Identity and Access Management (IAM) is a solution that simplifies identity management for enterprises by automating their administration processes such as account provision, password management, and access right management.
Microsoft Identity Manager (MIM) 2016, as one of the IAM solutions, is used to help manage the users, credentials, policies, and access within an organization. Moreover, MIM 2016 even adds in a hybrid experience, privileged access management capabilities, and support for new platforms.
Figure 1 Without IAM solution
Without an IAM solution, IT/service desk is required to communicate with each application owners and infrastructure administrators for identity creation, identity profile update, password reset in different types of directory servers and database servers in different environments (On-premises and Cloud). To the worst, there is no standardized procedure and tools to keep track on the status of identities for their historical records. Therefore, how to manage identity and how to achieve it in a stream become a big challenge many enterprises are facing.
Figure 2 MIM 2016 Solution
Microsoft Identity Manager (MIM) 2016 is the solution that solves the above problems, having simplified the identity management for many of our clients. MIM provides not only a single point of view to many types of users in managing their identities from various sources, but also multiple out-of-the-box connectors to establish the connection between MIM and the identity sources. Therefore, users can focus on establishing the business procedures to manage their own identities.
- Case Study
In one of our MIM cases, there is a kind of requirements as following:
- General users manage their profiles for email and user account by self-service
- General users reset their account password by self-service
- Need a solution to perform account provision and attribute synchronization from application data to Active Directory automatically
Based on the above requirements, we suggested MIM to satisfy their needs for the following benefits.
- Manage identities all in one single platform and portal
Figure 3 MIM Portal
In MIM family, MIM Portal is an ASP.NET application providing feasibility for the administrators to manage groups and roles in a single portal via the web browser, where users can manage their profiles, set up workflow procedures for business process like submitting a request application, approving the requests, cancelling pending requests, etc.
- Self-Service Password Reset
Figure 4 MIM Password Reset Registration Portal
For password reset, a user will launch a web browser and navigate to the MIM Password Reset Registration Portal. Within the portal, they will provide their username and password again to confirm their identity.
Here are a few ways MIM supports to reset the password:
Password Reset Registration Portal sends a one-time password (OTP) to the applicant through email. The applicant then enters the OTP in the portal and reset the account password.
Password Reset Registration Portal sends a one-time password (OTP) to the applicant through SMS. The applicant then enters the OTP in the Portal and reset the account password.
- Challenge questions
The applicant provides the correct answers for a list of pre-defined questions; then, the applicant is able to reset the account password.
- Support many popular directory services natively
For account provision and attribute synchronization, MIM Synchronization Service provides multiple built-in connectors to import/export identity objects from different data sources.
Figure 5 Connector List in MA
Before the provision and synchronization, administrators are required to set up a management agent (MA) in “MIM synchronization service and rules” in MIM portal. MA defines which connectors should be used and the how to handle each identity object. Synchronization rule then defines the attribute mapping and the attribute flow handling. After the configuration, MIM can perform account provision and attribute synchronization
Figure 6 Synchronization Rule
To summarize, MIM brings us many benefits including:
- Simplify the identity management
- Provide connectors to work with different traditional directory services
- Provide self-service to different types of users to manage identities from different sources
- Track on the historical events related to your objects