book

Microsoft Identity Manager 2016 Handbook

Name: Microsoft Identity Manager 2016 Handbook
ISBN: 9781785283925

by David Steadman, Jeff Ingalls

July 2016

Beginner

692 pages

13h 57m

English

Packt Publishing

Read now

Unlock full access

Microsoft Identity Manager 2016 Handbook
Table of Contents
Microsoft Identity Manager 2016 Handbook
Credits
About the Authors
About the Reviewers
www.PacktPub.com
eBooks, discount offers, and moreWhy subscribe?Instant updates on new Packt books
Preface
The story in this book
What this book covers
What you need for this book

Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this bookErrataPiracyQuestions
1. Overview of Microsoft Identity Manager 2016
The Financial Company
The challenges
Provisioning of usersThe identity life cycle proceduresHighly privileged accounts (HPA)Password managementTraceability
The environment
Moving forward
The history of Microsoft Identity 2016
Components at a glance
MIM Synchronization Service
MIM Portal and Service
MIM Certificate Management
Role-Based Access Control (RBAC) with BHOLD
MIM Reporting
Privilege Access Management
Licensing
Summary
2. Installation
Capacity planning
eparating roles
DatabasesMIM features
Hardware
Installation order
Prerequisites
DatabasesCollation and languagesSQL aliasesSQLSCSMWeb serversMIM PortalMIM password resetMIM Certificate ManagementMIM Service accounts and groupsThe Kerberos configurationSETSPNDelegation
Installation
The MIM Synchronization serviceThe System Center Service Manager consoleSharePoint FoundationThe MIM service and the MIM portalThe MIM Password Reset portalMIM certificate managementSCSM managementSCSM Data Warehouse
Post-installation configuration
Granting the MIM service access to MIM SyncSecuring the MIM Service mailboxDisabling indexing in SharePointRedirecting to IdentityManagementEnforcing KerberosEditing binding in IIS for MIM Password sitesRegistering the SCSM manager in data warehouseMIM post-install scripts for data warehouse
Summary
3. MIM Sync Configuration
MIM Synchronization interface
Creating Management Agents
Active DirectoryLeast-privileged approachDirectory replicationPassword resetCreating AD MAHR (SQL Server)Creating an SQL MA
Creating a rules extension
The Metaverse rules extension
Indexing Metaverse attributesCreating run profilesSingle or multi step
Schema management
MIM Sync versus MIM Service schemaObject deletion in MV
Initial load versus scheduled runs
Maintenance mode for productionDisabling maintenance mode
Summary
4. MIM Service Configuration
MIM Service request processingThe management policyService partitionsIncluded authentication, authorization, and action activitiesAuthentication activitiesAuthorization activitiesAction activities
The MIM Service Management Agent
The MIM Service MACreating the FIM Service MAThe MIM MA filtering accounts
Understanding the portal and UI
Portal configurationThe navigation bar resourceSearch scopesFilter permissionsResource Control Display ConfigurationsCustom activities development
Summary
5. User Management
Additional sync engine information
Portal MPRs for user management
Configuring sets for user management
Inbound synchronization rules
Outbound synchronization rules
Outbound Synchronization PolicyOutbound System Scoping FilterDetected Rule Entry
Provisioning
Non-declarative provisioning
Managing users in a phone system
Managing users in Active Directory
The userAccountControl attributeProvisioning users to Active DirectorySynchronization ruleCreating the setSetting up the workflowCreating the MPRInbound synchronization from AD
Temporal sets
Self-service using MIM Portal
Managers can see direct reportsAllowing users to manage their own attributes
Managing Exchange
Exchange 2007Exchange 2010 and laterSynchronization rules for ExchangeMailbox usersMail-enabled users
More considerations
Summary
6. Group Management
Group scope and typesActive DirectoryGroup scope and type in MIMTypeScopeMember selectionManual groupsManager-based groupsCriteria-based groups
Modifying MPRs for group management
Managing groups in AD
Security and distribution groupsSynchronization rule
Installing client add-ins
Add-ins and extensions
Creating and managing distribution groups
Summary
7. Role-Based Access Control with BHOLD
Role-based access controlBHOLD role model objectsOrganizational unitsUsersRolesPermissionsApplicationsOther advanced features
Installation
BHOLD Core and other componentsMIM/FIM Integration installPatching
Access Management Connector
Creating the ODBC connection fileCreating the generic SQL connector for the BHOLD orgunitCreating run profilesCreating a BHOLD connector and sync rules
MIM/FIM Integration
Attestation
Reporting
Summary
8. Reducing Threats with PAM
Why deploy PAM?
PAM components
How does it work?
System requirements
Considerations
Our scenario
Preparing TFCPreparing PRIVPreparing the PAM server
