FIM/MIM Licensing: clarification on the requirement to use CALs

Since the addition of the FIM Service and Portal in FIM 2010, the licensing model changed from a “server only” licensing to “server + CAL” licensing. (NOTE: CAL = Client Access License).

In April 2015 licensing update of FIM/MIM, the server license became virtually free.

The authoritative document that provides you with the full details is the PUR (Products Use Rights) document published by Microsoft.

See my post on the licensing change for all required info: http://aka.ms/LicenseToCAL. It does contain the links to the PUR (in various languages).

You can also check the TechNet Wiki page for the FIM/MIM licensing: http://aka.ms/LicenseToFIM)

 

In short: in general, you do NOT need to buy a FIM/MIM server license anymore, it’s included in the Windows Server license.

Still, keep in mind, some specific situations do require special/additional licenses: check the PUR.

You DO require CALs, which is mentioned by the PUR as:

“A CAL is also required for any person for whom the software issues or manages identity information.”

 

You can acquire FIM CALs via :

  • Forefront Identity Manager 2010 R2 User CAL (device CALs are not available), or
  • Enterprise Mobility Suite User SL, or
  • Microsoft Azure Active Directory Premium

The april 2015 licensing change caused quite some confusion on the CAL requirements (as the FIM/MIM server license became ‘free’…)
One of the important reasons was the following paragraph in the PUR (quote):

“/../

Synchronization Service

A CAL is not required for users only using the Forefront Identity Manager synchronization service. /../”

To rephrase this statement: if you ONLY use the FIM Sync engine, you DO NOT need to buy/acquire any license (you got server license free and CAL not required).

This essentially means that IF you do install the FIM Service (and probably the FIM portal to manage it) and you DO connect the FIM Sync engine to the FIM service via the FIM MA, you DO NEED CALs.

This also applies to BHOLD and FIMCM.

This is how it was phrased by one of the FIM/MIM/AADConnect program managers: “As soon as you have installed the FIM Service MA (or BHOLD or CM) then you have triggered a CAL for everyone in the MV. ” It’s not relevant if the users are in FIM Service or not.

This is also the reason for built-in declarative provisioning (without a need for the FIM Service MA) in Azure AD Connect sync… this puts the FIM/MIM licensing model on the same frequency as the Azure AD connect licensing.

Now, this perfectly answers the question of Henrik on my post on the licensing update.

His question was: “What if you install FIM/MIM Sync and Service, both included in Windows Server licensing but you choose not to add object mappings in FIM/MIM MA for users and groups… This will allow you to import filter based sync rules from FIM/MIM Service.”

The short answer is: you still need to acquire the CAL.

Summary

  • FIM/MIM server license is included in the Windows Server License
  • you DO NEED CALs for FIM/MIM
    • you can purchase CALS or acquire them via EMS/AAD premium/ECS
    • for EVERY person managed
  • 1 EXCEPTION:
    • if you ONLY use the FIM/MIM Sync Engine, you do not need CALs

I hope that this explanation helps you to better understand the FIM/MIM licensing.

Feel free to contact me via any channel if you have any feedback or questions.
Happy licensing!

#FIM2010 & MIM 2016 licensing model is changing as of 1st of april 2015

Source: http://www.microsoft.com/licensing/products/products.aspx

Download the “Microsoft Product Use Rights (WW, English, April 2015)” document at http://www.microsoftvolumelicensing.com/userights/Downloader.aspx?DocumentId=8488 In short, prior to 1st of april 2015, you required

  • a FIM server license for every FIM server installed and a CAL for every user managed in the FIM Service, or
  • Forefront Identity Manager 2010 R2 External Connector
Functionality Covered by
FIM Server Components (FIM Sync, FIM Services, FIM portal, …) FIM Server SKU
CAL Standalone FIM CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, orEnterprise Cloud Suite (ECS) User SL
External Users FIM External Connector license (per server)

After 1st of april 2015:

  • Windows Server license (Standard & Datacenter) will include FIM server entitlement
  • FIM Server 2010 R2 licenses will not be available anymore on the price lists
Functionality Covered by
FIM Server Components (FIM Sync, FIM Services, FIM portal, …) Windows Server license (Standard & Datacenter) will include FIM server entitlement
CAL Standalone (FIM) CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, or Enterprise Cloud Suite (ECS) User SL
External Users Windows Connector license

Certificate and Identity Management

  • A CAL is also required for any person for whom the software issues or manages identity information.

