#FIM2010 / #MIM2016 not so dead, and what you didn’t hear.

What seemed to be a small note on an MPN blog landed on LinkedIn and finally went in a pretty… eh, how would you name it… disappointing, bizarre, vicious, mean, deviant, misunderstood… nah… just a wrong direction, and it has caused quite some confusion.

And looking at the IM and messages I get, it still is.

Let me spoil the clue of the story: Microsoft Identity and Access, FIM, MIM,… IS … ALIVE. VERY MUCH ALIVE. (NOT DEAD)
If you need more detail, continue…

Lots of things have been said and I don’t want to repeat too much stuff, and certainly don’t want to take credit for it.
But let me pick some core components of the discussion and get a few things straight.

Why not refer to the sources first, in chronological order. (If you want to have them in a short list all together, quickly read through the post till the end.)

It started here (by Gavriella Schuster on 12 April 2016):

https://blogs.partner.microsoft.com/mpn/microsoft-partner-network-evolution/?ln=en-US

In essence Gavriella discusses MPN (Microsoft Partner Network) competencies and mentions the “The retiring competencies”, which include: “Identity and Access”.
She doesn’t mention any product specifically, but she doesn’t mention either that “Identity and Access” is being moved to the Enterprise Mobility Management (EMM) competency.
This is clearly a cause for confusion, disappointment and misunderstanding.

But if you continue to read her post and check the next paragraph, you’ll see:

  • Interactive MPN Evolution Guide – This NEW interactive tool is your first step to guide your decision process. Use this to explore all of the new paths and options and easily identify which is the best fit for your business.
  • MPN Evolution Page – This is an overview of the changes, including the full list of impacted competencies and timeline.
  • FAQ – We have received feedback from some of your peers in our advisory councils and compiled answers to some of the questions we anticipate you might have. We will continue to build on these as we receive new questions.

 

After a few clicks in the MPN evolution guide, you’ll see that “Identity and Access” is now in the Enterprise Mobility Management (EMM) competency. But it takes a few pages to find out. Right.

Also the MPN Evolution FAQ (downloadable PDF) says:

“Identity and Access Competency

Q) Where can I find more information about Enterprise Mobility Suite and partner opportunities?
A) For Enterprise Mobility Suite information, go here. For competency information, go here.

Q) Where can I find more info around Enterprise Mobility Suite incentives eligibility via the Enterprise Mobility Management Competency?
A) To learn more about EMS Incentives, visit the portal page, here. ”

A few days later a post on LinkedIn interprets the competency change as “It marks the end of MIIS, ILM, FIM, and MIM“.
This opinion/ interpretation ignited a discussion or list of comments that even got vicious and mean if not incorrect. But I’ll leave that to your own interpretation.

But I can certainly advise to read all of it.

One of the key comments is posted by Alex Simons (Director of PM, Microsoft Identity Division): (quote)

“This focus area has just been combined with Mobility as we believe the overall category is merging as part of the shift we are seeing among customers to a modern end-user productivity model which merges Identity, Mobility and Information Protection together to enable workers to get their jobs done wherever they are. So don’t let the merger fool you! We have more engineers working on Identity and Access Management today (600+ across the cloud and on-premises) than we have ever had before at Microsoft!”

Apparently, due to some technical issues, an important comment of David Steadman never got posted to that thread. And probably for that reason, it got disconnected.
But it’s a damn important insider-note or add-on to Alex’ message.

“Identity within Microsoft not Dead!!”

“/../ this is not the end to identity platform. It is simply transforming to what customers are demanding, just like MIIS changed and ILM. Merging the assets makes sense, as we have seen with this product and others. If you do not change you will be left behind; it is a strategic change that meets the demand of our Azure Customers and On-premise Customers. Also the MIM product group has released a few new additions to MIM CTP4 /../”

“… Because Microsoft is the Identity platform and as this merger of Identity, Mobility and Information Protection continues you will see great add to the story and services.”

A few days later, , posts an interesting reply to the discussion. To jump to his conclusion: “Success in the cloud is underpinned by a well-engineered Identity and Access infrastructure – and that is usually a hybrid on-premises/cloud infrastructure involving MIM, AD, Azure AD and much more. You can call it what you like, but rumours of its death have been greatly exaggerated.”

And to close the discussion, you might want to get up to speed on what Microsoft Identity and Access aka Enterprise Mobility is heading to… with another post by Hugh.
It’s the essence of the whole story: Identity and Access, now Enterprise Mobility, is not limited to the ‘identity technology’ anymore: consider “Advanced Threat Analytics, Secure Islands, Adallom, hybrid identity, devices and enterprise mobility management, Microsoft Identity Manager (MIM) including Privileged Access Management (PAM), new features in Microsoft’s Enterprise Mobility Suite, including changes in Azure Active Directory, Rights Management, and Intune”… and more.

It’s damn clear that a specialist in Microsoft Identity & Access (eh sorry, Enterprise Mobility), will have plenty of work in the future.

That being said, here’s the short list.

References list of LinkedIn articles:

But that’s not all.
Recheck the Microsoft support lifecycle for the various products and save it for future reference:

 

*EDIT – 13/may/2016 … the discussion continues*
Above was the customer-friendly version, and I’ve since received quite a few queries for details.
So this allows me to explain that the pronounced death essentially was a hoax.

On the FIM/MIM FB group, there was a very pertinent remark by Gil Kirkpatrick which I’m allowed to share here:

“I’ve been utterly baffled at the public reaction to all of this… I’ve had probably a dozen people (a Kuppinger-Cole guy for chrissakes) tell me how MSFT has failed to crack the IAM market and how they’ve given up and EOL’d FIM/MIM, and now it’s a free-for-all and the datacenter is on fire, and …, well you get the idea. It’s like nobody even bothered to read the announcement, and I don’t know, maybe look up some of the words in the dictionary if they were having trouble understanding it.”

+1

I personally think this is exactly the reason that David, Hugh and others (including me) have been fighting this hoax.

And I’ll not go into the view and recent reports of the market watchers, like Kuppinger-Cole and Gartner on Identity and Access, Identity Governance, .. whatever.
These are valuable if the reports are built on current, solid data.
But if a vendor does not participate in the survey for a year, or two, because their product stack is being overhauled and set ready for the future… and therefore the ‘product suite’ does not fit the market watchers’ categories (so it drops from the reports), it’s no reason to bury a product/vendor.

And certainly if these reports are published one year later…
Things are moving fast, very fast.

[out-of-band]: Intune learning resources

Actually the original credits go to @tonyszko and the Predica team posting interesting blog on Intune at Microsoft Intune for Beginners.

But, now it happens that a customer is asking for learning material on Intune, so I’m more than happy to share the gift.
Furthermore, I hope you benefit from the search I did today, given I’m not a SCCM nor Intune specialist (*).

(*) but becoming one… next mission😉 when Identity and Security are dead…

So, if ever, you need some starting point, as Intune beginner, check this out.

Microsoft Technet
Bring Your Own Device (BYOD) Design Considerations Guide

Microsoft Official Curriculum (Courses)
Administering System Center Configuration Manager and Intune (in development, classroom)
https://www.microsoft.com/en-us/learning/course.aspx?cid=20696

Microsoft Virtual Academy (Virtual Learning):

I can personally highly advise the “Microsoft Intune and System Center Configuration Manager Core Skills ” course.

Channel 9 (Videos)
Intune videos (NL + EN)
https://channel9.msdn.com/Search?term=intune#ch9Search&lang-en=en&lang-nl=nl

Intune Jumps – 12 Video lessons:
https://channel9.msdn.com/Series/Windows-Intune-for-IT-Professionals

Microsoft Intune Core Skills
https://channel9.msdn.com/Series/Microsoft-Intune-Core-Skills

Virtual labs
Go to https://technet.microsoft.com/en-us/virtuallabs
Search for “intune” (but make sure to untick the ‘hot labs’ option, to get a better view)

Intune evaluation center
http://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-intune?WT.mc_id=11962-evaluation-center-intune

TechNet Wiki

Search TechNet wiki for intune.

Blogs:

Lots, most, if not all of these interesting links have been collected in the Microsoft Intune Survival Guide.

But most important of all, if you notice that info is missing or wrong, please take the time to correct/add it. Or send me a note.
The community will greatly appreciate your effort!

Note-to-self: Channel9 – Azure Active Directory Connect: in-place upgrade from legacy tools

Source: https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Azure-Active-Directory-Connect-in-place-upgrade-from-legacy-tools

Andreas Kjellman has published a small, but very interesting bit of video on Channel 9.

You can read more in the Azure AD Connect documentation pages

Additionally, I strongly suggest to have a look at the discussion/comments on the post.

Having a 2nd server is now supported. This is called a “staging server” and more information can be found here: https://azure.microsoft.com/documentation/articles/active-directory-aadconnectsync-operations/#staging-mode.

It is also possible to filter based on OUs. More information on filtering options can be found here: https://azure.microsoft.com/documentation/articles/active-directory-aadconnectsync-configure-filtering/.

Note-to-self: Hotfix rollup package (build 4.3.2124.0) is available for #MIM2016

Source: https://support.microsoft.com/en-us/kb/3134725

Initially posted by Jeff Ingalls at the FIM 2010 FB group: https://www.facebook.com/groups/155109068156/10153501281698157/?notif_t=group_activity

Besides an important set of fixes, some very interesting features have been added to MIM 2016:

MIM Synchronization Service

This update adds the ability to override the default Synchronization engine behavior of changing run profile GUID after export and import of the server configuration.

This update extends the functionality of the AD MA configuration cmdlets to be able to handle multiple partitions.

This update adds a new cmdlet Add-MIISADMARunProfileStep.

MIM Portal

This update adds the ability to fully customize the portal header.

Privileged Access Management (PAM)

Some group memberships may not be removed by the MIM component service after the PAM request expiration period. This hotfix addresses removal of expired group memberships.

 

Check it out in the detailed content of the KB article (https://support.microsoft.com/en-us/kb/3134725)

 

 

Note-to-self: Normalization of deviance in security: how broken practices become standard [must read]

If you would search the internet you’ll quickly find the original quote… “Normalization of deviance in software: how broken practices become standard”

All credits go to the original post: http://danluu.com/wat/

And to honor the truth completely, the hint was posted by Joe Richards at http://blog.joeware.net/2016/01/04/5683/
Joe has highlighted some important remarks in his blog post. But there is more…

What reasons do people or companies have NOT to implement best practices, or to ‘forget’ to implement them?
What easily becomes accepted as normal, why not speak up if you think something is wrong…

Just replace the ‘software’ in the article and title by ‘security’ …

Simply must read!
[Or actually, simply must implement, every day.]

#FIM2010 upgrade/update failure and roll back

Recently I have been working with several customers who experienced a similar situation:

  • update FIM with a hotfix fails
  • upgrade FIM 2010 to FIM 2010 R2 fails
  • during installation of FIM the FIM services won’t start

All of them result in a roll-back of the installation.

Let me spoil the root cause right away (and then explain): using an SQL port number in the installation wizard.

The installation wizard is not able to connect to the database with a port number.

Solution: use an SQL alias

Background

The FIM Sync Service and/or the FIM servers check the registry for the database server and instance and then connect to SQL and start the service.

The use of a port number seems to break the wizard.
Normally the FIM Services and FIM Sync Services CAN use an SQL port…

Easy fix: set an alias in the SQL Server client network utility

c:\windows\system32\cliconfig.exe


Then change the registry to use the FIM SQL alias (as server). You don’t need the instance and port anymore, as the alias takes care of them.

For the FIM Sync:

regedit

Check the server and instance configured for the FIM Sync database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Server (use SQL Alias)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Instance (empty)

For the FIM Service:

Check the server and instance configured for the FIM Service database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMService\DatabaseServer
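The two steps above (alias, then registry) can also be scripted. This is an added example, not code from the original post or from Microsoft; the alias name `FIMSQL`, the host `sql01.contoso.local` and port `1433` are constructed placeholders, and the alias is written to the registry location that cliconfig.exe itself uses.

```powershell
#Requires -RunAsAdministrator
# Added example. $Alias, $SqlHost and $SqlPort are constructed placeholders.
$Alias   = 'FIMSQL'
$SqlHost = 'sql01.contoso.local'
$SqlPort = 1433

# Step 1: create the TCP/IP alias, the same value cliconfig.exe stores.
# The Wow6432Node copy serves 32-bit clients on a 64-bit server.
$aliasKeys = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
foreach ($key in $aliasKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Alias -PropertyType String -Value "DBMSSOCN,$SqlHost,$SqlPort" -Force | Out-Null
}

# Step 2: point FIM at the alias. Each entry is key, value name, new data.
$fimBase = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$changes = @(
    @{ Key = "$fimBase\FIMSynchronizationService\Parameters"; Name = 'Server';         Value = $Alias },
    @{ Key = "$fimBase\FIMSynchronizationService\Parameters"; Name = 'Instance';       Value = '' },
    @{ Key = "$fimBase\FIMService";                           Name = 'DatabaseServer'; Value = $Alias }
)
foreach ($c in $changes) {
    # Skip components that are not installed on this server.
    if (-not (Test-Path $c.Key)) { continue }
    # Print the previous value so the change can be rolled back by hand.
    $old = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    Write-Output ("{0}\{1}: '{2}' -> '{3}'" -f $c.Key, $c.Name, $old, $c.Value)
    Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Value
}
```

Keep the printed old values with the change record; they are the only rollback information the script produces.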

 

Reference

I’ve updated the Wiki article with more detailed info at http://social.technet.microsoft.com/wiki/contents/articles/14551.fim-2010-r2-troubleshooting-syncservice-installation-or-upgrade-failure-and-roll-back.aspx

See also:

Some new #MIM2016 CTP stuff on the Connect site

Check out the MIM 2016 connect site: https://connect.microsoft.com/site433.

The Identity and Access Management Connect site is used for:

– Microsoft Identity Manager 2016 SP1 Preview (MIM 2016 SP1)
– FIM Sync Connectors
– Azure Active Directory Sync Services

If you would like to try out this preview in a lab environment, it is available for download on Connect at  https://connect.microsoft.com/site433/Downloads

Check : https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=57668

If you do not see this available for download, ensure that “Active Directory Identity and Access Management CTP” is in your Connect programs list, or add this connect program from the directory https://connect.microsoft.com/directory/ .  You can provide feedback directly by email to aadmimfeedback@microsoft.com or in Connect site feedback.

It’s important to carefully check the description of the download: “These CTPs are intended solely for integration testing and to help us gather community feedback on specific changes or scenarios. As such these previews are for evaluation use only, and are not licensed, supported or intended for production use.  If you need updates for a production deployment of MIM, please contact your Microsoft support representative to ensure you have the latest hotfix for MIM 2016.”