Transitioning simple on-premises identity (MIM) to cloud-first (Microsoft Entra ID)

The background

A large public sector organization had implemented a solution using Microsoft Identity Manager 2016 (MIM) to manage the identity and access of their volunteer staff (a standalone implementation separate from that used for their employed staff).

Simple on-premises identity management diagram

While the solution worked well, creating and updating accounts, assigning group membership, and managing the identity lifecycle, the organization knew that extended support for MIM 2016 is scheduled to end in January 2029.

A decision was made to move the implementation to Microsoft Entra ID to benefit from:

  • A reduction in the on-premises infrastructure required
  • Easier maintenance and support by adopting a codeless solution
  • An opportunity for the organization to gain valuable knowledge and experience that can later be used to migrate a much larger and more sophisticated deployment of MIM

The challenge

The requirements for managing user accounts for volunteers were straightforward:

  • Create user accounts in Entra ID for each record provided by the cloud-based HR system
  • Assign group membership based on information provided by HR
  • Perform lifecycle updates using information from HR
  • Write a small number of attributes back to HR

Note that in this case:

  • It was not necessary to generate a unique name for each user account (often a challenge in this type of migration). The HR system already provided a unique identifier that could be used as the prefix of the userPrincipalName, so no renaming was required
  • The information received from the HR system required minimal and straightforward transformation and did not require the use of reference data to, for example, translate a department code to a name

The solution

Given the uncomplicated nature of the current solution, transitioning it to Microsoft Entra ID was anticipated to be straightforward. This is an example of ‘Scenario 1 – Complete migration to Microsoft Entra ID’ as explained in our comprehensive roadmap for MIM migration.

The main features of the solution were implemented by employing several key capabilities in Microsoft Entra including:

  • API inbound provisioning (for reading from the HR system)
  • Dynamic groups (for management of group membership)
  • On-premises app provisioning (for writing back to the HR system)

These can all be accommodated under a Microsoft Entra ID P1 licence.

Simple cloud-first identity implementation diagram

To allow information from the HR system to be used to create and manage user accounts, a Logic App was developed to read HR data and transform it into the SCIM bulk request format accepted by the bulkUpload endpoint of the API inbound provisioning app. The identity the Logic App uses to call that endpoint needs only the SynchronizationData-User.Upload application permission in Microsoft Graph; it should be granted nothing broader.

The required HR attributes were mapped to Microsoft Entra ID attributes using the mappings capability of the API inbound provisioning app. The few transformations needed were configured with the functions available in the expression language, and custom attributes were added to the provisioning app's schema for HR attributes that did not logically align with anything in the default schema.
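As an added illustration of the transformation described above (this is not the case study's Logic App, and the HR field names, the custom schema URN `urn:ietf:params:scim:schemas:extension:contoso:1.0:User` and the UPN suffix `contoso.org` are assumptions), the following Python builds the SCIM BulkRequest bodies that the bulkUpload endpoint expects and shows the call to the Microsoft Graph endpoint. It also chunks the records so that no request carries more than 50 operations, which is the documented per-request limit, and refuses records with no stable HR identifier, since externalId is the join key the provisioning service uses to match HR records to accounts.

```python
"""Build SCIM BulkRequest payloads for Microsoft Entra API-driven inbound
provisioning from cloud HR records. Added example, not the page's own code."""
import json
from urllib import request

SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Hypothetical custom schema for HR attributes with no core/enterprise equivalent.
# The URN must match the custom schema configured in the provisioning app's mappings.
SCIM_CUSTOM = "urn:ietf:params:scim:schemas:extension:contoso:1.0:User"

MAX_OPS_PER_REQUEST = 50     # documented limit on user operations per bulkUpload call
UPN_SUFFIX = "contoso.org"   # assumed verified domain of the tenant

# Constructed sample export from the HR system (field names are assumptions).
SAMPLE_HR = [
    {"VolunteerId": "V10042", "FirstName": "Ada", "LastName": "Lovelace",
     "Email": "ada@example.org", "Department": "Community", "Role": "Driver",
     "Region": "North", "Status": "Active"},
    {"VolunteerId": "V10043", "FirstName": "Alan", "LastName": "Turing",
     "Email": "alan@example.org", "Department": "Events", "Role": "Steward",
     "Region": "South", "Status": "Leaver"},
]


def hr_to_scim_user(rec):
    """Map one HR record onto a SCIM user resource for a POST /Users operation."""
    volunteer_id = str(rec.get("VolunteerId", "")).strip()
    if not volunteer_id:
        # Without a stable identifier the record cannot be matched on later runs.
        raise ValueError("HR record has no VolunteerId; refusing to provision it")
    given, family = rec.get("FirstName", ""), rec.get("LastName", "")
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE, SCIM_CUSTOM],
        "externalId": volunteer_id,                       # join key, unique and stable
        "userName": f"{volunteer_id}@{UPN_SUFFIX}",       # HR id used as UPN prefix
        "active": str(rec.get("Status", "")).lower() == "active",
        "name": {"givenName": given, "familyName": family},
        "displayName": f"{given} {family}".strip(),
        "emails": [{"primary": True, "type": "work", "value": rec.get("Email", "")}],
        SCIM_ENTERPRISE: {"department": rec.get("Department", "")},
        SCIM_CUSTOM: {"VolunteerRole": rec.get("Role", ""), "Region": rec.get("Region", "")},
    }


def build_bulk_requests(records):
    """Return a list of BulkRequest bodies, each with at most MAX_OPS_PER_REQUEST ops."""
    users = [hr_to_scim_user(r) for r in records]
    bodies = []
    for start in range(0, len(users), MAX_OPS_PER_REQUEST):
        chunk = users[start:start + MAX_OPS_PER_REQUEST]
        bodies.append({
            "schemas": [SCIM_BULK],
            "Operations": [
                {"method": "POST", "bulkId": u["externalId"], "path": "/Users", "data": u}
                for u in chunk
            ],
        })
    return bodies


def upload(body, access_token, service_principal_id, job_id):
    """POST one BulkRequest to the provisioning job's bulkUpload endpoint.

    The token must carry the SynchronizationData-User.Upload application
    permission. A successful submission is acknowledged with HTTP 202; the
    records are then processed asynchronously by the provisioning service.
    """
    url = (f"https://graph.microsoft.com/v1.0/servicePrincipals/{service_principal_id}"
           f"/synchronization/jobs/{job_id}/bulkUpload")
    req = request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/scim+json"})
    with request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline demonstration: print the first request body that would be uploaded.
    print(json.dumps(build_bulk_requests(SAMPLE_HR)[0], indent=2))
```

The custom-schema values (VolunteerRole, Region) are the ones a dynamic group membership rule can later reference once they are mapped onto a directory attribute; keeping them in a dedicated schema extension rather than overloading core attributes makes those mappings, and the rules built on them, easier to audit.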

Group membership, which controlled resource access for volunteers, was assigned using dynamic membership rules that referenced values supplied by the HR system. Consequently, any change to a volunteer's details, and therefore to their level of access, was reflected in Microsoft Entra ID promptly and consistently.

At the time of writing, API-driven provisioning supports inbound data only, and Microsoft recommends three approaches for writing back to a system of record such as an HR system:

  1. A custom SCIM application that uses an existing endpoint provided by the system of record
  2. A Microsoft Entra ECMA connector
  3. Lifecycle workflows

As the HR system did not expose a suitable SCIM endpoint, and Lifecycle Workflows would have required additional licensing, we opted to use one of the ECMA connector types provided for on-premises app provisioning.

The result

The change from a MIM-centric solution to one that is primarily cloud-based using Microsoft Entra ID was straightforward to accomplish, requiring only that MIM’s import, synchronize, and export cycle be turned off and that the corresponding processes (Logic App and API inbound provisioning) in Microsoft Entra be enabled. Groups whose membership was previously assigned by MIM were changed to dynamic groups during a brief period of outage that took place outside normal working hours.

The organization was pleased with the straightforward nature of moving their solution from MIM to Microsoft Entra ID but recognized that their requirements were well-aligned to the core capabilities of several components of Microsoft Entra ID, required little customization, and employed inexpensive licensing.

The server footprint was reduced from two servers (MIM and SQL Server) to a single server hosting the provisioning agent, with modest memory requirements and lower operational costs. That host remains a sensitive asset, since it holds the connector's credentials for the HR system, and should be patched and access-controlled accordingly. Additionally, as the new solution uses no custom code, it will be easier to maintain than the previous one, with future changes undertaken by the organization's own staff.

Next steps

This project gave the organization valuable insight into the challenges it will encounter when migrating its primary MIM solution to Microsoft Entra. That primary implementation aligns with ‘Scenario 2 – Cloud-first Hybrid’ as explained in our comprehensive roadmap for MIM migration.

In addition to using Logic Apps to import HR data into Microsoft Entra, migrating the primary MIM implementation will require a solution like Azure Data Factory to aggregate and transform records from multiple sources of authority before sending them to Microsoft Entra.

Additionally, lifecycle management for regular users is more complex than for volunteers, so Microsoft Entra ID Governance licences will be necessary to allow the organization to use Lifecycle Workflows. This will help create a centralized, scalable, and extensible identity management solution, extended where needed by features such as Logic Apps.

We look forward to assisting the organization with this migration in the future.


Want to know more?

  • Request a MIM Migration Design Workshop. We evaluate your current implementation and cloud-first objectives through a series of meetings and discussions, providing a tailored design specification report for your best migration path from MIM.
  • Explore our collection of insightful articles about migrating your MIM environment.
  • Watch our webinar ‘Transitioning from MIM to Microsoft Entra cloud-first IAM’.