mim 2016

The new #MIM2016 book is out! Must have!

I just got the notice from Packt Publishing today that the new MIM2016  book has been published!
Go check at http://aka.ms/mim2016book.

David Steadman and Jeff Ingalls have been working very hard to create a reference piece of literature, so it’s a must have for your bookshelf.

From the early beginning of the book I’ve been involved in the reviewing, and although it has been a bumpy ride, it has been a great time!

I know my FIM/MIM geekiness/freakiness must have caused quite some headaches to the authors and the publishing project team at Packt, but just be sure it was for the better good.

The ebook version is awful cheap, but I’m going for the paper version anyway as I’m convinced it’s a must have.

So my future FIM/MIM students will have something to look forward to (meaning get their hands on MY copy of the book, … )

3925EN_4526_Microsoft%20Identity%20Manager%202016%20Handbook_jpg

Congratz, David and Jeff!
Now you can take a well-deserved vacation!

 

New hotfix rollup package (build 4.3.2266.0) is available for #MIM2016

Source: https://support.microsoft.com/en-us/kb/3171342

Quick overview below, full detail in KB article referenced.

Issues that are fixed and features that are added in this update

This update fixes the following issues and adds the following features that were not previously documented in the Microsoft Knowledge Base.

Privileged Access Management (PAM)

Issue 1: PAM monitor service error with PRIV only PAM USER

 

FIM add-ins and extensions

Issue 1: SSPR windows clients with high DPI have incorrect scaling of the final page

Issue 2: SSPR Windows client text message overlap

 

FIM Certificate Management

Issue 1: <span “text-base”=””>ExecuteOperations.Disable operation issue

Issue 2: Smart Card search issue

Issue 3: Profile summary issue

Issue 4: Duplicate revocation settings policy issue

Issue 5: Certificae Management portal issue with LDAP CN name

Issue 6: misplaced link in Certificate Management portal for certain languages

 

FIM Synchronization Service

Issue 1: MA config wizard issue

Issue 2: error messages logged in Event Viewer + Perf counter issue

Issue 3: Issue with Full sync vs Equal precedence

Issue 4: ECMA2 issue with incorrect page size

Issue 5 :error message from the Management Agent cannot be parsed if it contains some special symbols

Issue 6″Reference to undeclared entity ‘qt'” error message

Issue 7: <span “text-base”=””>New Functionality:/span> The ability to skip the Management Agent during the import of a server configuration is added.

Issue 8: A “MEMORY_ALLOCATION_FAILURE” error occurs in the Performance Monitoring tool.

 

FIM Portal

Issue 1: incorrect display of multivalue labels

Issue 2: RCDC update XML format not verified

Issue 3: cannot drag and drop user to remove box

Issue 4: Local date and time issue

Issue 5 RCDC additional attributed included

 

 

FIM Service

Issue 1: SharePoint Server 2013 and later , workflow issue, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

 

BHOLD

Issue 1: issue with incompatible permissions

Issue 2 attribute based AuthZ issues

Issue 3: Acces management connector issue

Issue 4: error during BHOLD installl in IIS

Issue 5: user role permission issue with extraction

Issue 6: email alias truncated if longer than 30 char.

Last update: 2020-12-30

Note-to-self: #FIM2010 Quick Tip – Who has NOT Registered for SSPR

Just a quick useful tip to solve the practical question…

Question already asked (a few times) on the FIM forum: how to “Query FIM user not registered for SSPR”?

https://social.technet.microsoft.com/Forums/en-US/b44a4a2c-ebc2-45e2-9afd-1d083c7be3ad/query-fim-user-not-registered-for-sspr?forum=ilm2

Answers:

See also:

http://social.technet.microsoft.com/wiki/contents/articles/9846.fim-self-service-password-reset-sspr-resources.aspx by Tim Macaulay

Updated: 2020-12-30

#FIM2010 / #MIM2016 not so dead, and what you didn’t hear.

