Book Image

Microsoft Identity Manager 2016 Handbook

By : David Steadman, Jeff Ingalls
Book Image

Microsoft Identity Manager 2016 Handbook

By: David Steadman, Jeff Ingalls

Overview of this book

Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement. The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices. By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Related Content you might be interested in

Current Title:

Small book image
Microsoft Identity Manager 2016 Handbook
David Steadman | Jeff Ingalls
Jul, 2016 | 692 pages
No titles found
Table of Contents (22 chapters)
Microsoft Identity Manager 2016 Handbook
Microsoft Identity Manager 2016 Handbook
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Overview of Microsoft Identity Manager 2016
Overview of Microsoft Identity Manager 2016
The Financial Company
The challenges
The environment
Moving forward
The history of Microsoft Identity 2016
MIM Synchronization Service
MIM Portal and Service
MIM Certificate Management
Role-Based Access Control (RBAC) with BHOLD
MIM Reporting
Privilege Access Management
Licensing
Summary
2
Installation
Installation
Capacity planning
eparating roles
Hardware
Installation order
Prerequisites
Installation
Post-installation configuration
Summary
3
MIM Sync Configuration
MIM Sync Configuration
MIM Synchronization interface
Creating Management Agents
Creating a rules extension
The Metaverse rules extension
Schema management
Initial load versus scheduled runs
Summary
4
MIM Service Configuration
MIM Service Configuration
MIM Service request processing
The MIM Service Management Agent
Understanding the portal and UI
Summary
5
User Management
User Management
Additional sync engine information
Portal MPRs for user management
Configuring sets for user management
Inbound synchronization rules
Outbound synchronization rules
Provisioning
Managing users in a phone system
Managing users in Active Directory
Temporal sets
Self-service using MIM Portal
Managing Exchange
More considerations
Summary
6
Group Management
Group Management
Group scope and types
Modifying MPRs for group management
Managing groups in AD
Installing client add-ins
Creating and managing distribution groups
Summary
7
Role-Based Access Control with BHOLD
Role-Based Access Control with BHOLD
Role-based access control
Installation
Access Management Connector
MIM/FIM Integration
Attestation
Reporting
Summary
8
Reducing Threats with PAM
Reducing Threats with PAM
Why deploy PAM?
PAM components
How does it work?
System requirements
Considerations
Our scenario
Installing PAM
User experience
PAM in the MIM service
The sample PAM portal
Multi-factor authentication
Summary
9
Password Management
Password Management
SSPR background
Installing self-service password reset
Enabling password management in AD
Allowing MIM Service to set passwords
Configuring MIM Service
The SSPR user experience
SSPR lockout
Password synchronization
Password Change Notification Service
Summary
10
Overview of Certificate Management
Overview of Certificate Management
What is certificate management?
Certificate management components
Certificate management agents
The certificate management permission model
Summary
11
Installation and the Client Side of Certificate Management
Installation and the Client Side of Certificate Management
Installation and configuration
Certificate management clients
Summary
12
Certificate Management Scenarios
Certificate Management Scenarios
Modern app and TPM virtual smart card
Using support for Non-MIM CM
Multiforest configuration
ADFS configuration
Models at a glance
Summary
13
Reporting
Reporting
Verifying the SCSM setup
Default reports
The SCSM ETL process
Looking at reports
Modifying reports
Hybrid reporting in Azure
Summary
14
Troubleshooting
Troubleshooting
The basics
Operation statistics
A simple data problem
Rule extension debugging and logging
Rule extension logging
MIM service request failures
Debugging a custom activity
Increasing application logging
Password change notification service
Summary
15
Operations and Best Practices
Operations and Best Practices
Expectations versus reality
Automating run profiles
Best practices concepts
Backup and restore
Backing up the synchronization encryption key
Restoring the MIM synchronization DB
Restoring the MIM service DB and portal
Additional backup considerations
Operational health
Database maintenance
SQL best practices
MIM synchronization best practices
MIM portal best practices
Other best practices
Summary
Index
Index

The challenges

During a recent inventory of the systems and functions that their IT department supported, a number of challenges were found. We will now have a look at some of the identity management (IdM)-related challenges that were uncovered.

Provisioning of users

The Financial Company discovered a new employee or contractor may wait up to a week before accounts are provisioned to the various required systems, and the correct access is granted to each person to do his/her job. The Financial Company would like account provisioning and proper access granted within a few hours.

The identity life cycle procedures

A number of identity life cycle management issues were found.

Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or after they changed their job. The termination and disabling of identities was also sometimes missed. A security review found active accounts of users who had left the company more than six months ago.

The security review found one HR consultant who had left The Financial Company months ago that still had VPN access and an active administrative HR account. The access should have been disabled when the project was completed and the consultant's contract had ended.

The Financial Company would like a way of defining identity management policies and a tool that detects anomalies and enforces their business policies. The Financial Company would like business policy enforcement to take no more than a few hours.

Highly privileged accounts (HPA)

The Financial Company has been successful in reducing the number of powerful administrative accounts over the last few years; however, a few still exist. There are also other highly privileged accounts and a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.

Public key infrastructure (PKI) within The Financial Company is a one-layer PKI, using an Enterprise Root CA without hardware security module (HSM). The CSO is concerned that it is not sufficient to start using smart cards because he feels the assurance level of the PKI is not high enough.

Password management

The helpdesk at The Financial Company spends a lot of time helping users who have forgotten their password. Password resets are done for internal users as well as partners with access to shared systems.

Traceability

The Financial Company found that they had no processes or tools in place to trace the status of identities and roles historically. They wanted to be able to answer questions such as:

  • Who was a member of the Domain Admins group in April?

  • When was John's account disabled, and who approved it?

Previous Section
End of Section 3
Next Section