Monday, 31 August 2015

[MIM] Welcome to Microsoft Identity Manager 2016

Microsoft recently and quietly released the successor of Forefront Identity Manager 2010 R2, named Microsoft Identity Manager 2016 (I wonder why 2016), with the following enhancements:

I/ Hybrid scenario with the cloud

It's now possible to integrate the reports into the Azure management portal: with an Azure AD Premium subscription, all MIM activity can be retrieved in the Azure AD reports, in addition to the default ones.

For example, the events related to self-service password reset are located in the Azure AD reports tab under Password Reset Activity Report. For more information about this, you can read the dedicated article.

The self-service portal can also use a second-factor authentication mechanism provided by Azure Multi-Factor Authentication (MFA).


II/ Privileged Identity Management

In order to protect the highly privileged accounts of Active Directory, such as the members of:
  • Account Operators
  • Administrators
  • Backup Operators
  • Cert Publishers
  • Domain Admins
  • Enterprise Admins
  • Group Policy Creator Owners
  • Schema Admins
  • Server Operators
A bastion-like infrastructure is commonly used; on top of it, the Privileged Access Management (PAM) functionality can be added to harden these accounts further, through mechanisms like Just In Time (JIT) administration and Privileged Identity Management (PIM).

With all of this in place, under normal conditions these groups are empty and are populated on demand when required. The membership is time-limited (with a theoretical minimum of 5 minutes), which also affects the lifetime of the Kerberos token (the most constraining duration applies).

The workflow used to approve the privilege escalation depends on criteria such as authentication, membership of a particular MIM role, use of a second factor like MFA, or a manual validation. It's therefore possible, when creating different roles, to set up granular conditions and to add a manual validation for each access request.

The managed forest must be at least at the 2003 functional level (take care of the end of life of 2003 ;)), but the administrative / bastion forest hosting MIM must be at the 2012 R2 functional level or higher. Only a one-way forest trust has to be in place between both forests.

After implementing the PAM feature of MIM, the "protected" groups are monitored. When a user tries to become a member of one of these groups without being authorized, an alert is raised in the event log of the administrative forest; this event can also be forwarded to a SIEM.

Some PowerShell cmdlets appeared in order to manage this module; to list them, use the Get-Command -Module MIMPAM cmdlet.

Finally, some new REST APIs can be used to integrate PAM with the tools already in place in the corporate network, and why not create our own portal that communicates with MIM through PowerShell with the exposed SOAP API; a sample portal is also available.
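The JIT flow described above (a role with a TTL, MFA and manual approval, then a candidate's elevation request), as an added PowerShell example that is not code from the original post or from Microsoft. The domain, group, account names and justification text are constructed; the New-PAMRole switches -TTL, -MFAEnabled, -ApprovalEnabled and -Approvers and the New-PAMRequest -Justification parameter are assumed from the MIMPAM module's documentation rather than taken from this page, so verify them with Get-Help before use.

```powershell
# Added example, not from the original post. Assumes a managed forest
# contoso.local, a protected group CorpAdmins, a candidate jdoe and an
# approver secops.lead (all constructed names).
Import-Module MIMPAM

# --- On the MIM server in the bastion forest (one-time role setup) ---
$cred = Get-Credential -Message "Admin account in the managed forest"

# Mirror the protected group and the accounts into the bastion forest.
$group    = New-PAMGroup -SourceGroupName "CorpAdmins" -SourceDomain "contoso.local" `
                         -SourceDC "dc01.contoso.local" -Credentials $cred
$user     = New-PAMUser  -SourceDomain "contoso.local" -SourceAccountName "jdoe"
$approver = New-PAMUser  -SourceDomain "contoso.local" -SourceAccountName "secops.lead"

# Create the PAM role: membership expires after 30 minutes (TTL in seconds,
# assumed unit), the candidate must pass MFA, and an approver must validate
# every request (parameter names beyond -DisplayName/-Privileges/-Candidates
# are assumptions, see lead-in).
$role = New-PAMRole -DisplayName "CorpAdmins-JIT" -Privileges $group -Candidates $user `
                    -TTL 1800 -MFAEnabled -ApprovalEnabled -Approvers $approver

# --- In the candidate's session (the PAM user in the bastion forest) ---
# Request temporary elevation; MIM populates the group only once approved.
$r = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq "CorpAdmins-JIT" }
New-PAMRequest -Role $r -Justification "Patching file servers (ticket placeholder)"

# Follow the request state, then verify the membership shows up in a fresh
# Kerberos ticket (the expiry is bounded by the role TTL).
Get-PAMRequest
klist purge
whoami /groups | Select-String "CorpAdmins"
```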


III/ Certificate manager

Certificate Manager brings management of the virtual smart cards that appeared with Windows 8.x. A new Modern UI application is available, freeing the user from the command line, with better management of the TPM initialization and of certificates.

All of this is possible with the REST API provided by the server, in order to handle the following scenarios:
  • Create a Virtual Smart Card
  • Request a software certificate
  • Request a certificate with a generated key pair from MIM (PFX)
  • Request a certificate for an existing Virtual Smart Card
  • Recovery of a deleted certificate
  • Read the detailed information of a certificate (Issuer, Thumbprint, etc.)

Lastly, the administrative portal of Certificate Manager has been updated with new performance counters, new log events and privacy management, with a link to the privacy information directly in the application.


IV/ Password self-service portal

When changing a password, some applications sometimes use the old one stored in their cache to authenticate (Outlook, for example), which locks the user account. A new feature named Self-Service Account Unlock (SSAU) extends the password self-service portal: after validating the user, through an MFA OTP for example, it's possible to unlock the account separately from resetting the password.


V/ Prerequisite

The prerequisites are also updated to the latest supported technologies.


V.1) Server side

The required minimum OS levels are:
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2


V.2) Endpoint side

The MIM agent supports:
  • Microsoft Windows 7
  • Microsoft Windows 8.1
  • Microsoft Outlook 2007 SP2
  • Microsoft Outlook 2010
  • Microsoft Outlook 2013
  • Internet Explorer 8 and higher
Strangely, it seems that Windows 10 and Microsoft Edge support are missing. I hope that it will be the case soon.
[UPDATE]: Microsoft announced Windows 10 support.

V.3) Miscellaneous

It's possible to deploy the MIM databases on:
  • Microsoft SQL Server 2008 R2 x64
  • Microsoft SQL Server 2012
  • Microsoft SQL Server 2014
But today no announcement is available regarding high-availability mechanisms like AlwaysOn, for example.

The workflows can use the following versions for e-mail:
  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013
For the portal side:
  • SharePoint Foundation 2013 with SP1
Service Manager support is also announced, but I need to dig more into it:
  • System Center Service Manager 2012
  • System Center Service Manager 2012 R2


VI/ Resources

For more information, see the MIM 2016 dedicated website, and take care of the deprecated functionalities.

MIM is available for download at:
To go deeper:
More information about the deployment ;) :
Additional information about Privileged Identity management and MIM Certificate Manager.