What seemed to be a small note on a MPN blog, landed on LinkedIn and finally got into a pretty… eh how would you name it … disappointing, bizar, vicious, mean, deviant, misunderstood .. nah .. just a wrong direction, has caused quite some confusion.

And looking at the IM and messages I get, it still is.

Let me spoil the clue of the story: Microsoft Identity and Access, FIM, MIM,… IS … ALIVE. VERY MUCH ALIVE. (NOT DEAD)
If you need more detail, continue…

Lots of things have been said and I don’t want to repeat too much stuff, and certainly don’t want to take credit for it.
But let me pick some core components of the discussion and get a few things straight.

Why not refer to the sources first, by chrono. (If you want to have them in a short list all together, quickly read through the post till the end.)

It started here (by Gavriella Schuster on 12 April 2016):

https://blogs.partner.microsoft.com/mpn/microsoft-partner-network-evolution/?ln=en-US

In essence Gavriella discusses MPN (Microsoft Partner Network) competencies and mentions the “The retiring competencies”, which include: “Identity and Access”.
She doesn’t mention any product specifically, but she doesn’t mention either that “Identity and Access” is being moved to the Enterprise Mobility Management (EMM) competency.
This is clearly a cause for confusion, disappointment and misunderstanding.

But if you continue to read her post and check the next paragraph, you’ll see:

  • Interactive MPN Evolution Guide – This NEW interactive tool is your first step to guide your decision process. Use this to explore all of the new paths and options and easily identify which is the best fit for your business.
  • MPN Evolution Page – This is an overview of the changes, including the full list of impacted competencies and timeline.
  • FAQ – We have received feedback from some of your peers in our advisory councils and compiled answers to some of the questions we anticipate you might have. We will continue to build on these as we receive new questions.

 

After a few clicks in the MPN evolution guide, you’ll see that “Identity and Access” is now in the Enterprise Mobility Management (EMM) competency. But it takes a few pages to find out. Right.

Also the MPN Evolution FAQ (downloadable PDF) says:

“Identity and Access Competency

Q) Where can I find more information about Enterprise Mobility Suite and partner opportunities?
A) For Enterprise Mobility Suite information, go here. For competency information, go here.

Q) Where can I find more info around Enterprise Mobility Suite incentives eligibility via the Enterprise Mobility Management Competency?
A) To learn more about EMS Incentives, visit the portal page, here. “

A few days later a post on LinkedIn interpretes the competency change as “It marks the end of MIIS, ILM, FIM, and MIM“.
This opinion/ interpretation ignited a discussion or list of comments that even got vicious and mean if not incorrect. But I’ll leave that to your own interpretation.

But I can certainly advise to read all of it.

One of the key comments is posted by Alex Simons (Director of PM, Microsoft Identity Division): (quote)

“This focus area has just been combined with Mobility as we believe the overall category is merging as part of the shift we are seeing among customers to a modern end-user productivity model which merges Identity, Mobiltiy and Information Protection together to enable workers to get their jobs done wherever they are. So don’t let the merger fool you! We have more engineers working on Identity and Access Managemebt today (600+ across the cloud and on-premises) than we have ever had before at Microsoft!”

Apparently, due to some technical issues, an important comment of David Steadman never got posted to that thread. And probably for that reason, it got disconnected.
But it’s a damn important insider-note or add-on to Alex’ message.

“Identity within Microsoft not Dead!!”

“/../ this is not the end to identity platform. It simply transforming to what customers are demanding, just like MIIS changed and ILM. Merging the assets makes sense, As we have seen with this product and others. If you do not change you will be left behind it is a strategic change that meets the demand of our Azure Customers and On-premise Customers. Also the MIM product group has release a few new additions to MIM CTP4 /../”

“… Because Microsoft is the Identity platform and as this merger of Identity, Mobility and Information Protection continues you will see great add to the story and services.”

