Microsoft Identity Manager 2016 Handbook

Book Image

Microsoft Identity Manager 2016 Handbook

By : David Steadman, Jeff Ingalls

Book Image

Microsoft Identity Manager 2016 Handbook

By: David Steadman, Jeff Ingalls

Overview of this book

Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement. The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices. By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Microsoft Identity Manager 2016 Handbook

Microsoft Identity Manager 2016 Handbook

Credits

About the Authors

About the Authors

About the Reviewers

About the Reviewers

www.PacktPub.com

www.PacktPub.com

Preface

Free Chapter

Overview of Microsoft Identity Manager 2016

Overview of Microsoft Identity Manager 2016

The Financial Company

The environment

The history of Microsoft Identity 2016

MIM Synchronization Service

MIM Portal and Service

MIM Certificate Management

Role-Based Access Control (RBAC) with BHOLD

Privilege Access Management

Installation

Capacity planning

eparating roles

Installation order

Post-installation configuration

MIM Sync Configuration

MIM Sync Configuration

MIM Synchronization interface

Creating Management Agents

Creating a rules extension

The Metaverse rules extension

Schema management

Initial load versus scheduled runs

MIM Service Configuration

MIM Service Configuration

MIM Service request processing

The MIM Service Management Agent

Understanding the portal and UI

User Management

User Management

Additional sync engine information

Portal MPRs for user management

Configuring sets for user management

Inbound synchronization rules

Outbound synchronization rules

Managing users in a phone system

Managing users in Active Directory

Self-service using MIM Portal

Managing Exchange

More considerations

Group Management

Group Management

Group scope and types

Modifying MPRs for group management

Managing groups in AD

Installing client add-ins

Creating and managing distribution groups

Role-Based Access Control with BHOLD

Role-Based Access Control with BHOLD

Role-based access control

Access Management Connector

MIM/FIM Integration

Reducing Threats with PAM

Reducing Threats with PAM

Why deploy PAM?

How does it work?

System requirements

User experience

PAM in the MIM service

The sample PAM portal

Multi-factor authentication

Password Management

Password Management

SSPR background

Installing self-service password reset

Enabling password management in AD

Allowing MIM Service to set passwords

Configuring MIM Service

The SSPR user experience

Password synchronization

Password Change Notification Service

Overview of Certificate Management

Overview of Certificate Management

What is certificate management?

Certificate management components

Certificate management agents

The certificate management permission model

Installation and the Client Side of Certificate Management

Installation and the Client Side of Certificate Management

Installation and configuration

Certificate management clients

Certificate Management Scenarios

Certificate Management Scenarios

Modern app and TPM virtual smart card

Using support for Non-MIM CM

Multiforest configuration

ADFS configuration

Models at a glance

Reporting

Verifying the SCSM setup

Default reports

The SCSM ETL process

Looking at reports

Modifying reports

Hybrid reporting in Azure

Troubleshooting

Troubleshooting

Operation statistics

A simple data problem

Rule extension debugging and logging

Rule extension logging

MIM service request failures

Debugging a custom activity

Increasing application logging

Password change notification service

Operations and Best Practices

Operations and Best Practices

Expectations versus reality

Automating run profiles

Best practices concepts

Backup and restore

Backing up the synchronization encryption key

Restoring the MIM synchronization DB

Restoring the MIM service DB and portal

Additional backup considerations

Operational health

Database maintenance

SQL best practices

MIM synchronization best practices

MIM portal best practices

Other best practices

Index

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

How does it work?

We can summarize the end user interaction in four steps, as follows:

After PAM is deployed, a user in one of the corporate forests (for us TFC), will request the role activation (some sort of elevation) of a secondary account that resides in a managed domain. If the request is performed via the PowerShell cmdlet, then a call is made directly to the MIM service, whereas if a custom PAM client is used, then the call is made to the REST API first, which interacts with the MIM service.
If the role request requires approval, then we will wait for approval. In Windows 2012 R2 deployments, once approved or autoapproved, the MIM service account (in the management forest) adds the end user's secondary account (in the management forest) to a shadow group (in the management forest). The SID of the sourced TFC group will be in the shadow group's SID History. Note that we did not change the membership of any TFC groups; however, you will see the shadow group membership change.
The person...