Maintaining, securing and migrating from MIM: our top tips
Microsoft Identity Manager (MIM) won’t be around for ever. But, in the meantime, it’s still doing an important job for many of our customers. Are you getting the best out of it now? Is your implementation secure? Is it enabling the cloud? Are you well positioned for the future?
As we roll out the ever-expanding capabilities of Entra, MIM still has a key role to play in Microsoft’s identity and access management strategy. Much of the MIM Portal functionality (such as group management and password management) can be migrated to Entra with considerable benefits. But the MIM Synchronization Service is still important for supporting legacy applications. It also enables Entra by providing authoritative identity data that is only available on-premises. Indeed, there are even circumstances where it still makes sense to put in a brand new MIM implementation.
There are two key questions. When is the right time to migrate some or all MIM functionality to the cloud? How do we keep MIM reliable and secure in the meantime?
At Oxford Computer Group, we believe that if you are running a MIM implementation, you should take a good, hard look at it:
- Examine the current configuration
- Make any necessary remedial steps so that there are no surprises
- Take any additional steps to increase efficiency
- Define options for the future
In short, we think that you need to ensure you are future-proofed.
Of course, we would love to help you with that. For example, we run MIM planning workshops which involve reviewing an organization’s current set-up and making recommendations about short- and longer-term priorities.
But, in this blog, I share a few thoughts to help you get the best from MIM and to prepare for the future. I cover a couple of upgrade issues, some important security advisories, and then move on to some ideas for enabling your cloud journey (either by using MIM, or by moving away from it).
Here are our top tips for maintaining, securing and migrating from MIM…
Quick links: Keeping your system up to date | Securing your environment | Enabling your cloud journey | Working with Azure synchronization services | Improving reporting | Consolidating around the synchronization service
Keeping your system up to date
Still running FIM?
If you haven’t already upgraded from FIM to MIM, you really should do so! Even if there are no new MIM features you wish to employ, it is important to use the latest platform and software to ensure security, compliance and supportability.
There may be a certain amount of reluctance to upgrade FIM, especially if it seems to be running just fine. Perhaps there is a fear of breaking something during an upgrade, or it’s too much hassle – or can anyone even remember how it works?
But what if something goes wrong? FIM is likely to be running on older platforms and software which are unsupported and not receiving security updates. Can your organization afford the risk of running on legacy software with security holes? So, pre-empt a headache for your security team and let your SQL DBAs off from managing old versions – and upgrade!
And remember, we are here to support you if required.
If you already have MIM, is it running a recent version?
Using the latest software means improved security and (at the time of writing) MIM SP2 supports up to Windows Server 2022, SQL Server 2019 etc. Recent hotfixes not only include new features, performance improvements and bug fixes, but security fixes too, for example:
- Adding defence against XSS (cross-site scripting) to the MIM Portal causing it to return a Content-Security-Policy and blocking unwanted URL components
- Fixing an issue with Kerberos authentication by enabling 3-part SPN authentication for LDAP connections for components and workflows in both the MIM Service, and MIM PAM
Securing your environment
Move away from basic authentication
After many delays, Microsoft is removing basic authentication in Exchange Online. To continue using MIM with Exchange Online (or if you want to move to Exchange Online, from an on-premises Exchange environment or SMTP relay, for example), MIM must be configured to use modern authentication or it will simply stop working. This includes the MIM Service, but it may also include scripts that are run to send e-mails or configure mailboxes.
For the MIM Service to connect to Exchange Online with modern authentication, it needs to use application context authentication. This requires an application to be registered in Azure and granted the required permissions. The MIM Service will then use the application ID and secret to access its mailbox in Exchange Online.
Tighten-up usage of scripts
In many MIM implementations, PowerShell scripts are run to perform actions directly against either Azure AD or Exchange Online. For example, a MIM Service workflow may run a script to immediately disable an account and revoke its refresh token, preventing the user from logging in. Another example is configuring settings against a user’s mailbox in Exchange Online to set various policies (for example, enabling archiving or disabling OWA access). For greater security, these scripts should use certificate authentication which are supported by both Microsoft Graph, and Exchange Online V2 & V3 PowerShell modules.
If you aren’t already using these modules, you should update your scripts to use them as soon as possible. This is because the Azure AD module and the Remote PowerShell (RPS) protocol (which is used by the Exchange Online V1 and V2 PowerShell modules) are scheduled to be deprecated in June 2023.
Implement TLS 1.2 only
From MIM Service Pack 2 (SP2) MIM can be installed and used in a TLS 1.2 only environment. TLS 1.0 and TLS 1.1 (and its predecessor SSL) have proven to be vulnerable to attack. All modern browsers require TLS 1.2 with the majority of websites supporting this, but there may be other traffic in your internal network using TLS 1.2. For MIM this will typically be communication between:
- MIM Portal and end users
- MIM Service or MIM Synchronization Service and SQL Server
For enhanced security, many organizations have (very wisely) introduced policies specifying that the older protocols must be disabled.
Use Group Managed Service Accounts
Let’s assume that you regularly change the passwords of your MIM service accounts and management agents. 😉
To avoid having to manually change the MIM Service and MIM Synchronization Service service account passwords on a regular basis, MIM now supports Group Managed Service Accounts (gMSAs). This means password management will be handled by Windows (with all instances of the password being changed in a high availability setup).
Account passwords which are used by management agents to connect to external systems will still need to be updated manually.
