Microsoft Identity Manager 2016 Handbook

Book Image

Microsoft Identity Manager 2016 Handbook

By : David Steadman, Jeff Ingalls

Book Image

Microsoft Identity Manager 2016 Handbook

By: David Steadman, Jeff Ingalls

Overview of this book

Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement. The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices. By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Microsoft Identity Manager 2016 Handbook

Microsoft Identity Manager 2016 Handbook

Credits

About the Authors

About the Authors

About the Reviewers

About the Reviewers

www.PacktPub.com

www.PacktPub.com

Preface

Free Chapter

Overview of Microsoft Identity Manager 2016

Overview of Microsoft Identity Manager 2016

The Financial Company

The environment

The history of Microsoft Identity 2016

MIM Synchronization Service

MIM Portal and Service

MIM Certificate Management

Role-Based Access Control (RBAC) with BHOLD

Privilege Access Management

Installation

Capacity planning

eparating roles

Installation order

Post-installation configuration

MIM Sync Configuration

MIM Sync Configuration

MIM Synchronization interface

Creating Management Agents

Creating a rules extension

The Metaverse rules extension

Schema management

Initial load versus scheduled runs

MIM Service Configuration

MIM Service Configuration

MIM Service request processing

The MIM Service Management Agent

Understanding the portal and UI

User Management

User Management

Additional sync engine information

Portal MPRs for user management

Configuring sets for user management

Inbound synchronization rules

Outbound synchronization rules

Managing users in a phone system

Managing users in Active Directory

Self-service using MIM Portal

Managing Exchange

More considerations

Group Management

Group Management

Group scope and types

Modifying MPRs for group management

Managing groups in AD

Installing client add-ins

Creating and managing distribution groups

Role-Based Access Control with BHOLD

Role-Based Access Control with BHOLD

Role-based access control

Access Management Connector

MIM/FIM Integration

Reducing Threats with PAM

Reducing Threats with PAM

Why deploy PAM?

How does it work?

System requirements

User experience

PAM in the MIM service

The sample PAM portal

Multi-factor authentication

Password Management

Password Management

SSPR background

Installing self-service password reset

Enabling password management in AD

Allowing MIM Service to set passwords

Configuring MIM Service

The SSPR user experience

Password synchronization

Password Change Notification Service

Overview of Certificate Management

Overview of Certificate Management

What is certificate management?

Certificate management components

Certificate management agents

The certificate management permission model

Installation and the Client Side of Certificate Management

Installation and the Client Side of Certificate Management

Installation and configuration

Certificate management clients

Certificate Management Scenarios

Certificate Management Scenarios

Modern app and TPM virtual smart card

Using support for Non-MIM CM

Multiforest configuration

ADFS configuration

Models at a glance

Reporting

Verifying the SCSM setup

Default reports

The SCSM ETL process

Looking at reports

Modifying reports

Hybrid reporting in Azure

Troubleshooting

Troubleshooting

Operation statistics

A simple data problem

Rule extension debugging and logging

Rule extension logging

MIM service request failures

Debugging a custom activity

Increasing application logging

Password change notification service

Operations and Best Practices

Operations and Best Practices

Expectations versus reality

Automating run profiles

Best practices concepts

Backup and restore

Backing up the synchronization encryption key

Restoring the MIM synchronization DB

Restoring the MIM service DB and portal

Additional backup considerations

Operational health

Database maintenance

SQL best practices

MIM synchronization best practices

MIM portal best practices

Other best practices

Index

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Configuring MIM Service

SSPR is not enabled by default in MIM Service, so we need to enable some MPRs and configure some sets and workflows. The next section will outline what is needed to get this working.

Password Reset Users Set

The default MPRs around SSPR use a predefined set called Password Reset Users Set. If you look at the criterion for that set, you will find that it applies to all users:

Allowing SSPR for all users is usually more extreme than most organizations allow. In our situation, we will allow SSPR for all employees:

We have now defined users for whom we would like to use the SSPR feature.

Password Reset AuthN workflow

As we discussed earlier, we need to have at least one authentication workflow in our SSPR implementation. The default one is called Password Reset AuthN Workflow. The default activity used in this workflow to authenticate the users is the QA gate:

There are also some activities to support the SSPR feature; we will look at those now:

The Password Authentication Challenge...