Microsoft Identity Manager 2016 Handbook

Book Image

Microsoft Identity Manager 2016 Handbook

By : David Steadman, Jeff Ingalls

Book Image

Microsoft Identity Manager 2016 Handbook

By: David Steadman, Jeff Ingalls

Overview of this book

Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement. The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices. By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Microsoft Identity Manager 2016 Handbook

Microsoft Identity Manager 2016 Handbook

Credits

About the Authors

About the Authors

About the Reviewers

About the Reviewers

www.PacktPub.com

www.PacktPub.com

Preface

Free Chapter

Overview of Microsoft Identity Manager 2016

Overview of Microsoft Identity Manager 2016

The Financial Company

The environment

The history of Microsoft Identity 2016

MIM Synchronization Service

MIM Portal and Service

MIM Certificate Management

Role-Based Access Control (RBAC) with BHOLD

Privilege Access Management

Installation

Capacity planning

eparating roles

Installation order

Post-installation configuration

MIM Sync Configuration

MIM Sync Configuration

MIM Synchronization interface

Creating Management Agents

Creating a rules extension

The Metaverse rules extension

Schema management

Initial load versus scheduled runs

MIM Service Configuration

MIM Service Configuration

MIM Service request processing

The MIM Service Management Agent

Understanding the portal and UI

User Management

User Management

Additional sync engine information

Portal MPRs for user management

Configuring sets for user management

Inbound synchronization rules

Outbound synchronization rules

Managing users in a phone system

Managing users in Active Directory

Self-service using MIM Portal

Managing Exchange

More considerations

Group Management

Group Management

Group scope and types

Modifying MPRs for group management

Managing groups in AD

Installing client add-ins

Creating and managing distribution groups

Role-Based Access Control with BHOLD

Role-Based Access Control with BHOLD

Role-based access control

Access Management Connector

MIM/FIM Integration

Reducing Threats with PAM

Reducing Threats with PAM

Why deploy PAM?

How does it work?

System requirements

User experience

PAM in the MIM service

The sample PAM portal

Multi-factor authentication

Password Management

Password Management

SSPR background

Installing self-service password reset

Enabling password management in AD

Allowing MIM Service to set passwords

Configuring MIM Service

The SSPR user experience

Password synchronization

Password Change Notification Service

Overview of Certificate Management

Overview of Certificate Management

What is certificate management?

Certificate management components

Certificate management agents

The certificate management permission model

Installation and the Client Side of Certificate Management

Installation and the Client Side of Certificate Management

Installation and configuration

Certificate management clients

Certificate Management Scenarios

Certificate Management Scenarios

Modern app and TPM virtual smart card

Using support for Non-MIM CM

Multiforest configuration

ADFS configuration

Models at a glance

Reporting

Verifying the SCSM setup

Default reports

The SCSM ETL process

Looking at reports

Modifying reports

Hybrid reporting in Azure

Troubleshooting

Troubleshooting

Operation statistics

A simple data problem

Rule extension debugging and logging

Rule extension logging

MIM service request failures

Debugging a custom activity

Increasing application logging

Password change notification service

Operations and Best Practices

Operations and Best Practices

Expectations versus reality

Automating run profiles

Best practices concepts

Backup and restore

Backing up the synchronization encryption key

Restoring the MIM synchronization DB

Restoring the MIM service DB and portal

Additional backup considerations

Operational health

Database maintenance

SQL best practices

MIM synchronization best practices

MIM portal best practices

Other best practices

Index

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Our scenario

TFC management is concerned with the TFC\JIngalls account, owned by Jeff Ingalls, and is subject to malicious internal and external attacks due to its permanent membership in the TFCAdmins group. The TFCAdmins group grants access to several highly confidential shares and servers. TFC management likes to utilize PAM to eliminate the permanent membership of the TFCAdmins group, mitigating risk while still allowing Jeff to do his job.

To validate our PAM deployment works, Jeff will gain access to an NTFS-secured file through a PAM request. In the past, he could open up the file directly, but under PAM, he will need to perform an extra request step before he can access the file. To set up the scenario, a folder named TOPSECRET on the TFCWIN10 workstation will have NTFS permissions applied to only allow access to members of the TFCAdmins group. Once PAM is deployed, the TFC\JIngalls account will not be in the TFCAdmins group. Yet, through PAM, Jeff will be able to access a file named...