Enabling your cloud journey
Manage Azure AD user licensing
For simple user licensing requirements where premium P1 licenses are available, all the licensing can be performed within Azure AD. If the licensing requirements are more complicated, or you don’t have premium licenses, MIM can help in one of two ways:
- If groups can be managed by MIM, either directly in Azure AD or via AD (with Azure AD Connect), then premium Azure AD licenses are not required. This is because, from an Azure point of view, the membership type will be “Assigned”, but the groups can still be used for license assignment.
- If the attribute values required for assigning licenses aren’t available in Azure AD, but are available in MIM, then MIM can be configured to set a suitable attribute on each user object – for example, ExtensionAttribute1. Dynamic user groups can then be created in Azure AD based on the attribute value.
Improve self-service password reset (SSPR)
One of the great features that first arrived with FIM, and which was later enhanced in MIM, was SSPR. But Azure AD SSPR is usually a better bet for those with Azure AD premium licenses. It offers both a web-based, and a Windows-integrated experience for users to reset their own password. Using Azure AD SSPR allows on-premises servers to be retired, and reduces management overhead.
If you are using Azure AD Multi-Factor Authentication Server with MIM SSPR then you will need to make a change, as it has been deprecated and is currently scheduled to stop serving MFA requests in September 2024. There are two options – either to use Azure AD SSPR, or to use MIM with a custom provider for one-time passwords (OTPs).
Migrate group management
Self-service and delegated group management are useful features in MIM allowing users to manage their own groups, and reducing reliance on the service desk or IT team to manage them. Much of this functionality is now available in Azure AD in a user-friendly interface.
When enabled, authorized users can create and manage Security and Microsoft 365 Groups. These groups can be configured to require owner approval (with business justification), be open for any users to join, or be restricted so that only the owner can add members. And there are some neat out-of-the-box features, such as blocked words for group names, and group naming policy allowing prefixes and suffixes to be automatically added to the group name. To limit group sprawl, groups can be set to expire if the owner doesn’t renew them.
Another feature of MIM which is also available in Azure AD (with premium licenses) is dynamic groups. These can be configured to include users, or devices as members. Similar to MIM, there is a rule builder, and an option to validate the rules (like the Preview button in MIM).
The rule builder allows custom application extension properties to be included in the rule, and advanced rules can be entered directly, so no more Advanced view in MIM and manually editing XML. Group validation allows the rule to be tested on a subset of users, and shows whether each user would be in the group or not.
A feature that has been missing from MIM which is now part of all Azure AD group management is the ability to perform access reviews. These reviews enable managers or group owners to certify the membership of groups
Use MFA and conditional access for the MIM Portal
Are you using the MIM Portal for administrative tasks? Are your admins or service desk using their normal account rather than an admin account? If the answer is yes, then you should consider securing the MIM Portal with Azure MFA by publishing the MIM Portal through the Azure App Proxy.
This can force all users, or just those in an administrative role, to login with MFA thus helping to secure the MIM Portal. This can be combined with conditional access policies within Azure AD to monitor and react to risky sign-ins.
Working with Azure synchronization services
For most SaaS applications, user provisioning via the Azure AD Provisioning Service is the way to go, but MIM can still play a part in getting your identity data ready – for example:
- By constructing attribute values from data only MIM knows about (as they aren’t synced to Azure AD) which the Azure AD provisioning service can then use
- By end-users requesting access to applications through the MIM Portal, which then sets attributes which are the trigger for the Azure AD provisioning service to create an account in that application
If you are planning to integrate a new on-premises application that uses SQL or LDAP, you could use MIM or the ECMA Connector Host (from Azure AD). The ECMA Connector Host employs the same generic SQL and generic LDAP ECMA2 connectors that MIM uses, but synchronization and business rules (e.g., attribute flows and provisioning rules) are managed and run from Azure AD rather than MIM.
Installing hybrid reporting in MIM makes three reports available in Azure AD:
- Password reset activity
- Password reset registration
- Self-service groups activity
What if you need to report on something else? There are many approaches. MIM has its own reporting capability, but it requires hefty resources to work correctly, and staff with SCSM and SQL Reporting skills. At this point in the MIM story it is hard for us to recommend it! Of course, home-grown solutions are possible, and you could enable the on-premises part of MIM hybrid reporting, which will write requests to the Windows event log (from where data can be accessed by an application such as Splunk).
We have been doing a lot of work with SoftwareIDM’s Identity Panel Suite, and we really like it. In fact, we think it is a game-changer. It offers some very clever ways of displaying both configuration and identity data – and it has a comprehensive reporting engine (amongst many other features). But that is a whole other discussion!
Consolidating around the Synchronization Service
First, we had the Synchronization Service – the Portal came later. Now perhaps we are reverting to just the Synchronization Service because the functionality of the MIM Portal can be largely replaced by Entra (Azure AD), while the Synchronization Service still has an ongoing purpose. And this makes even more sense when you consider that the MIM Synchronization Service licence is included in the Windows server licence, while the Portal requires additional licence costs (CALs).
Any questions? We’re here to help!
Oxford Computer Group UK is part of an international family of companies that has been helping organizations with identity management across the world for more than two decades.
- Our knowledge of MIM is unparalleled – but our expertise extends throughout the Microsoft identity stack, including Entra.
- Our consultants have many decades of Microsoft identity management experience, and offer a safe and expert pair of hands to organizations from all industry sectors.
- Our directors were commissioned by Microsoft to write the training courses for MIM – and the latest versions of these are available from our sister company Oxford Computer Training along with staff mentoring and ad hoc support services.