Microsoft Identity Manager 2016 Handbook

Book Image

Microsoft Identity Manager 2016 Handbook

By : David Steadman, Jeff Ingalls

Book Image

Microsoft Identity Manager 2016 Handbook

By: David Steadman, Jeff Ingalls

Overview of this book

Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement. The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices. By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Microsoft Identity Manager 2016 Handbook

Microsoft Identity Manager 2016 Handbook

Credits

About the Authors

About the Authors

About the Reviewers

About the Reviewers

www.PacktPub.com

www.PacktPub.com

Preface

Free Chapter

Overview of Microsoft Identity Manager 2016

Overview of Microsoft Identity Manager 2016

The Financial Company

The environment

The history of Microsoft Identity 2016

MIM Synchronization Service

MIM Portal and Service

MIM Certificate Management

Role-Based Access Control (RBAC) with BHOLD

Privilege Access Management

Installation

Capacity planning

eparating roles

Installation order

Post-installation configuration

MIM Sync Configuration

MIM Sync Configuration

MIM Synchronization interface

Creating Management Agents

Creating a rules extension

The Metaverse rules extension

Schema management

Initial load versus scheduled runs

MIM Service Configuration

MIM Service Configuration

MIM Service request processing

The MIM Service Management Agent

Understanding the portal and UI

User Management

User Management

Additional sync engine information

Portal MPRs for user management

Configuring sets for user management

Inbound synchronization rules

Outbound synchronization rules

Managing users in a phone system

Managing users in Active Directory

Self-service using MIM Portal

Managing Exchange

More considerations

Group Management

Group Management

Group scope and types

Modifying MPRs for group management

Managing groups in AD

Installing client add-ins

Creating and managing distribution groups

Role-Based Access Control with BHOLD

Role-Based Access Control with BHOLD

Role-based access control

Access Management Connector

MIM/FIM Integration

Reducing Threats with PAM

Reducing Threats with PAM

Why deploy PAM?

How does it work?

System requirements

User experience

PAM in the MIM service

The sample PAM portal

Multi-factor authentication

Password Management

Password Management

SSPR background

Installing self-service password reset

Enabling password management in AD

Allowing MIM Service to set passwords

Configuring MIM Service

The SSPR user experience

Password synchronization

Password Change Notification Service

Overview of Certificate Management

Overview of Certificate Management

What is certificate management?

Certificate management components

Certificate management agents

The certificate management permission model

Installation and the Client Side of Certificate Management

Installation and the Client Side of Certificate Management

Installation and configuration

Certificate management clients

Certificate Management Scenarios

Certificate Management Scenarios

Modern app and TPM virtual smart card

Using support for Non-MIM CM

Multiforest configuration

ADFS configuration

Models at a glance

Reporting

Verifying the SCSM setup

Default reports

The SCSM ETL process

Looking at reports

Modifying reports

Hybrid reporting in Azure

Troubleshooting

Troubleshooting

Operation statistics

A simple data problem

Rule extension debugging and logging

Rule extension logging

MIM service request failures

Debugging a custom activity

Increasing application logging

Password change notification service

Operations and Best Practices

Operations and Best Practices

Expectations versus reality

Automating run profiles

Best practices concepts

Backup and restore

Backing up the synchronization encryption key

Restoring the MIM synchronization DB

Restoring the MIM service DB and portal

Additional backup considerations

Operational health

Database maintenance

SQL best practices

MIM synchronization best practices

MIM portal best practices

Other best practices

Index

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Role-based access control

When we talk about RBAC, the first thing that comes to mind are security groups and the managers or owners of the security groups. Now, in the discussion around role-based access, we also use the term discretionary access control, also known as RBAC. But when we look at RBAC, we typically see a lot of security groups in a one-to-one relationship between the organizations and the security groups. This can be okay and manageable for a small organizations, but as the organization grows, these memberships of the groups become really hard to manage, and also to monitor who has access to what. The following image is a classic depiction of this challenge:

So, how does an organization look at this problem? Most organizations use the MIM Service and Portal, but this only helps in automating processes in the groups; it does not solve the overall problem— it just mitigates it. This is where role-based access with BHOLD comes in. We will also talk about privileged access management...