O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Microsoft Identity Manager 2016 Handbook

Book Description

A complete handbook on Microsoft Identity Manager 2016 – from design considerations to operational best practices

About This Book

  • Get to grips with the basics of identity management and get acquainted with the MIM components and functionalities
  • Discover the newly-introduced product features and how they can help your organization
  • A step-by-step guide to enhance your foundational skills in using Microsoft Identity Manager from those who have taught and supported large and small enterprise customers

Who This Book Is For

If you are an architect or a developer who wants to deploy, manage, and operate Microsoft Identity Manager 2016, then this book is for you. This book will also help the technical decision makers who want to improve their knowledge of Microsoft Identity Manager 2016. A basic understanding of Microsoft-based infrastructure using Active Directory is expected. Identity management beginners and experts alike will be able to apply the examples and scenarios to solve real-world customer problems.

What You Will Learn

  • Install MIM components
  • Find out about the MIM synchronization, its configuration settings, and advantages
  • Get to grips with the MIM service capabilities and develop custom activities
  • Use the MIM Portal to provision and manage an account
  • Mitigate access escalation and lateral movement risks using privileged access management
  • Configure client certificate management and its detailed permission model
  • Troubleshoot MIM components by enabling logging and reviewing logs
  • Back up and restore the MIM 2015 configuration
  • Discover more about periodic purging and the coding best practices

In Detail

Microsoft Identity Manager 2016 is Microsoft’s solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement.

The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and their problems and goals, then build an identity solutions to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices.

By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Style and approach

The concepts in the book are explained and illustrated with the help of screenshots as much as possible. We strive for readability and provide you with step-by-step instructions on the installation, configuration, and operation of the product.

Throughout the book, you will be provided on-the-field knowledge that you won’t get from whitepapers and help files.

Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code file.

