Microsoft has quietly released the successor to Forefront Identity Manager 2010 R2, named Microsoft Identity Manager 2016 (I wonder why 2016), with the following enhancements:
I/ Hybrid scenario with the cloud
With an Azure AD Premium subscription, all MIM activity can be retrieved from the Azure AD reports, in addition to the default ones.
For example, the events related to self-service password reset are located in the Azure AD reports tab under the Password Reset Activity Report. For more information, read the dedicated article.
The self-service portal can also use a second-factor authentication mechanism provided by Azure Multi-Factor Authentication (MFA).
II/ Privileged Access Management (PAM)
This feature protects the highly privileged groups of Active Directory, such as:
- Account Operators
- Backup Operators
- Cert Publishers
- Domain Admins
- Enterprise Admins
- Group Policy Creator Owners
- Schema Admins
- Server Operators
In normal operation these groups stay empty and are populated on demand, only when required. The membership is time-limited (with a theoretical minimum of 5 minutes), which also bounds the Kerberos ticket: the TGT issued after an activation expires at whichever comes first, the role TTL or the usual ticket lifetime.
The workflow that approves the privilege escalation depends on criteria such as the authentication used, membership of a particular MIM role, a second factor like MFA, or a manual validation. By creating different roles it is then possible to set up granular conditions and to require a manual validation for each access request.
The managed (production) forest must be at least at the Windows Server 2003 functional level (beware of the end of life of Windows Server 2003 ;)), but the administrative / bastion forest hosting MIM must be at the 2012 R2 functional level or higher. Only a one-way forest trust is required between the two forests: the production forest trusts the bastion forest, never the reverse. Because the shadow groups in the bastion forest carry the SIDs of the production groups in their SID history, SID filtering (quarantine) has to be disabled and SID history enabled on that trust, so the trust itself becomes a high-value target to monitor.
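As an added example (not code from the original post), here is how the setup described above looks with the MIMPAM module: the one-way trust, a shadow group and shadow account in the bastion forest, a time-limited role, and draining the standing members of the production group. Forest, domain, DC, group and account names are assumptions; the approval and MFA parameter names on New-PAMRole are also assumptions to check with Get-Help.

```powershell
# Added example, not from the original post: onboarding one production group
# into MIM PAM with the MIMPAM module. Forest, domain, DC, group and account
# names are assumptions; replace them with your own. Run on the MIM PAM server
# in the bastion forest (PRIV) as a PAM administrator.

Import-Module MIMPAM
Import-Module ActiveDirectory

# Credentials of an administrator in the production forest (CONTOSO)
$corpCred = Get-Credential -Message 'CONTOSO administrator'

# 1. One-way trust: CONTOSO trusts PRIV. New-PAMTrust also disables SID
#    filtering and enables SID history on that trust, which the shadow
#    group below depends on. Audit this trust afterwards.
New-PAMTrust -SourceForest 'contoso.local' -Credentials $corpCred
New-PAMDomainConfiguration -SourceDomain 'contoso' -Credentials $corpCred

# 2. Shadow group in PRIV whose SIDHistory holds the SID of CONTOSO\Domain Admins
$shadowDA = New-PAMGroup -SourceGroupName 'Domain Admins' `
                         -SourceDomain 'contoso.local' `
                         -SourceDC 'dc01.contoso.local' `
                         -Credentials $corpCred

# 3. Shadow (priv.<name>) account for each candidate admin. MIM copies the
#    production account SID into it; give it its own strong password.
$jen = New-PAMUser -SourceDomain 'contoso.local' -SourceAccountName 'jen'
Set-ADAccountPassword -Identity 'priv.jen' -Reset `
    -NewPassword (Read-Host -AsSecureString 'Password for PRIV\priv.jen')

# 4. Role tying candidates to privileges, with a 1 hour TTL and manual
#    approval. -ApprovalEnabled / -Approvers are assumed parameter names;
#    verify them with: Get-Help New-PAMRole -Full
$approver = Get-ADGroup -Identity 'PAM Approvers'
New-PAMRole -DisplayName 'Domain Admins (JIT)' `
            -Privileges $shadowDA `
            -Candidates $jen `
            -TTL 3600 `
            -ApprovalEnabled -Approvers $approver

# 5. MIM does not empty the production group for you. Drain its standing
#    members (keeping the built-in Administrator as break-glass) so that the
#    only way in is a time-limited activation.
Get-ADGroupMember -Identity 'Domain Admins' -Server 'dc01.contoso.local' -Credential $corpCred |
    Where-Object SamAccountName -ne 'Administrator' |
    ForEach-Object {
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $_ `
            -Server 'dc01.contoso.local' -Credential $corpCred -Confirm:$false
    }
```

Step 5 is the part people forget: until the standing members are removed, the just-in-time model protects nothing, and every account left in the group is a permanent bypass of the approval workflow.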
Some PowerShell cmdlets have appeared to manage this module; to list them, use Get-Command -Module MIMPAM.
Finally, a new REST API can be used to integrate PAM with tools already in place on the corporate network, or even to build our own portal that talks to MIM through these REST endpoints or through PowerShell on top of the existing SOAP (WS-*) service; a sample portal is also available.
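To show what the cmdlets and the REST API give you in practice, the following added example (not from the original post) walks through a requester activating a role, an approver handling the queue, the Kerberos ticket refresh, and the same role list fetched over REST. The role name, TTL, justification format, server name and the default port 8086 are assumptions, as are the request object property names used in the filters.

```powershell
# Added example, not from the original post: requesting, approving and
# inspecting a MIM PAM activation with the MIMPAM module, then listing roles
# through the PAM REST API. Role name, TTL, server name, port and the request
# property names (Status, Justification) are assumptions for illustration.

Import-Module MIMPAM

# --- Requester side (logged on as PRIV\priv.jen in the bastion forest) ---
# Roles the current user is allowed to request
Get-PAMRoleForRequest | Select-Object DisplayName, TTL

# Request a time-limited activation. RequestedTTL is in seconds and is capped
# by the TTL configured on the role (theoretical minimum 300 s).
$role = Get-PAMRoleForRequest | Where-Object DisplayName -eq 'Domain Admins (JIT)'
New-PAMRequest -Role $role -RequestedTTL 3600 -Justification 'Change #1234: patch dc01'

# With manual approval enabled the request waits until an approver acts on it
Get-PAMRequest | Format-List

# --- Approver side (logged on as a member of the role's approver group) ---
Get-PAMRequestToApprove | ForEach-Object {
    # Approve only requests that reference a change record; reject the rest
    if ($_.Justification -match '^Change #\d+') {
        Set-PAMRequestToApprove -Request $_ -Approve
    } else {
        Set-PAMRequestToApprove -Request $_ -Reject
    }
}

# --- Back on the requester side: pick up the new group SID ---
# Tickets obtained before the activation do not carry the shadow group. Purge
# them so the next TGT includes it; its lifetime is bounded by the role TTL.
klist purge
klist tgt                         # "End Time" shows the shortened lifetime
whoami /groups | findstr /i 'Domain Admins'

# Close the activation early instead of waiting for the TTL to expire
Get-PAMRequest | Where-Object Status -eq 'Active' | Close-PAMRequest

# --- REST API: same role list without the PowerShell module ---
# Base URL and port are assumptions; the API answers with an OData-style
# document whose items sit under "value".
$base = 'https://pamserver.priv.contoso.local:8086/api/pamresources'
(Invoke-RestMethod -Uri "$base/pamroles" -UseDefaultCredentials).value |
    Select-Object DisplayName, TTL
```

The klist purge step matters for detection as well as for usability: a fresh TGT request right after an approval is the normal signature of a legitimate activation, whereas a shadow-group SID appearing in tickets with no matching PAM request is what you want to alert on.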
III/ Certificate Manager
The Certificate Manager server now exposes a REST API, which makes the following scenarios possible:
- Create a Virtual Smart Card
- Request a software certificate
- Request a certificate with a generated key pair from MIM (PFX)
- Request a certificate for an existing Virtual Smart Card
- Recovery of a deleted certificate
- Read the detailed information of a certificate (issuer, thumbprint, etc.)
Finally, the Certificate Manager administrative portal has been updated with new performance counters, new event log entries and privacy management, with a link to the privacy information directly in the application.
IV/ Password self-service portal
V/ Prerequisites
The prerequisites have also been updated to the latest supported technologies.
V.1) Server side
The supported server operating systems are:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
V.2) Endpoint side
The MIM client add-ins support:
- Microsoft Windows 7
- Microsoft Windows 8.1
- Microsoft Outlook 2007 SP2
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Internet Explorer 8 and later
[UPDATE]: Microsoft has announced Windows 10 support.
V.3) Miscellaneous
The MIM databases can be deployed on:
- Microsoft SQL Server 2008 R2 x64
- Microsoft SQL Server 2012
- Microsoft SQL Server 2014
The workflows can send e-mail through the following Exchange versions:
- Microsoft Exchange Server 2007
- Microsoft Exchange Server 2010
- Microsoft Exchange Server 2013
The MIM Portal (SharePoint) and MIM reporting (Service Manager) rely on:
- SharePoint Foundation 2013 with SP1
- System Center Service Manager 2012
- System Center Service Manager 2012 R2
VI/ Resources
For more information: the MIM 2016 dedicated website, and take care of the deprecated functionalities.
MIM is available for download at:
Privileged Identity Management and MIM Certificate Manager.