#FIM2010 / #MIM2016 not so dead, and what you didn’t hear.

What seemed to be a small note on an MPN blog landed on LinkedIn and finally went in a pretty… eh, how would you name it… disappointing, bizarre, vicious, mean, deviant, misunderstood… nah… just a wrong direction, and it has caused quite some confusion.

And looking at the IM and messages I get, it still is.

Let me spoil the clue of the story: Microsoft Identity and Access, FIM, MIM,… IS … ALIVE. VERY MUCH ALIVE. (NOT DEAD)
If you need more detail, continue…

Lots of things have been said and I don’t want to repeat too much stuff, and certainly don’t want to take credit for it.
But let me pick some core components of the discussion and get a few things straight.

Why not refer to the sources first, in chronological order. (If you want to have them in a short list all together, quickly read through the post till the end.)

It started here (by Gavriella Schuster on 12 April 2016):

https://blogs.partner.microsoft.com/mpn/microsoft-partner-network-evolution/?ln=en-US

In essence Gavriella discusses MPN (Microsoft Partner Network) competencies and mentions “The retiring competencies”, which include: “Identity and Access”.
She doesn’t mention any product specifically, but she doesn’t mention either that “Identity and Access” is being moved to the Enterprise Mobility Management (EMM) competency.
This is clearly a cause for confusion, disappointment and misunderstanding.

But if you continue to read her post and check the next paragraph, you’ll see:

  • Interactive MPN Evolution Guide – This NEW interactive tool is your first step to guide your decision process. Use this to explore all of the new paths and options and easily identify which is the best fit for your business.
  • MPN Evolution Page – This is an overview of the changes, including the full list of impacted competencies and timeline.
  • FAQ – We have received feedback from some of your peers in our advisory councils and compiled answers to some of the questions we anticipate you might have. We will continue to build on these as we receive new questions.

 

After a few clicks in the MPN evolution guide, you’ll see that “Identity and Access” is now in the Enterprise Mobility Management (EMM) competency. But it takes a few pages to find out. Right.

Also the MPN Evolution FAQ (downloadable PDF) says:

“Identity and Access Competency

Q) Where can I find more information about Enterprise Mobility Suite and partner opportunities?
A) For Enterprise Mobility Suite information, go here. For competency information, go here.

Q) Where can I find more info around Enterprise Mobility Suite incentives eligibility via the Enterprise Mobility Management Competency?
A) To learn more about EMS Incentives, visit the portal page, here. ”

A few days later a post on LinkedIn interprets the competency change as “It marks the end of MIIS, ILM, FIM, and MIM“.
This opinion/ interpretation ignited a discussion or list of comments that even got vicious and mean if not incorrect. But I’ll leave that to your own interpretation.

But I can certainly advise you to read all of it.

One of the key comments is posted by Alex Simons (Director of PM, Microsoft Identity Division): (quote)

“This focus area has just been combined with Mobility as we believe the overall category is merging as part of the shift we are seeing among customers to a modern end-user productivity model which merges Identity, Mobility and Information Protection together to enable workers to get their jobs done wherever they are. So don’t let the merger fool you! We have more engineers working on Identity and Access Management today (600+ across the cloud and on-premises) than we have ever had before at Microsoft!”

Apparently, due to some technical issues, an important comment of David Steadman never got posted to that thread. And probably for that reason, it got disconnected.
But it’s a damn important insider-note or add-on to Alex’ message.

“Identity within Microsoft not Dead!!”

“/../ this is not the end to identity platform. It is simply transforming to what customers are demanding, just like MIIS changed and ILM. Merging the assets makes sense, as we have seen with this product and others. If you do not change you will be left behind. It is a strategic change that meets the demand of our Azure Customers and On-premise Customers. Also the MIM product group has released a few new additions to MIM CTP4 /../”

“… Because Microsoft is the Identity platform and as this merger of Identity, Mobility and Information Protection continues you will see great add to the story and services.”

A few days later, , posts an interesting reply to the discussion. To jump to his conclusion: “Success in the cloud is underpinned by a well-engineered Identity and Access infrastructure – and that is usually a hybrid on-premises/cloud infrastructure involving MIM, AD, Azure AD and much more. You can call it what you like, but rumours of its death have been greatly exaggerated.”

And to close the discussion, you might want to get up to speed on what Microsoft Identity and Access aka Enterprise Mobility is heading to… with another post by Hugh.
It’s the essence of the whole story: Identity and Access, now Enterprise Mobility, is not limited to the ‘identity technology’ anymore: consider “Advanced Threat Analytics, Secure Islands, Adallom, hybrid identity, devices and enterprise mobility management, Microsoft Identity Manager (MIM) including Privileged Access Management (PAM), new features in Microsoft’s Enterprise Mobility Suite, including changes in Azure Active Directory, Rights Management, and Intune… and more.”

It’s damn clear that a specialist in Microsoft Identity & Access (eh sorry, Enterprise Mobility), will have plenty of work in the future.

That being said, here’s the short list.

References list of LinkedIn articles:

But that’s not all.
Recheck the Microsoft support lifecycle for the various products and save it for future reference:

 

*EDIT – 13/may/2016 … the discussion continues*
The above was the customer-friendly version, as I’ve had quite some queries for details.
So it allows me to explain that the pronounced death essentially was a hoax.

On the FIM/MIM FB group, there was a very pertinent remark by Gil Kirkpatrick which I’m allowed to share here:

“I’ve been utterly baffled at the public reaction to all of this… I’ve had probably a dozen people (a Kuppinger-Cole guy for chrissakes) tell me how MSFT has failed to crack the IAM market and how they’ve given up and EOL’d FIM/MIM, and now it’s a free-for-all and the datacenter is on fire, and …, well you get the idea. It’s like nobody even bothered to read the announcement, and I don’t know, maybe look up some of the words in the dictionary if they were having trouble understanding it.”

+1

I personally think this is exactly the reason that David, Hugh and others (including me) have been fighting this hoax.

And I’ll not go into the view and recent reports of the market watchers, like Kuppinger-Cole and Gartner on Identity and Access, Identity Governance, .. whatever.
These are valuable if the reports are built on current, solid data.
But if a vendor does not participate in the survey for a year, or two, because their product stack is being overhauled and set ready for the future.. and therefore the ‘product suite’ does not fit the market watchers’ categories (so it drops from the reports), it’s no reason to bury a product/vendor.

And certainly if these reports are published one year later…
Things are moving fast, very fast.

Troubleshooting MIIS Event 6801 : unsupported error

Have an ILM server with the ERPMA running quite a while, smoothly.

 

After the SAP Admins migrated the SAP platform to the Unicode character set, ILM failed to import SAP data with an extensible-extension-exception.

 

In the event viewer, this error was displayed

Source: MIIServer

Category: Server

Type: Error

Event ID: 6801

 

The extensible extension returned an unsupported error in MIIS.

 The stack trace is:

 

 "Microsoft.MetadirectoryServices.ExtensibleExtensionException: Exception has been thrown by the target of an invocation.

   at Microsoft.MetadirectoryServices.ERP.SAPMA.GenerateImportFile(String fileName, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fFullImport, TypeDescriptionCollection types, String& customData)

Microsoft Identity Integration Server 3.2.1008.0"

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


 

 
This error is caused by a difference in character set code page between the ILM server and the SAP server.
They must match EXACTLY.
 
The ERPMA config tool has a code page definition in the server settings option.
 
But it’s not enough to switch the server settings to Unicode…
Besides the code page definition in the ERPMA config file, the discovery cache of the ERP config tool is also impacted by the code page.
So if you need to switch the code page, you also need to reload the discovery cache.
 
When the server has been changed (on SAP server side), you need to reload the cache.
Keep in mind that this can take some time to completely load the cache.
 
 
To rebuild the cache, check the server settings and select the "rebuild discovery cache on next startup" option.
Close the ERPMA config tool and open it again.
When you connect to the SAP server, the cache starts to rebuild.
Keep in mind: the cache is loaded on a "per server" basis. So every SAP server has another cache file…
 
Reopen the ERPMA config file. Make sure you set the correct code page.
After switching the server settings make sure you save the configuration.
 
Then you had better reopen the config file again, because apparently the ERPMA config tool only checks the code page of the config file against the discovery cache when you open the config file…
In the ILM server I mentioned, I initially set the code page to "Unicode"…
But there are 4 versions of Unicode… which aren’t necessarily compatible with the code page on SAP server side…
 
When reopening the config file (and refreshing the cache) the config tool kindly suggested to use the Unicode Big-Endian code page.
I resaved the config file….
 
And the import got started again…
 
(to be completed with some screenshot and interesting links and documents on Unicode)
 
Unicode versions
– Unicode, Unicode UTF-7, Unicode UTF-8, Unicode Big-Endian
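
To see why these four "Unicode" code pages are not interchangeable, here is an added example (not part of the original post and not ERPMA code) that decodes one constructed record under each of them. The mapping of the code page names to Python codecs, the sample record and the function names are assumptions made for illustration.

```python
# Added illustration: why the four "Unicode" code pages are not interchangeable.
# Assumption: the Windows code page names map to these Python codecs.
CODE_PAGES = {
    "Unicode": "utf-16-le",             # Windows "Unicode" is UTF-16 little-endian
    "Unicode Big-Endian": "utf-16-be",
    "Unicode UTF-8": "utf-8",
    "Unicode UTF-7": "utf-7",
}

# Byte-order marks that identify an encoding unambiguously when present.
BOMS = [
    (b"\xef\xbb\xbf", "Unicode UTF-8"),
    (b"\xfe\xff", "Unicode Big-Endian"),
    (b"\xff\xfe", "Unicode"),
]

# Constructed sample record (hypothetical field names), as a big-endian
# sender would put it on the wire.
RECORD = "PERNR=00012345;NAME=Müller"
SAMPLE_BE = RECORD.encode("utf-16-be")


def decode_as(data, code_page):
    """Decode data with the named code page; None if the bytes are invalid for it."""
    try:
        return data.decode(CODE_PAGES[code_page])
    except UnicodeDecodeError:
        return None


def suggest_code_pages(data, marker):
    """Return the code pages under which data is readable.

    A BOM decides on its own; otherwise a code page qualifies only if the
    bytes decode cleanly AND the known marker text shows up in the result.
    """
    for bom, name in BOMS:
        if data.startswith(bom):
            return [name]
    matches = []
    for name in CODE_PAGES:
        text = decode_as(data, name)
        if text is not None and marker in text:
            matches.append(name)
    return matches


if __name__ == "__main__":
    for name in CODE_PAGES:
        print(f"{name:20} -> {decode_as(SAMPLE_BE, name)!r}")
    print("suggested:", suggest_code_pages(SAMPLE_BE, "PERNR="))
```

Note that the little-endian "Unicode" setting does not fail on big-endian data: it decodes without error into unreadable text, which is why a matching-looking "Unicode" choice can still break the import.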
 
 
 
 
 
 
 

 

IIFP (Identity Integration Feature Pack) retired

Well, for some among us it came as a surprise, but IIFP has been retired this week.
This means that IIFP has passed the Mainstream support phase of 5 years…
It will not be available for download anymore on the MS web site.
Update (22/10/08): the download section for IIFP has been restored.
IIFP, Identity Integration Feature Pack, is/was the free downloadable version of MIIS (limited to AD, ADAM, GAL,..).
 
If you need to know more on the Microsoft Support Lifecycle Policy, find it here.
The details on MIIS 2003, here.
 
 

ILM Quickie* : rapidly creating basic documentation of your ILM setup

* as in Quickie (informal), something made or done rapidly. 😉

Of course you’ll find more sophisticated and nice (3rd party) solutions, but sometimes you don’t want to spend money on it. (And time is money…)
MIIS/ILM and the MIIS Resource toolkit contain some basic tools to quickly create some more or less graphical documentation.
(I’ll refer to MIIS, meaning MIIS 2003 and ILM 2007…)
 
To start with, you need
– Existing Installation of MIIS/ILM server, with
o MIIS/ILM Server configuration
o MA configuration
o MV configuration
– Microsoft Identity Integration Server 2003 Resource Tool Kit, with
o Management Agent Configuration Viewer (GUI)
o AttributeFlowViewer (CMD)
o MVConfigurationViewer (CMD)
 
First you need to export some configuration data.
 
Exporting the MIIS server configuration
Open the MIIS administration console (Identity Manager).
Run the file menu > Export Server Configuration (short cut key combination CTRL+SHIFT+E)
You’ll get a warning:
Select an empty directory to export the configuration.
If not :
 
Exporting the MA configuration
Go to the Management Agents section in the Identity Manager Console.
For each management agent, export the management agent to an XML file.
(Tip: use a separate directory for the MIIS server export, the MA exports and the MV configuration export.)
 
Exporting the MV configuration
Go to the Metaverse designer display in the Identity Manager Console
Right click an object under the Metaverse Designer Object types.
Then right click the object and select Export Metaverse Schema.
(Or select the option under menu Actions, alternatively press CTRL+S)
Export the MV schema to an XML file (by preference in a separate directory).
 
Creating documentation
The Microsoft Identity Integration Server 2003 Resource Tool Kit is free to download.
When you install the tool kit, it offers a utility to quickly document your MA configuration.
Start the Management Agent Configuration Viewer via the Windows Programs menu.
As the base (source) XML file, select the exported XML file from the management agent you wish to document.
Using the Open window, browse to the directory with the MA export file.
Select the correct XML file.
Next use the <TAB> button to jump to the “Target HTML File” field.
In this way the target HTML file name is generated for you.
Of course you can type a name at will, but keeping the source (XML) and target files (HTML) together is handy.
Next click the “Show Configuration” button.
The Wizard will generate the HTML file for you.
To create another MA configuration HTML file, return to the MAConfiguration viewer.
Select another XML source file.
Be sure to refresh the target HTML file name (for example by first deleting the old name and using the <TAB> and <shift+TAB> button again…)
 
Documenting attribute flows
Open the MIIS Resource Tool kit Command prompt.
Running the attributeflowviewer command without options, explains how to use the command.
Run the tool with the MIIS server configuration export directory as parameter.
C:\Program Files\Microsoft Identity Integration Server 2003 Resource Tool Kit>AttributeFlowViewer.exe "C:\_MIISbackup\MIIS Server Config Export"
By default the HTML target file is created in the same directory as the executable
Microsoft Identity Integration Server Attribute Flow Viewer v2.0
Copyright (c) 2004 Microsoft Corporation. All rights reserved.
The Attribute Flow information has been populated
You can view this information in the AttributeFlowViewer.html file
C:\Program Files\Microsoft Identity Integration Server 2003 Resource Tool Kit>
Tip: Move the HTML file to a safe location.
 
Documenting the MV configuration
Open the MIIS Resource Tool kit Command prompt.
Running the MVConfigurationViewer command without options, explains how to use the command.
As XML source file use the exported MV configuration file.
As XSL transformation file, check for the MVConfigTransform.xsl file.
The command becomes something like:
C:\Program Files\Microsoft Identity Integration Server 2003 Resource Tool Kit>MVConfigurationViewer "C:\_MIISbackup\MIIS MV Config Export\MV export.xml" MVConfigTransform.xsl
The transformed HTML file is put in the same directory as the executable:
Microsoft Identity Integration Server Metaverse Configuration Viewer v2.0
Copyright (c) 2004 Microsoft Corporation. All rights reserved.
Done transforming MV Config file. New file created is TransformedMVConfig.html
C:\Program Files\Microsoft Identity Integration Server 2003 Resource Tool Kit>
This is the final result:
Now you have
– MV configuration documentation in HTML (1)
– MA configuration doc in HTML (1 per MA)
– attribute flow documentation in HTML (1)
 
 

MVP award

 
I’m proud to announce that I have been awarded with the MVP award for Identity Lifecycle manager.
The group of people awarded the ILM MVP award is quite limited…
And if I’m not mistaken, I’m currently the only ILM MVP in the European Community, which makes it even more special.
 
First of all, I wish to thank all the people that made it possible and supported me (and still do).
 
I will keep doing my best to help supporting and improving the ILM community.
 
Thank you.
 
PS
If you want to know more on the MVP Award, check these out:
 

Microsoft Identity Lifecycle Manager “2” Beta 3 Now Available

 

 

 

From the latest Technet Flash:

 
Identity Lifecycle Manager (ILM) “2” Beta 3 is now available! This product delivers powerful self-service capabilities for end users via the 2007 Microsoft Office system, and also provides rich administrative tools and enhanced automation for IT professionals, plus Microsoft .NET connection software and WS-* based extensibility for developers. To learn more, visit the ILM “2” product page. 

Update on the roadmap of ILM “2”

At connect.microsoft.com the MS Program administrator and the ILM "2" team have updated release dates on ILM "2".
 
"…
The purpose of this note is to provide an update on the Identity Lifecycle Manager “2” timelines. We are planning to launch beta 3 at Tech Ed in June. Following beta 3, we plan to deliver a release candidate (RC) in Q4 of calendar year 2008, with final release to manufacturing (RTM) of ILM “2” planned for Q1 of calendar year 2009. We have adjusted our schedule slightly to provide us with additional time to integrate beta 3 features.

Expiration of Windows Server 2008 RC0

When ILM “2” Beta 2 was released the most recent version available for Windows Server 2008 was RC0, and that is the version the installation manual is mentioning as supported. We want to make you aware of that RC0 will expire April 7th. If you want to continue evaluating ILM “2” Beta 2 after this date, you should update and use the RTM version of Windows Server 2008. Even if the product group has not yet tested all aspects of this version of the operating system, we have noticed that several customers are already running with this configuration without any reported issues. For additional information, please join the Beta newsgroup. If you do not yet have access to Windows Server 2008, the evaluation version can be found here.

…"

More info at : https://connect.microsoft.com/content/content.aspx?ContentID=8091&SiteID=433