Microsoft Identity Manager 2016 Handbook

Book Image

Microsoft Identity Manager 2016 Handbook

By : David Steadman, Jeff Ingalls

Book Image

Microsoft Identity Manager 2016 Handbook

By: David Steadman, Jeff Ingalls

Overview of this book

Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement. The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices. By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Microsoft Identity Manager 2016 Handbook

Microsoft Identity Manager 2016 Handbook

Credits

About the Authors

About the Authors

About the Reviewers

About the Reviewers

www.PacktPub.com

www.PacktPub.com

Preface

Free Chapter

Overview of Microsoft Identity Manager 2016

Overview of Microsoft Identity Manager 2016

The Financial Company

The environment

The history of Microsoft Identity 2016

MIM Synchronization Service

MIM Portal and Service

MIM Certificate Management

Role-Based Access Control (RBAC) with BHOLD

Privilege Access Management

Installation

Capacity planning

eparating roles

Installation order

Post-installation configuration

MIM Sync Configuration

MIM Sync Configuration

MIM Synchronization interface

Creating Management Agents

Creating a rules extension

The Metaverse rules extension

Schema management

Initial load versus scheduled runs

MIM Service Configuration

MIM Service Configuration

MIM Service request processing

The MIM Service Management Agent

Understanding the portal and UI

User Management

User Management

Additional sync engine information

Portal MPRs for user management

Configuring sets for user management

Inbound synchronization rules

Outbound synchronization rules

Managing users in a phone system

Managing users in Active Directory

Self-service using MIM Portal

Managing Exchange

More considerations

Group Management

Group Management

Group scope and types

Modifying MPRs for group management

Managing groups in AD

Installing client add-ins

Creating and managing distribution groups

Role-Based Access Control with BHOLD

Role-Based Access Control with BHOLD

Role-based access control

Access Management Connector

MIM/FIM Integration

Reducing Threats with PAM

Reducing Threats with PAM

Why deploy PAM?

How does it work?

System requirements

User experience

PAM in the MIM service

The sample PAM portal

Multi-factor authentication

Password Management

Password Management

SSPR background

Installing self-service password reset

Enabling password management in AD

Allowing MIM Service to set passwords

Configuring MIM Service

The SSPR user experience

Password synchronization

Password Change Notification Service

Overview of Certificate Management

Overview of Certificate Management

What is certificate management?

Certificate management components

Certificate management agents

The certificate management permission model

Installation and the Client Side of Certificate Management

Installation and the Client Side of Certificate Management

Installation and configuration

Certificate management clients

Certificate Management Scenarios

Certificate Management Scenarios

Modern app and TPM virtual smart card

Using support for Non-MIM CM

Multiforest configuration

ADFS configuration

Models at a glance

Reporting

Verifying the SCSM setup

Default reports

The SCSM ETL process

Looking at reports

Modifying reports

Hybrid reporting in Azure

Troubleshooting

Troubleshooting

Operation statistics

A simple data problem

Rule extension debugging and logging

Rule extension logging

MIM service request failures

Debugging a custom activity

Increasing application logging

Password change notification service

Operations and Best Practices

Operations and Best Practices

Expectations versus reality

Automating run profiles

Best practices concepts

Backup and restore

Backing up the synchronization encryption key

Restoring the MIM synchronization DB

Restoring the MIM service DB and portal

Additional backup considerations

Operational health

Database maintenance

SQL best practices

MIM synchronization best practices

MIM portal best practices

Other best practices

Index

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

System requirements

PAM requires a management forest of Windows 2012 R2 or above, called a bastion forest, which is trusted (one-way trust) by the existing corporate forest(s). The bastion forest must be highly secured and well managed, which is why a new forest is recommended.

Note

Microsoft's Best Practices for Securing Active Directory is a must read. Find it at http://bit.ly/SecuringAD.

If you already have a secured management forest, then it can be utilized for PAM, and a new management forest is not needed. More information on PAM with an existing Active Directory forest can be found at http://bit.ly/MIMPAMWithExistingDomains.

If you do not already have a management forest, you may be wondering why Microsoft requires another forest for PAM. There are two reasons: firstly, a new forest will be free from malicious activity, and secondly, a new forest will help restrict access in the existing corporate forest(s). Basically, we can get the best out of our existing forest(s) by assuming the...