A few days later, , posts an interesting reply to the discussion. To jump to his conclusion: “ Success in the cloud is underpinned by a well-engineered Identity and Access infrastructure – and that is usually a hybrid on-premises/cloud infrastructure involving MIM, AD, Azure AD and much more. You can call it what you like, but rumours of its death have been greatly exaggerated.

And to close the discussion, you might want to get up to speed on what Microsoft Identity and Access aka Enterprise Mobility is heading to… with another post by Hugh.
It’s the essence of the whole story: Identity and Acces, now Enterpise mobility is not limited to the ‘identity technology’ anymore: consider”Advanced Threat Analytics, Secure Islands, Adallom, hybrid identity, devices and enterprise mobility management, Microsoft Identity Manager (MIM) including Privileged Access Management (PAM), new features in Microsoft’s Enterprise Mobility Suite, including changes in Azure Active Directory, Rights Management, and Intune… and more.

It’s damn clear that a specialist in Microsoft Identity & Access (eh sorry, Enterprise Mobility), will have plenty of work in the future.

That being said, here’s the short list.

References list of LinkedIn articles:

But that’s not all.
Recheck the Microsoft support lifecycle for the various products and save it for future reference:

 

*EDIT – 13/may/2016 … the discussion continues*
Above was the customer friendly version, as I’ve got quite some queries for details.
So it allows to explain that the pronounced dead essentially was a hoax.

On the FIM/MIM FB group, there was a very pertinent remark by Gil Kirkpatrick which I’m allowed to share here:

I’ve been utterly baffled at the public reaction to all of this… I’ve had probably a dozen people (a Kuppinger-Cole guy for chrissakes) tell me how MSFT has failed to crack the IAM market and how they’ve given up and EOL’d FIM/MIM, and now its a free-for-all and tha datacenter is on fire, and …, well you get the idea. It’s like nobody even bothered to read the announcement, and I don’t know, maybe look up some of the words in the dictionary if they were having trouble understanding it.”

+1

I personally think this is exactly the reason that David, Hugh and others (including me) have been fighting this hoax.

And I’ll not go into the view and recent reports of the market watchers, like Kuppinger-Cole and Gartner on Identity and Access, Identity Governance, .. whatever.
These are valuable if the reports are built on current, solid data.
But if a vendor does not participate in the survey for a year, or two, because their product stack is been overhauled and set ready for the future.. and therefore the ‘product suite’ does not fit to the market watchers categories (so it drops from the reports), it’s no reason to burry a product/vendor.

And certainly if these reports are published one year later… 
Things are moving fast, very fast.

Updated: 2020-12-30

Some new #MIM2016 CTP stuff on the Connect site

Check out the MIM 2016 connect site: https://connect.microsoft.com/site433.

The Identity and Access Management Connect site is used for:

– Microsoft Identity Manager 2016 SP1 Preview (MIM 2016 SP1)
– FIM Sync Connectors
– Azure Active Directory Sync Services

If you would like to try out this preview in a lab environment, it is available for download on Connect at  https://connect.microsoft.com/site433/Downloads

Check : https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=57668

If you do not see this available for download, ensure that “Active Directory Identity and Access Management CTP” is in your Connect programs list, or add this connect program from the directory https://connect.microsoft.com/directory/ .  You can provide feedback directly by email to aadmimfeedback@microsoft.com or in Connect site feedback.

It’s important to carefully check the description of the download: “These CTPs are intended solely for integration testing and to help us gather community feedback on specific changes or scenarios. As such these previews are for evaluation use only, and are not licensed, supported or intended for production use.  If you need updates for a production deployment of MIM, please contact your Microsoft support representative to ensure you have the latest hotfix for MIM 2016.”