Installing PAM
Installing PAM PowerShell cmdletsDNS, trust, and permissionsPrivileged groups, users, and roles
User experience
PAM in the MIM service
The sample PAM portal
Multi-factor authentication
Summary
9. Password Management
SSPR backgroundQA versus OTP
Installing self-service password reset
Enabling password management in AD
Allowing MIM Service to set passwords
Configuring MIM Service
Password Reset Users SetPassword Reset AuthN workflowConfiguring the QA gateThe OTP gateThe Phone gateRequire re-registrationSSPR MPRs
The SSPR user experience
SSPR lockout
Password synchronization
Password Change Notification Service
Summary
10. Overview of Certificate Management
What is certificate management?
Certificate management components
Certificate management agents
The certificate management permission model
Creating service accountsService Connection PointThe Active Directory extended permissionsThe certificate templates permissionThe profile template permissionThe management policy permissionThe software management policyThe smart card management policy
Summary
11. Installation and the Client Side of Certificate Management
Installation and configurationExtending the schemaThe configuration wizardCreating certificate templates for MIM CM service accountsThe MIM CM User Agent certificate templateThe MIM CM Enrollment Agent certificate templateThe MIM CM Key Recovery Agent certificate templateEnabling the templatesRequire SSL on the CM portalKerberos… oh, what a world!Running the wizardBackup certificatesRerunning the wizardThe accountsThe databaseConfiguring the MIM CM Update serviceDatabase permissionsConfiguring the CAInstalling the MIM CM CA filesConfiguring the Policy Module
Certificate management clients
Installing the MIM CM clientModern App deployment and configurationConfiguration and deployment
Summary
12. Certificate Management Scenarios
Modern app and TPM virtual smart cardCreating a certificate templateCreating the profileTesting the scenario
Using support for Non-MIM CM
Creating the software certificateCreating the profileTesting the scenario
Multiforest configuration
Step 1 – CM DNS setupStep 2 – CM domain trust and configurationStep 3 – CM forest configurationStep 4 – CM enrollment configuration
ADFS configuration
Step 1 – the CM installation and prerequisitesStep 2 – the configuration wizardStep 3 – continued configurationStep 4 – the final test
Models at a glance
The centralized management modelThe self-service modelThe manager-initiated model
Summary
13. Reporting
Verifying the SCSM setupSynchronizing data from MIM to SCSM
Default reports
The SCSM ETL process
Looking at reports
Allowing users to read reports
Modifying reports
Hybrid reporting in Azure
Summary
14. Troubleshooting
The basics
Operation statistics
A simple data problem
Rule extension debugging and logging
Rule extension logging
MIM service request failures
Debugging a custom activity
Increasing application logging
Password change notification service
Summary
15. Operations and Best Practices
Expectations versus reality
Automating run profiles
Best practices concepts
Backup and restore
Backing up the synchronization encryption key
Restoring the MIM synchronization DB
Restoring the MIM service DB and portal
Additional backup considerations
Operational health
Database maintenance
SQL best practices
MIM synchronization best practices
MIM portal best practices
Other best practices
Summary
Index

Content preview from Microsoft Identity Manager 2016 Handbook

Multiforest configuration

We will now discuss the new multiforest CM capabilities. Multiforest CM enables an enterprise to issue certs to users from another forest that is trusted by TFC. The Financial Company is bringing on a new UK domain called TFCUK.LOCAL, which only hosts users. The UK group plans to use CM in the future, but it needs to issue certs immediately.

First, we will verify that our requirements are working properly, such as DNS and the trust; then, we will extend the schema.

Step 1 – CM DNS setup

Perform the following steps:

Go to the domain controller hosting DNS, open the DNS manager, and add conditional forwarders to The Financial Company.
Expand the server name in the left-hand side pane and right-click on Conditional Forwarders ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Microsoft Forefront Identity Manager 2010 R2 Handbook

Publisher Resources

ISBN: 9781785283925

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Microsoft Identity Manager 2016 Handbook

by David Steadman, Jeff Ingalls

Multiforest configuration

Step 1 – CM DNS setup

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Microsoft Forefront Identity Manager 2010 R2 Handbook

Microsoft SharePoint 2016 Step by Step

Microsoft 365 Security Administration: MS-500 Exam Guide

Microsoft Information Protection Administrator SC-400 Certification Guide

Publisher Resources