Explore Microsoft Identity Manager


Microsoft Identity Manager (MIM) is an identity management solution that helps organizations manage and synchronize user identities across various systems and directories. It provides capabilities for user provisioning, deprovisioning, synchronization, and self-service password reset. MIM focuses on managing user identities and their attributes, ensuring consistency and accuracy across different systems and applications.

Microsoft Identity Manager helps organizations manage the users, credentials, policies, and access within their organizations and hybrid environments. With MIM, organizations can simplify identity lifecycle management with:

  • Automated workflows
  • Business rules
  • Integration with heterogeneous platforms across the datacenter

Microsoft Identity Manager is primarily an on-premises solution. Organizations must install and deploy it within their own infrastructure. By doing so, they can manage user identities and synchronize them across various on-premises systems and directories.

MIM provides a range of features for identity management, including user provisioning, deprovisioning, synchronization, and self-service capabilities. It integrates with on-premises directories, such as Active Directory, and can also connect with other systems and applications to ensure consistent and accurate identity information.

Key features of Microsoft Identity Manager

Microsoft Identity Manager offers several key features that enhance identity management and synchronization within an organization's infrastructure. Some of MIM's key features include:

  • User provisioning and deprovisioning. MIM enables automated user provisioning and deprovisioning processes across various systems and directories. Doing so helps organizations ensure they consistently and efficiently create and remove user accounts when employees join or leave the company, respectively. MIM facilitates user provisioning and deprovisioning through various methods, including direct synchronization with connected systems, integration with HR systems or identity sources, and support for custom connectors. It provides workflows and rules that automate the creation, modification, and removal of user accounts, ensuring consistent and controlled provisioning processes.
  • Identity synchronization. MIM allows for the synchronization of user identities and attributes across multiple systems and directories, including on-premises Active Directory and other applications. Doing so helps organizations ensure that user information remains consistent and up to date across different platforms. MIM uses synchronization rules to define how user identities and attributes synchronize between different systems and directories. It supports synchronization with on-premises Active Directory, LDAP directories, SQL databases, and other connected systems. MIM allows administrators to customize synchronization rules based on specific attribute mappings and transformation logic.
  • Self-service password reset. MIM provides self-service capabilities that enable users to reset their passwords without the need for IT assistance. This feature helps reduce help desk requests related to password resets, improving productivity and user experience. MIM provides a web-based portal or integration with the Windows sign-in screen where users can securely reset their passwords using predefined security questions, email verification, or other configured methods. MIM uses user attributes and security policies to ensure a secure and streamlined password reset experience.
  • Identity lifecycle management. MIM offers comprehensive identity lifecycle management capabilities. It enables organizations to define and enforce policies for user provisioning, deprovisioning, and modification throughout the user's lifecycle, ensuring consistent and secure access management. MIM enables organizations to define and enforce identity management policies, including workflows and approvals for user provisioning, modification, and deprovisioning. MIM supports the creation and management of user roles, assignment of entitlements, and enforcement of access policies throughout the user's lifecycle.
  • Role-based access control (RBAC). MIM supports RBAC, allowing organizations to define and manage roles that grant appropriate access rights to users based on their job responsibilities. RBAC helps enforce security policies and ensures users have the necessary access privileges required to perform their tasks. MIM enables administrators to define roles and associated entitlements based on job functions or responsibilities. MIM supports role assignment and role-based provisioning. These tools ensure that organizations grant users appropriate access privileges based on their assigned roles.
  • Workflow and approval processes. MIM includes a powerful workflow engine that allows organizations to define and automate approval processes for identity-related tasks. This feature helps enforce governance and compliance requirements and ensures proper oversight and accountability. Administrators can create custom workflows using a graphical interface, defining approval steps, conditions, and actions. MIM triggers workflows based on events such as user onboarding, access requests, or role changes, enabling consistent and auditable processes.
  • Certificate and smart card management. MIM provides capabilities for managing digital certificates and smart cards within an organization. This feature includes issuance, renewal, and revocation of certificates, as well as managing smart card deployments and usage. MIM supports certificate lifecycle management, including certificate issuance, renewal, and revocation. MIM integrates with public key infrastructures (PKIs) and certificate authorities to automate certificate management tasks. It also provides smart card enrollment and management capabilities, including card issuance, PIN resets, and revocation.
  • Reporting and auditing. MIM offers reporting and auditing features that allow organizations to track and monitor identity-related activities. This feature helps organizations maintain visibility into user access, changes, and compliance requirements. MIM provides predefined reports and customizable reporting options to gain insights into user provisioning, access changes, and compliance-related activities. MIM logs events and actions, allowing administrators to review and analyze audit trails for security and compliance purposes.
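
The synchronization and auditing bullets above describe run profiles and run history in the abstract. The following is an added example, not code from this training module, showing how an operator drives one management agent through a full import, full synchronization, and export cycle on the MIM Synchronization Service and refuses to continue past a run that did not end in `success`. It assumes Windows PowerShell 5.1 on the sync server, a management agent named `AD MA` (a hypothetical name) that has the three run profiles listed, and a caller who is a member of the MIMSyncOperators group.

```powershell
# Added example, not code from the training module. Runs a full import /
# full synchronization / export cycle for one management agent on a MIM
# Synchronization Service server and stops at the first run profile that
# does not end in 'success'. Assumptions: Windows PowerShell 5.1 on the
# sync server, a management agent named 'AD MA' (hypothetical name) that
# has the three run profiles below, and a caller in MIMSyncOperators.

$Namespace   = 'root\MicrosoftIdentityIntegrationServer'   # MIM Sync WMI provider
$MaName      = 'AD MA'                                      # assumption: your MA name
$RunProfiles = 'Full Import', 'Full Synchronization', 'Export'

$ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent `
                    -Filter "Name='$MaName'"
if (-not $ma) { throw "Management agent '$MaName' not found." }

foreach ($runProfile in $RunProfiles) {
    # Execute() blocks until the run finishes and returns the run status
    # string, e.g. 'success', 'completed-sync-errors', 'stopped-server'.
    $status = $ma.Execute($runProfile).ReturnValue
    Write-Host ('{0,-22} {1}' -f $runProfile, $status)

    # Anything other than 'success' means identity data may have diverged
    # between AD and the metaverse; stop so an operator can inspect the
    # run history instead of exporting partial changes downstream.
    if ($status -ne 'success') {
        throw "Run profile '$runProfile' on '$MaName' ended with status '$status'."
    }
}

# Audit trail: the last five runs of this MA as recorded by the sync engine.
Get-WmiObject -Namespace $Namespace -Class MIIS_RunHistory |
    Where-Object { $_.MaName -eq $MaName } |
    Sort-Object RunNumber -Descending |
    Select-Object -First 5 RunProfile, RunStatus, RunStartTime, RunEndTime
```

Ordering the profiles as import, then synchronization, then export matters: exporting before the synchronization step has evaluated the imported changes can push stale attribute values to the connected directory. Stopping on any non-`success` status, rather than only on hard failures, is deliberate; `completed-sync-errors` is the status that most often hides an attribute flow or join error that would otherwise be silently exported.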

Several of these features might appear similar to features found in Microsoft 365, such as lifecycle management, self-service password reset, and RBAC. However, there are important distinctions to be aware of, including:

  • On-premises vs. Cloud. MIM is primarily an on-premises solution, whereas Microsoft 365 is a cloud-based suite of services. MIM is designed to manage identities and access within an organization's on-premises infrastructure, including on-premises directories and systems. Microsoft 365, on the other hand, provides cloud-based identity and access management through services like Microsoft Entra ID.
  • Integration with on-premises systems. MIM is designed to integrate with various on-premises systems, directories, and applications. It enables organizations to manage user identities and synchronization across these systems. Microsoft 365 focuses more on cloud-based integrations and managing identities within the Microsoft cloud ecosystem.
  • Flexibility and customization. MIM provides organizations with a high degree of flexibility and customization options. It offers extensive capabilities for customization, scripting, and workflow automation, allowing organizations to tailor the solution to their specific needs. Microsoft 365, while offering some level of customization, is more standardized and provides a predefined set of features and configurations.
  • Advanced identity management scenarios. Organizations often use MIM in complex identity management scenarios, particularly when they have a mix of on-premises and cloud-based systems. MIM offers robust features for managing hybrid identity environments. It also enables synchronization between on-premises directories and cloud-based directories like Microsoft Entra ID. Microsoft 365 and Microsoft Entra ID focus on cloud-based identity scenarios, but they also provide some hybrid capabilities.

Note

Microsoft 365 offers a comprehensive suite of cloud-based services, including Microsoft Entra ID, which provides identity and access management features similar to those features found in MIM. Depending on an organization's specific requirements, they can choose to use the capabilities of Microsoft 365 or opt for a hybrid approach by using a combination of MIM and Microsoft 365 services to meet their identity management needs.

MIM enables Active Directory to have the right users and access rights for on-premises apps. Microsoft Entra Connect and Microsoft Entra Connect Cloud Sync can then make those users and permissions available in Microsoft Entra ID for Microsoft 365 and cloud-hosted apps.

Note

MIM is primarily an on-premises solution. Microsoft's cloud-based identity and access management service is Microsoft Entra ID; Microsoft Entra Connect Sync and Microsoft Entra Connect cloud sync are the tools that bring on-premises Active Directory identities into it. While Microsoft Entra ID provides functionality similar to MIM, Microsoft designed it for cloud environments. As such, it offers extra features and integration options with other Microsoft cloud services. Organizations can choose between on-premises solutions like MIM and cloud-based solutions like Microsoft Entra ID based on their specific requirements and infrastructure.

How is MIM commonly used?

Organizations commonly use Microsoft Identity Manager in the following scenarios:

  • Automatic identity and group provisioning based on business policy and workflow-driven provisioning.
  • Integration of the contents of directories with HR systems and other sources of authority.
  • Synchronizing identities between directories, databases, and on-premises applications through common APIs and protocols, Microsoft-delivered connectors, and partner-delivered connectors.

Diagram showing a scenario of user identities synchronized from multiple repositories.

Identity is the common factor among many services, like Microsoft 365 and Xbox Live, where the person is the center of the service. Identity is now the security boundary, the new firewall, the control plane—whichever comparison you prefer. Your digital identity is the combination of your credentials and permissions. In other words:

Credentials + privileges = digital identity

MIM enables organizations to protect their privileged on-premises accounts. These identities have more than the typical user rights. As such, a compromised account can allow a malicious hacker to access sensitive corporate assets. Helping secure these privileged identities is a critical step to establishing security assurances for business assets in a modern organization. Cybercriminals target these accounts and other privileged services in their kill chain to carry out their goals.

Implement Microsoft Identity Manager

The latest version of MIM is Microsoft Identity Manager 2016 SP2. Detailed instructions on implementing MIM are outside the scope of this training. However, for those interested in learning more about MIM, the following list provides a summarized overview of the MIM installation steps with links to supporting documentation.

  1. Prepare a domain. MIM works with on-premises Active Directory. Based on your organization's requirements, you should follow the steps outlined in either of the following links to configure your AD domain controller:
  2. Prepare identity management servers. Once your domain is in place and configured, prepare your corporate identity management server. For more information on supported platforms, see Supported platforms for MIM 2016 or later. Organizations should configure the following resources to prepare their identity management servers:
    • Windows Server
    • SQL Server
    • SharePoint Server
  3. Install Microsoft Identity Manager 2016 SP2 components. Once you set up the domain and server, you're ready to install the following MIM components and configure them to sync with Active Directory:
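
The first step, preparing the domain, is where the service accounts, groups, and service principal names that the later steps depend on are created. The following is an added example, not the module's text or Microsoft's own lab script, that carries out that preparation for a MIM 2016 SP2 deployment. Everything named in it is an assumption: the domain `contoso.com`, an existing OU `OU=MIM,DC=contoso,DC=com`, the MIM Service and Portal on the host `mim.contoso.com`, and a caller with rights to create objects in that OU. It runs on a domain-joined machine with the Active Directory RSAT module installed.

```powershell
# Added example, not the module's or Microsoft's own lab script: prepare an
# Active Directory domain for a MIM 2016 SP2 deployment by creating the
# per-component service accounts, the MIM Sync security groups, and the
# service principal names the MIM Service and Portal need for Kerberos.
# Assumptions (all hypothetical): domain contoso.com, an OU
# 'OU=MIM,DC=contoso,DC=com' that already exists, the MIM Service and
# Portal on host mim.contoso.com, and a caller allowed to create objects
# in that OU. Run on a domain-joined machine with the AD RSAT tools.

Import-Module ActiveDirectory

$MimOU   = 'OU=MIM,DC=contoso,DC=com'
$MimHost = 'mim.contoso.com'

# One account per component, so compromising (or over-privileging) one of
# them does not hand out the rights of the others.
$ServiceAccounts = [ordered]@{
    MIMINSTALL = 'Runs the MIM installers'
    MIMSync    = 'MIM Synchronization Service'
    MIMService = 'MIM Service'
    MIMMA      = 'MIM Service management agent (sync <-> service)'
    MIMADMA    = 'Active Directory management agent'
    SharePoint = 'SharePoint farm and MIM Portal app pool'
    SqlServer  = 'SQL Server service'
}

foreach ($name in $ServiceAccounts.Keys) {
    # Prompt for each password rather than embedding it in the script, so
    # no plaintext secret lands in the file, the transcript, or history.
    $password = Read-Host -AsSecureString -Prompt "Password for $name"
    New-ADUser -Name $name -SamAccountName $name -Path $MimOU `
               -Description $ServiceAccounts[$name] `
               -AccountPassword $password -Enabled $true `
               -PasswordNeverExpires $true -CannotChangePassword $true
}

# Groups that govern who may administer, operate, and join objects in the
# Synchronization Service; put people here, never in the service accounts.
$SyncGroups = 'MIMSyncAdmins', 'MIMSyncOperators', 'MIMSyncJoiners',
              'MIMSyncBrowse', 'MIMSyncPasswordSet'
foreach ($group in $SyncGroups) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $MimOU
}
Add-ADGroupMember -Identity MIMSyncAdmins -Members MIMINSTALL

# SPNs so clients authenticate to the MIM Service and Portal with Kerberos
# rather than falling back to NTLM.
Set-ADUser -Identity MIMService -ServicePrincipalNames @{ Add = "FIMService/$MimHost" }
Set-ADUser -Identity SharePoint -ServicePrincipalNames @{ Add = "http/$MimHost" }

# Verify: each SPN must be registered on exactly one account, otherwise
# Kerberos ticket requests for the service fail or go to the wrong identity.
foreach ($spn in "FIMService/$MimHost", "http/$MimHost") {
    $owners = Get-ADUser -Filter "servicePrincipalName -eq '$spn'"
    if (@($owners).Count -ne 1) { throw "SPN '$spn' is missing or duplicated." }
}
```

Two practices carry over from this example into the server-preparation step that follows it: the service accounts should be denied interactive logon on the MIM, SQL Server, and SharePoint hosts through Group Policy, since none of them needs a desktop session, and the MIMSync* groups, not individual users, are what the Synchronization Service installer asks for when it assigns operator and administrator rights.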

Knowledge check

Choose the best response for the following question.

Check your knowledge

1.

As Tailspin Toys' Microsoft 365 Administrator, Alan Deyoung wants to implement Microsoft Identity Manager to help protect Tailspin's privileged user accounts. Alan prepared the company's domain and is now preparing Tailspin's identity management servers. Which of the following resources must Alan configure to prepare Tailspin's identity management servers?