Table of Contents

  1. Microsoft Identity Manager 2016 Handbook
    1. Table of Contents
    2. Microsoft Identity Manager 2016 Handbook
    3. Credits
    4. About the Authors
    5. About the Reviewers
    6. www.PacktPub.com
      1. eBooks, discount offers, and more
        1. Why subscribe?
        2. Instant updates on new Packt books
    7. Preface
      1. The story in this book
      2. What this book covers
      3. What you need for this book
      4. Who this book is for
      5. Conventions
      6. Reader feedback
      7. Customer support
        1. Downloading the color images of this book
        2. Errata
        3. Piracy
        4. Questions
    8. 1. Overview of Microsoft Identity Manager 2016
      1. The Financial Company
      2. The challenges
        1. Provisioning of users
        2. The identity life cycle procedures
        3. Highly privileged accounts (HPA)
        4. Password management
        5. Traceability
      3. The environment
      4. Moving forward
      5. The history of Microsoft Identity 2016
        1. Components at a glance
      6. MIM Synchronization Service
      7. MIM Portal and Service
      8. MIM Certificate Management
      9. Role-Based Access Control (RBAC) with BHOLD
      10. MIM Reporting
      11. Privilege Access Management
      12. Licensing
      13. Summary
    9. 2. Installation
      1. Capacity planning
      2. eparating roles
        1. Databases
        2. MIM features
      3. Hardware
      4. Installation order
      5. Prerequisites
        1. Databases
          1. Collation and languages
          2. SQL aliases
          3. SQL
          4. SCSM
        2. Web servers
          1. MIM Portal
          2. MIM password reset
          3. MIM Certificate Management
        3. MIM Service accounts and groups
        4. The Kerberos configuration
          1. SETSPN
          2. Delegation
      6. Installation
        1. The MIM Synchronization service
        2. The System Center Service Manager console
        3. SharePoint Foundation
        4. The MIM service and the MIM portal
        5. The MIM Password Reset portal
        6. MIM certificate management
        7. SCSM management
        8. SCSM Data Warehouse
      7. Post-installation configuration
        1. Granting the MIM service access to MIM Sync
        2. Securing the MIM Service mailbox
        3. Disabling indexing in SharePoint
        4. Redirecting to IdentityManagement
        5. Enforcing Kerberos
        6. Editing binding in IIS for MIM Password sites
        7. Registering the SCSM manager in data warehouse
        8. MIM post-install scripts for data warehouse
      8. Summary
    10. 3. MIM Sync Configuration
      1. MIM Synchronization interface
      2. Creating Management Agents
        1. Active Directory
          1. Least-privileged approach
          2. Directory replication
          3. Password reset
          4. Creating AD MA
        2. HR (SQL Server)
          1. Creating an SQL MA
      3. Creating a rules extension
      4. The Metaverse rules extension
        1. Indexing Metaverse attributes
        2. Creating run profiles
          1. Single or multi step
      5. Schema management
        1. MIM Sync versus MIM Service schema
        2. Object deletion in MV
      6. Initial load versus scheduled runs
        1. Maintenance mode for production
          1. Disabling maintenance mode
      7. Summary
    11. 4. MIM Service Configuration
      1. MIM Service request processing
        1. The management policy
        2. Service partitions
        3. Included authentication, authorization, and action activities
          1. Authentication activities
          2. Authorization activities
          3. Action activities
      2. The MIM Service Management Agent
        1. The MIM Service MA
        2. Creating the FIM Service MA
        3. The MIM MA filtering accounts
      3. Understanding the portal and UI
        1. Portal configuration
        2. The navigation bar resource
        3. Search scopes
        4. Filter permissions
        5. Resource Control Display Configurations
        6. Custom activities development
      4. Summary
    12. 5. User Management
      1. Additional sync engine information
      2. Portal MPRs for user management
      3. Configuring sets for user management
      4. Inbound synchronization rules
      5. Outbound synchronization rules
        1. Outbound Synchronization Policy
        2. Outbound System Scoping Filter
        3. Detected Rule Entry
      6. Provisioning
        1. Non-declarative provisioning
      7. Managing users in a phone system
      8. Managing users in Active Directory
        1. The userAccountControl attribute
        2. Provisioning users to Active Directory
          1. Synchronization rule
          2. Creating the set
          3. Setting up the workflow
          4. Creating the MPR
        3. Inbound synchronization from AD
      9. Temporal sets
      10. Self-service using MIM Portal
        1. Managers can see direct reports
        2. Allowing users to manage their own attributes
      11. Managing Exchange
        1. Exchange 2007
        2. Exchange 2010 and later
        3. Synchronization rules for Exchange
          1. Mailbox users
          2. Mail-enabled users
      12. More considerations
      13. Summary
    13. 6. Group Management
      1. Group scope and types
        1. Active Directory
        2. Group scope and type in MIM
          1. Type
          2. Scope
          3. Member selection
            1. Manual groups
            2. Manager-based groups
            3. Criteria-based groups
      2. Modifying MPRs for group management
      3. Managing groups in AD
        1. Security and distribution groups
          1. Synchronization rule
      4. Installing client add-ins
        1. Add-ins and extensions
