Since the addition of the FIM Service and Portal in FIM 2010, the licensing model changed from a “server only” licensing to “server + CAL” licensing. (NOTE: CAL = Client Access License).
In April 2015 licensing update of FIM/MIM, the server license became virtually free.
The authoritative document that provides you with the full details is the PUR (Products Use Rights) document published by Microsoft.
See my post on the licensing change for all required info: http://aka.ms/LicenseToCAL. It does contain the links to the PUR (in various languages).
You can also check the TechNet Wiki page for the FIM/MIM licensing: http://aka.ms/LicenseToFIM)
In short: in general, you do NOT need to buy a FIM/MIM server license anymore, it’s included in the Windows Server license.
Still, keep in mind, some specific situations do require special/additional licenses: check the PUR.
You DO require CALs, which is mentioned by the PUR as:
“A CAL is also required for any person for whom the software issues or manages identity information.”
You can acquire FIM CALs via :
- Forefront Identity Manager 2010 R2 User CAL (device CALs are not available), or
- Enterprise Mobility Suite User SL, or
- Microsoft Azure Active Directory Premium
The april 2015 licensing change caused quite some confusion on the CAL requirements (as the FIM/MIM server license became ‘free’…)
One of the important reasons was the following paragraph in the PUR (quote):
A CAL is not required for users only using the Forefront Identity Manager synchronization service. /../”
To rephrase this statement: if you ONLY use the FIM Sync engine, you DO NOT need to buy/acquire any license (you got server license free and CAL not required).
This essentially means that IF you do install the FIM Service (and probably the FIM portal to manage it) and you DO connect the FIM Sync engine to the FIM service via the FIM MA, you DO NEED CALs.
This also applies to BHOLD and FIMCM.
This is how it was phrased by one of the FIM/MIM/AADConnect program managers: “As soon as you have installed the FIM Service MA (or BHOLD or CM) then you have triggered a CAL for everyone in the MV. ” It’s not relevant if the users are in FIM Service or not.
This is also the reason for built-in declarative provisioning (without a need for the FIM Service MA) in Azure AD Connect sync… this puts the FIM/MIM licensing model on the same frequency as the Azure AD connect licensing.
Now, this perfectly answers the question of Henrik on my post on the licensing update.
His question was: “What if you install FIM/MIM Sync and Service, both included in Windows Server licensing but you choose not to add object mappings in FIM/MIM MA for users and groups… This will allow you to import filter based sync rules from FIM/MIM Service.”
The short answer is: you still need to acquire the CAL.
- FIM/MIM server license is included in the Windows Server License
- you DO NEED CALs for FIM/MIM
- you can purchase CALS or acquire them via EMS/AAD premium/ECS
- for EVERY person managed
- 1 EXCEPTION:
- if you ONLY use the FIM/MIM Sync Engine, you do not need CALs
I hope that this explanation helps you to better understand the FIM/MIM licensing.
Feel free to contact me via any channel if you have any feedback or questions.