Synchronization Service

  • A CAL is not required for users only using the Forefront Identity Manager synchronization service.

From the PUR:

  • External Connector License means a license attached to a Server that permits access to the server software by External Users.
  • External Users means users that are not either your or your Affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.
  • CAL means client access license. There are two kinds of CALs: user and device. A user CAL allows access to the server software from any device by one user. A device CAL allows access to the server software from one device by any user.

FIM / MIM is using a user CAL. The FIM server will no longer be sold as a separate license, but instead Windows Server licenses will allow customers to install the FIM Server software. Since FIM users already required a Windows Server CAL or equivalent to access FIM running on Windows Server, no additional Windows Server CALs (or Windows Server External Connector) will be required. Still it’s important to understand that you still need FIM/MIM CALs to manage identities with FIM/MIM (unless you only use the FIM/MIM Sync). Azure Active Directory Premium (AADP) and any suite that contains AADP, including Enterprise Mobility Suite (EMS) and Enterprise Cloud Suite (ECS) or a additive FIM CAL will also entitle users to access FIM. MIM will have the same licensing model. All current FIM customers with active SA on the underlying Windows Server, (since the right to install FIM server is now granted with a Windows Server license), will have rights to upgrade to MIM when it launches. And for my Dutch speaking followers… Tous la même chose:

PS: The FIM licensing page on TechNet Wiki will be updated ASAP (http://aka.ms/LicenseToFIM)

[ADD-ON, Jan 2016]
https://identityunderground.wordpress.com/2016/01/06/fimmim-licensing-clarification-on-the-requirement-to-use-cals/

Bookmark:

“License to CAL” – Licensing FIM 2010

[EDIT: There has been an important change on the FIM licensing, see here:#FIM2010 licensing model is changing as of 1st of april 2015]

Licensing FIM 2010 seems easy, but it’s not the first time (and probably not the last ) that this kind of discussion with the customer ends with more questions than answers.

Also, on the FIM 2010 TechNet forum, the topic has been discussed from the early start of FIM (euurrrh, correction ILM “2”, yes yes).

  • “Why do I need a FIM Client Access License? It did work without before.”
    (ILM customers must get used to the CAL based licensing model.)
  • ”I only wish to view data in the FIM portal, not changing it.”
  • “What if I manage (only) external users with FIM?”
  • … and other kind of variations

IMHO, this question on the FIM forum is the key to each customers situation:“As per my scenario, how to license MS FIM 2010 ?

While looking for information on FIM licensing you must have come across different sources:

In short, you had to assemble the information from different places to get specific answers. Or use the Microsoft Product Licensing Advisor. And in ultimate despair, pick up the phone and call Microsoft Licensing department.

Just recently I found out there is a Microsoft FIM 2010 Licensing guide.
In short, you need
– a server license for each server on which FIM components are installed
– a CAL for each user for whom the software issues or manages identity information. (inlc. smart card & digital certs)
– a CAL for administrator using FIM portal & services.
BUT
– no CAL needed if you only use the sync service
– no device CALs needed
AND
– you can use ILM 2007 with your FIM license

Besides the licensing methods, the guide also provides some interesting examples which in lots of cases can be mapped to the practical environment for which FIM will provide its services.

The document also explains how the External Connector license (ECL) is related (or not) to the CAL. (Is it “ECL or CAL” or is it “ECL AND CAL” ??)

If you want to read it off-line, download it here.

Happy licensing!

PS
I wikified this (slightly adapted) post on the MS Technet Wiki > Licensing FIM 2010 , so if you think you’ve interesting stuff to add, please do so. (Thanks Brian for contributing and approving the consistency big time!)
“Contribute boldly, edit gently and assume good intent.”