      5. Creating and managing distribution groups
      6. Summary
    14. 7. Role-Based Access Control with BHOLD
      1. Role-based access control
        1. BHOLD role model objects
          1. Organizational units
          2. Users
          3. Roles
          4. Permissions
          5. Applications
          6. Other advanced features
      2. Installation
        1. BHOLD Core and other components
        2. MIM/FIM Integration install
        3. Patching
      3. Access Management Connector
        1. Creating the ODBC connection file
        2. Creating the generic SQL connector for the BHOLD orgunit
        3. Creating run profiles
        4. Creating a BHOLD connector and sync rules
      4. MIM/FIM Integration
      5. Attestation
      6. Reporting
      7. Summary
    15. 8. Reducing Threats with PAM
      1. Why deploy PAM?
      2. PAM components
      3. How does it work?
      4. System requirements
      5. Considerations
      6. Our scenario
        1. Preparing TFC
        2. Preparing PRIV
        3. Preparing the PAM server
      7. Installing PAM
        1. Installing PAM PowerShell cmdlets
        2. DNS, trust, and permissions
        3. Privileged groups, users, and roles
      8. User experience
      9. PAM in the MIM service
      10. The sample PAM portal
      11. Multi-factor authentication
      12. Summary
    16. 9. Password Management
      1. SSPR background
        1. QA versus OTP
      2. Installing self-service password reset
      3. Enabling password management in AD
      4. Allowing MIM Service to set passwords
      5. Configuring MIM Service
        1. Password Reset Users Set
        2. Password Reset AuthN workflow
        3. Configuring the QA gate
        4. The OTP gate
        5. The Phone gate
        6. Require re-registration
        7. SSPR MPRs
      6. The SSPR user experience
      7. SSPR lockout
      8. Password synchronization
      9. Password Change Notification Service
      10. Summary
    17. 10. Overview of Certificate Management
      1. What is certificate management?
      2. Certificate management components
      3. Certificate management agents
      4. The certificate management permission model
        1. Creating service accounts
        2. Service Connection Point
        3. The Active Directory extended permissions
        4. The certificate templates permission
        5. The profile template permission
        6. The management policy permission
          1. The software management policy
          2. The smart card management policy
      5. Summary
    18. 11. Installation and the Client Side of Certificate Management
      1. Installation and configuration
        1. Extending the schema
        2. The configuration wizard
          1. Creating certificate templates for MIM CM service accounts
            1. The MIM CM User Agent certificate template
            2. The MIM CM Enrollment Agent certificate template
            3. The MIM CM Key Recovery Agent certificate template
            4. Enabling the templates
          2. Require SSL on the CM portal
          3. Kerberos… oh, what a world!
        3. Running the wizard
        4. Backup certificates
        5. Rerunning the wizard
          1. The accounts
          2. The database
        6. Configuring the MIM CM Update service
        7. Database permissions
        8. Configuring the CA
          1. Installing the MIM CM CA files
          2. Configuring the Policy Module
      2. Certificate management clients
        1. Installing the MIM CM client
        2. Modern App deployment and configuration
          1. Configuration and deployment
      3. Summary
    19. 12. Certificate Management Scenarios
      1. Modern app and TPM virtual smart card
        1. Creating a certificate template
        2. Creating the profile
        3. Testing the scenario
      2. Using support for Non-MIM CM
        1. Creating the software certificate
        2. Creating the profile
        3. Testing the scenario
      3. Multiforest configuration
        1. Step 1 – CM DNS setup
        2. Step 2 – CM domain trust and configuration
        3. Step 3 – CM forest configuration
        4. Step 4 – CM enrollment configuration
      4. ADFS configuration
        1. Step 1 – the CM installation and prerequisites
        2. Step 2 – the configuration wizard
        3. Step 3 – continued configuration
        4. Step 4 – the final test
      5. Models at a glance
        1. The centralized management model
        2. The self-service model
        3. The manager-initiated model
      6. Summary
    20. 13. Reporting
      1. Verifying the SCSM setup
        1. Synchronizing data from MIM to SCSM
      2. Default reports
      3. The SCSM ETL process
      4. Looking at reports
        1. Allowing users to read reports
      5. Modifying reports
      6. Hybrid reporting in Azure
      7. Summary
    21. 14. Troubleshooting
      1. The basics
      2. Operation statistics
      3. A simple data problem
      4. Rule extension debugging and logging
      5. Rule extension logging
      6. MIM service request failures
      7. Debugging a custom activity
      8. Increasing application logging
      9. Password change notification service
      10. Summary
    22. 15. Operations and Best Practices
      1. Expectations versus reality
      2. Automating run profiles
      3. Best practices concepts
      4. Backup and restore
      5. Backing up the synchronization encryption key
      6. Restoring the MIM synchronization DB
      7. Restoring the MIM service DB and portal
      8. Additional backup considerations
      9. Operational health
      10. Database maintenance
      11. SQL best practices
      12. MIM synchronization best practices
      13. MIM portal best practices
      14. Other best practices
      15. Summary
    23. Index