Work with hybrid reporting in Identity Manager

This article discusses how to combine on-premises and cloud data into hybrid reports in Azure, and how to manage and view these reports.

Available hybrid reports

The first three Microsoft Identity Manager reports available in Microsoft Entra ID are as follows:

• Password reset activity: Displays each instance when a user performed password reset using self-service password reset (SSPR) and provides the gates or methods used for authentication.

• Password reset registration: Displays each time that a user registers for SSPR and the methods used to authenticate. Examples of methods might be a mobile phone number or questions and answers.

  Note

  For Password reset registration reports, no differentiation is made between the SMS gate and MFA gate. Both are considered mobile phone methods.

• Self-service groups activity: Displays each attempt made by someone to add or delete him or herself from a group and group creation.

  

Note

• The reports currently present data for up to one month of activity.
• The previous Hybrid Reporting Agent must be uninstalled.
• To uninstall hybrid reports, uninstall the MIMreportingAgent.msi agent.

Prerequisites

• Identity Manager 2016 SP1 Identity Manager service, Recommended build 4.4.1749.0 .

• A Microsoft Entra ID P1 or P2 tenant with a licensed administrator in your directory.

• Outgoing internet connectivity from the Identity Manager server to Azure.

Requirements

The requirements for using Identity Manager hybrid reporting are listed in the following table:

Requirement	Description
Microsoft Entra ID P1 or P2	Hybrid reporting is a Microsoft Entra ID P1 or P2 feature and requires Microsoft Entra ID P1 or P2. For more information, see Getting started with Microsoft Entra ID P1 or P2. Get a free 30-day trial of Microsoft Entra ID P1 or P2.
You must be a global administrator of your Microsoft Entra ID	By default, only global administrators can install and configure the agents to get started, access the portal, and perform any operations within Azure. Important: The account that you use when you install the agents must be a work or school account. It cannot be a Microsoft account. For more information, see Sign up for Azure as an organization.
Identity Manager Hybrid Agent is installed on each targeted Identity Manager Service server	To receive the data and provide monitoring and analytics capabilities, hybrid reporting requires the agents to be installed and configured on targeted servers.
Outbound connectivity to the Azure service endpoints	During installation and runtime, the agent requires connectivity to Azure service endpoints. If outbound connectivity is blocked by firewalls, ensure that the following endpoints are added to the allowed list: *.blob.core.windows.net *.servicebus.windows.net - Port: 5671 *.adhybridhealth.azure.com/ https://management.azure.com https://policykeyservice.dc.ad.msft.net/ https://login.windows.net https://login.microsoftonline.com https://secure.aadcdn.microsoftonline-p.com
Outbound connectivity based on IP addresses	For IP addresses based filtering on firewalls, refer to the Azure IP Ranges.
SSL inspection for outbound traffic is filtered or disabled	The agent registration step or data upload operations might fail if there is SSL inspection or termination for outbound traffic at the network layer.
Firewall ports on the server that runs the agent	To communicate with the Azure service endpoints, the agent requires the following firewall ports to be open: TCP port 443 TCP port 5671
Allow certain websites if Internet Explorer enhanced security is enabled	If Internet Explorer enhanced security is enabled, the following websites must be allowed on the server that has the agent installed: https://login.microsoftonline.com https://secure.aadcdn.microsoftonline-p.com https://login.windows.net The federation server for your organization trusted by Microsoft Entra ID (for example, https://sts.contoso.com).

Install Identity Manager Reporting Agent in Microsoft Entra ID

After Reporting Agent is installed, the data from Identity Manager activity is exported from Identity Manager to Windows Event Log. Identity Manager Reporting Agent processes the events and then uploads them to Azure. In Azure, the events are parsed, decrypted, and filtered for the required reports.

1. Install Identity Manager 2016.

2. Download Identity Manager Reporting Agent, and then do the following:

   a. Sign in to the Microsoft Entra management portal, and then select Active Directory.

   b. Double-click the directory for which you are a global administrator and have a Microsoft Entra ID P1 or P2 subscription.

   c. Select Configuration, and then download Reporting Agent.

3. Install Reporting Agent by doing the following:

   a. Download the MIMHReportingAgentSetup.exe file for the Identity Manager Service server.

   b. Run MIMHReportingAgentSetup.exe.

   c. Run the agent installer.

   d. Make sure that the Identity Manager Reporting Agent service is running.

   e. Restart the Identity Manager service.

4. Verify that Identity Manager Reporting Agent is working in Azure.

   You can create report data by using the Identity Manager self-service password reset portal to reset a user’s password. Make sure that the password reset was completed successfully, and then check to ensure that the data is displayed in the Microsoft Entra management portal.

View hybrid reports in the Azure portal

1. Sign in to the Azure portal with your global administrator account for the tenant.

2. Select Microsoft Entra ID.

3. In the list of available directories for your subscription, select the tenant directory.

4. Select Audit Logs.

5. In the Category drop-down list, make sure that MIM Service is selected.

Important

It can take some time for Identity Manager audit data to appear in the Azure portal.

Stop creating hybrid reports

If you want to stop uploading reporting audit data from Identity Manager to Microsoft Entra ID, uninstall Hybrid Reporting Agent. Use the Windows Add or Remove Programs tool to uninstall Identity Manager hybrid reporting.

Windows events used for hybrid reporting

Events that are generated by Identity Manager are stored in Windows Event Log. You can view the events in the Event Viewer by selecting Application and Services logs > Identity Manager Request Log. Each Identity Manager request is exported as an event in Windows Event Log in the JSON structure. You can export the result to your security information and event management (SIEM) system.

Event type	ID	Event details
Information	4121	The Identity Manager event data that includes all the request data.
Information	4137	The Identity Manager event 4121 extension, if there is too much data for a single event. The header in this event is displayed in the following format: "Request: <GUID> , message <xxx> out of <xxx>.