Microsoft Identity Manager
In this section we will look at Microsoft Identity Manager.
What is it?
Microsoft Identity Manager (MIM) is the latest iteration of a product from Microsoft that used to be called Forefront Identity Manager and before that Identity Lifecycle Manager.
The core use case for MIM is to synchronise users and identity across systems so that a user can access the systems they require.
One very important concept to note is that many modern applications support SSO, ADFS or Azure AD integration. In these cases you shouldn't need to use MIM to synchronise the users in these apps, because they should inherit claims and user setup from the SSO login process.
The main customer scenarios for MIM tend to be as follows:
- A customer has many on-premises applications which have their own user management modules which need to be synchronised, often in a two-way manner
- A customer has a user onboarding process which runs periodically and starts in an application where MIM is used to synchronise the application with Active Directory
- Import user data and passwords from systems
- Merge and match the users from different systems
- Produce output to send back to systems to update their users
- Ability to define rules for which fields from which systems take precedence
- Workflows for complex user processes
- User self service reset portal
- The merge and match capabilities are easy to set up and it's quite easy to get up and running with a simple scenario
- MIM implemented well is a reliable technology with low maintenance costs for many customers
- Most complex implementations of MIM have integration requirements beyond the out-of-the-box connectors. It's common to see complex ETL processes in tools like SSIS which need to be considered and managed
- Some companies use the anti-pattern of using MIM to process data which is not related to an identity.
- Careful architecture consideration needs to be made to manage which patterns should be used so that the identity platform can make effective use of the integration platform
- The license costs are difficult to clearly understand
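As an added illustration of the merge and match and attribute precedence features listed above (example code written for this page, not MIM's own engine or API), the following simplified model joins records from two constructed sources on employeeID, resolves each attribute by a per-attribute precedence order, and reports where a lower-precedence source disagrees with the winning value and which accounts have no authoritative HR record. The source names, attributes, sample records and precedence table are all assumptions.

```python
# Simplified metadirectory-style join with per-attribute precedence.
# Illustrative model only; not MIM's own implementation.

# Constructed sample records from two connected systems, keyed by employeeID.
HR_RECORDS = [
    {"employeeID": "1001", "displayName": "Alice Smith", "department": "Finance", "status": "active"},
    {"employeeID": "1002", "displayName": "Bob Jones", "department": "IT", "status": "leaver"},
]
AD_RECORDS = [
    {"employeeID": "1001", "displayName": "Alice Smith", "department": "Marketing",
     "mail": "alice@corp.example", "status": "active"},
    {"employeeID": "1003", "displayName": "Orphan Account", "department": "IT",
     "mail": "orphan@corp.example", "status": "active"},
]

# Precedence: for each attribute, the ordered list of systems whose value wins first.
# Systems not listed for an attribute can never set it (assumed policy).
PRECEDENCE = {
    "displayName": ["HR", "AD"],
    "department": ["HR", "AD"],
    "status": ["HR"],   # only HR is authoritative for joiner/leaver status
    "mail": ["AD"],     # only AD is authoritative for the mail attribute
}

def merge_identities(sources):
    """sources: dict of system name -> list of records.
    Returns (metaverse keyed by employeeID, list of conflicts).
    A conflict is (employeeID, attribute, losing system, losing value, winning system)."""
    joined = {}
    for system, records in sources.items():
        for rec in records:
            joined.setdefault(rec["employeeID"], {})[system] = rec
    metaverse, conflicts = {}, []
    for emp_id, by_system in joined.items():
        mv = {"employeeID": emp_id, "sources": sorted(by_system)}
        for attr, order in PRECEDENCE.items():
            winner = next(((s, by_system[s][attr]) for s in order
                           if s in by_system and attr in by_system[s]), None)
            if winner is None:
                continue  # no authoritative source present for this attribute
            mv[attr] = winner[1]
            for s, rec in by_system.items():
                if s != winner[0] and rec.get(attr) not in (None, winner[1]):
                    conflicts.append((emp_id, attr, s, rec[attr], winner[0]))
        metaverse[emp_id] = mv
    return metaverse, conflicts

def orphaned_accounts(metaverse, authoritative="HR"):
    """employeeIDs present in some system but missing from the authoritative source."""
    return sorted(e for e, mv in metaverse.items() if authoritative not in mv["sources"])
```

The conflict list and the orphan list are the two outputs worth reviewing in a sync run: the first shows where a non-authoritative system is drifting from the source of truth, the second shows accounts that exist with no HR record behind them.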
MIM has the following dependencies:
- Windows Server
- SQL Server for its database
- IIS for the MIM portal
MIM is hosted on Windows Server
Based on our interpretation, the CAL license is needed for the Password Reset Portal and for complex workflows, which may not be required by your implementation. If this is the case then you only need the server licenses for Windows and SQL.
If you need the CAL licenses then the cost could increase significantly. Best to check your requirements in more detail with the licensing guide.
There aren't really any directly related technologies in the Microsoft stack; however, a MIM solution may often use things like BizTalk or SSIS to help provide integration to other applications.
Microsoft isn't really doing much with MIM. It's still on version 2016, but has a Service Pack 2 release and is under extended support until 2026 (although mainstream support for the current version ends in 2021).
We think the roadmap for identity lifecycle is that MIM is mainly around for the Azure AD to Active Directory use case and for legacy scenarios. Most applications today are using Azure AD based approaches and we would not be doing new work with MIM. We think a planned reduction in your MIM investment, so that you eventually just have Azure AD to AD synchronisation with Azure AD Connect, is where SaaS and cloud investments will take you anyway.