Book Image

Microsoft Identity Manager 2016 Handbook

By : David Steadman, Jeff Ingalls
Book Image

Microsoft Identity Manager 2016 Handbook

By: David Steadman, Jeff Ingalls

Overview of this book

Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement. The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices. By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Related Content you might be interested in

Current Title:

Small book image
Microsoft Identity Manager 2016 Handbook
David Steadman | Jeff Ingalls
Jul, 2016 | 692 pages
No titles found
Table of Contents (22 chapters)
Microsoft Identity Manager 2016 Handbook
Microsoft Identity Manager 2016 Handbook
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Overview of Microsoft Identity Manager 2016
Overview of Microsoft Identity Manager 2016
The Financial Company
The challenges
The environment
Moving forward
The history of Microsoft Identity 2016
MIM Synchronization Service
MIM Portal and Service
MIM Certificate Management
Role-Based Access Control (RBAC) with BHOLD
MIM Reporting
Privilege Access Management
Licensing
Summary
2
Installation
Installation
Capacity planning
eparating roles
Hardware
Installation order
Prerequisites
Installation
Post-installation configuration
Summary
3
MIM Sync Configuration
MIM Sync Configuration
MIM Synchronization interface
Creating Management Agents
Creating a rules extension
The Metaverse rules extension
Schema management
Initial load versus scheduled runs
Summary
4
MIM Service Configuration
MIM Service Configuration
MIM Service request processing
The MIM Service Management Agent
Understanding the portal and UI
Summary
5
User Management
User Management
Additional sync engine information
Portal MPRs for user management
Configuring sets for user management
Inbound synchronization rules
Outbound synchronization rules
Provisioning
Managing users in a phone system
Managing users in Active Directory
Temporal sets
Self-service using MIM Portal
Managing Exchange
More considerations
Summary
6
Group Management
Group Management
Group scope and types
Modifying MPRs for group management
Managing groups in AD
Installing client add-ins
Creating and managing distribution groups
Summary
7
Role-Based Access Control with BHOLD
Role-Based Access Control with BHOLD
Role-based access control
Installation
Access Management Connector
MIM/FIM Integration
Attestation
Reporting
Summary
8
Reducing Threats with PAM
Reducing Threats with PAM
Why deploy PAM?
PAM components
How does it work?
System requirements
Considerations
Our scenario
Installing PAM
User experience
PAM in the MIM service
The sample PAM portal
Multi-factor authentication
Summary
9
Password Management
Password Management
SSPR background
Installing self-service password reset
Enabling password management in AD
Allowing MIM Service to set passwords
Configuring MIM Service
The SSPR user experience
SSPR lockout
Password synchronization
Password Change Notification Service
Summary
10
Overview of Certificate Management
Overview of Certificate Management
What is certificate management?
Certificate management components
Certificate management agents
The certificate management permission model
Summary
11
Installation and the Client Side of Certificate Management
Installation and the Client Side of Certificate Management
Installation and configuration
Certificate management clients
Summary
12
Certificate Management Scenarios
Certificate Management Scenarios
Modern app and TPM virtual smart card
Using support for Non-MIM CM
Multiforest configuration
ADFS configuration
Models at a glance
Summary
13
Reporting
Reporting
Verifying the SCSM setup
Default reports
The SCSM ETL process
Looking at reports
Modifying reports
Hybrid reporting in Azure
Summary
14
Troubleshooting
Troubleshooting
The basics
Operation statistics
A simple data problem
Rule extension debugging and logging
Rule extension logging
MIM service request failures
Debugging a custom activity
Increasing application logging
Password change notification service
Summary
15
Operations and Best Practices
Operations and Best Practices
Expectations versus reality
Automating run profiles
Best practices concepts
Backup and restore
Backing up the synchronization encryption key
Restoring the MIM synchronization DB
Restoring the MIM service DB and portal
Additional backup considerations
Operational health
Database maintenance
SQL best practices
MIM synchronization best practices
MIM portal best practices
Other best practices
Summary
Index
Index

Enabling password management in AD

The goal for SSPR is, usually, to reset the password of users' accounts in Active Directory, but the SSPR feature in MIM is not limited to Active Directory, and can be used to reset passwords in other connect data sources (CDS) as well.

In order for MIM to change the password of a user in AD (or any other CDS), the account used by MIM (svc-adma in our example) needs to have the reset password permission in AD, or a similar permission in another CDS:

  1. In the Management Agent for the target CDS, in this case the AD, we need to check the Enable password management checkbox:

  2. If we then look at the settings, we can make some adjustments, as shown in the following screenshot:

    Note

    The Unlock locked accounts when resetting passwords option is not enabled by default. It is up to your security team to determine if this setting is right for you. The authors have seen organizations that have this setting enabled as well as disabled.

The Management Agent for AD is now ready...

Previous Section
End of Section 4
Next Section