacement, Azure AD Premium SSPR can easily be argued to be more convenient, and more secure, than that available through the MIM Portal.
Can MIM group management be migrated to Azure AD?
Mostly. Azure AD Premium provides broadly the same functionality for cloud groups, as the MIM Portal does for on-premises groups. Since Azure AD has dynamic group capabilities, it would not be a stretch to use MIM to populate certain attributes to facilitate the population of those cloud-based groups using attributes available on-premises.
Currently, while on-premises groups can be synchronized up to the cloud, write-back from cloud groups to on-premises groups are limited to distribution lists. You can’t write back to on-premises security groups, at least in supported configurations. It would not be surprising if this changed soon, but if management of on-premises security groups is a must right now, then an additional tool will be required if the MIM Portal is to be replaced. For example, Saviynt or SoftwareIDM’s HyperSync can be used for this purpose.
Can MIM provisioning be migrated to Azure AD?
Some now, more later, maybe everything eventually. MIM is highly flexible when it comes to provisioning, but it generally requires code to be written. MIM can also be extended to connect to just about any system by writing more code in the form of an “ECMA2” (effectively a custom connector).
Azure AD provides excellent functionality for codeless provisioning of accounts into many cloud-based systems. It can also provision to on-premises applications using SCIM, or to legacy applications using the very same ECMA2 “connectors” that MIM uses. This latter capability is an invitation-only preview at the time of writing, but it is clear enough where this is going. So, although there are a few caveats, and this is not a feature for feature replacement, it does look as though Azure AD will have this area well covered.
Can Azure AD handle multiple sources of truth (like HR systems) like MIM?
Not yet. The MIM synchronization engine is particularly good at connecting to and importing identity data from multiple sources of truth (HR, temporary staff, student enrolment etc.), and then generating an authoritative, canonical representation of each identity. Azure AD (along with Azure AD Connect) has limited capability in this regard. So, in all but the simplest situations, this remains one area where a MIM, or a 3rd party tool such as Saviynt or SoftwareIDM Hyper Sync, is still required. However, a lot can – and probably will – happen in the next 4 years.
Is there a migration path for PCNS?
Not at present as far as we know. The Password Change Notification Service (PCNS) captures AD password changes and forwards them to MIM, which can send them to target systems. If you use PCNS we recommend that you stick with MIM for the time being. We know of at least one vendor who plans to provide an alternative – so watch this space.
Can MIM Portal workflows be replaced by Azure AD functionality?
Not directly. In our experience, many organizations are using some simple workflows (for example for group management approvals), which can be readily replaced by comparable functionality in Azure AD. However, a small but important percentage of organizations have invested significantly in MIM workflows and/or other MIM portal functionality – for such cases there is no obvious Microsoft migration path. There are alternatives, such as Saviynt and SoftwareIDM, which we will explore in later blogs.
How can we replace BHOLD functionality?
BHOLD was a role management addition to the MIM synchronization engine which is now effectively deprecated. The role management within Azure AD is much more sophisticated in its approach and may well be all that is needed for an organization intending to be cloud oriented. However, Azure AD does not offer generic on-premises role management, so any organization looking for an equivalent to MIM plus BHOLD functionality will likely have to look for a 3rd party tool such as Saviynt or SoftwareIDM’s Access Panel.
Microsoft-friendly tools to augment and/or replace MIM
There are many tools available that can add functionality to MIM, support migration away from MIM, or even replace MIM altogether. Some options for 3rd party tools that fully support MIM while providing a clear migration path include Saviynt, SoftwareIDM’s Identity Panel, and others.
This table shows which features are native to which systems:
|MIM feature||Azure AD|
|MIM Sync Features||Generic synchronization engine|
|Legacy provisioning||Yes -Workday, Success Factors, SQL, LDAP, future ECMA|
|Cloud HR import||Yes|
|Legacy HR import|
|Multiple sources of truth|
|MIM Portal Features||Group self-service||Azure AD groups|
|Query-based groups||Azure AD groups|
|SSPR for AD||Yes|
Continue reading with Part 2, “From MIM to Modern Identity.” Or, skip to Part 3, “Security Modern Identities with Strong Governance.”
Want to learn more about moving from MIM to the cloud? Check out the recording of our Q&A webinar here.
Please contact us if you have any questions or would like to know more.