Announcing the public availability of the #MIMWAL for #MIM2016 project, now available as an Open Source Project on GitHub

Source: https://social.technet.microsoft.com/Forums/en-US/e613bbd9-5a2a-46c2-8d91-5f1e0116521b/announcing-the-public-availability-of-the-mimwal-project-now-available-as-an-open-source-project-on?forum=ilm2

Announcing the public availability of the MIMWAL project, now available as an Open Source Project on GitHub.

The MIMWAL is a Workflow Activity Library (WAL) for building complex workflows in the Microsoft Identity Manager (MIM) 2016 and Forefront Identity Manager (FIM) 2010 R2 solution.

The WAL is a powerful solution accelerator for MIM / FIM that provides foundational activities which can be combined to create complex workflows to implement business processes within a MIM / FIM solution simply by configuration instead of coding for days and months.

MIMWAL Features

  • Building-block Workflow Activities
  • Conditional Execution Capability for Building-block Activities
  • Support for Iteration Over a Collection of Values in Building-block Activities
  • Deep Resolution Capability for FIM Lookup Grammar
  • Rich Library of Workflow Functions
  • UI Framework for Building Additional Custom Workflow Activities
  • Support for ETW Event Tracing
  • Optimization of Update Requests
    • Combining multiple updates into a single request per resource per activity
    • Issuing update request only when resource is actually modified.

More information

Please visit the MIMWAL site at http://aka.ms/MIMWAL for information on project source code, releases and documentation, and discussion forums.

Please post any questions or discussions about the MIMWAL project on this forum, which can also be found at http://aka.ms/MIMWAL/Forum

MIMWAL Links

FIM/MIM Licensing: clarification on the requirement to use CALs

Since the addition of the FIM Service and Portal in FIM 2010, the licensing model changed from a “server only” licensing to “server + CAL” licensing. (NOTE: CAL = Client Access License).

In April 2015 licensing update of FIM/MIM, the server license became virtually free.

The authoritative document that provides you with the full details is the PUR (Products Use Rights) document published by Microsoft.

See my post on the licensing change for all required info: http://aka.ms/LicenseToCAL. It does contain the links to the PUR (in various languages).

You can also check the TechNet Wiki page for the FIM/MIM licensing: http://aka.ms/LicenseToFIM)

 

In short: in general, you do NOT need to buy a FIM/MIM server license anymore, it’s included in the Windows Server license.

Still, keep in mind, some specific situations do require special/additional licenses: check the PUR.

You DO require CALs, which is mentioned by the PUR as:

“A CAL is also required for any person for whom the software issues or manages identity information.”

 

You can acquire FIM CALs via :

  • Forefront Identity Manager 2010 R2 User CAL (device CALs are not available), or
  • Enterprise Mobility Suite User SL, or
  • Microsoft Azure Active Directory Premium

The april 2015 licensing change caused quite some confusion on the CAL requirements (as the FIM/MIM server license became ‘free’…)
One of the important reasons was the following paragraph in the PUR (quote):

“/../

Synchronization Service

A CAL is not required for users only using the Forefront Identity Manager synchronization service. /../”

To rephrase this statement: if you ONLY use the FIM Sync engine, you DO NOT need to buy/acquire any license (you got server license free and CAL not required).

This essentially means that IF you do install the FIM Service (and probably the FIM portal to manage it) and you DO connect the FIM Sync engine to the FIM service via the FIM MA, you DO NEED CALs.

This also applies to BHOLD and FIMCM.

This is how it was phrased by one of the FIM/MIM/AADConnect program managers: “As soon as you have installed the FIM Service MA (or BHOLD or CM) then you have triggered a CAL for everyone in the MV. ” It’s not relevant if the users are in FIM Service or not.

This is also the reason for built-in declarative provisioning (without a need for the FIM Service MA) in Azure AD Connect sync… this puts the FIM/MIM licensing model on the same frequency as the Azure AD connect licensing.

Now, this perfectly answers the question of Henrik on my post on the licensing update.

His question was: “What if you install FIM/MIM Sync and Service, both included in Windows Server licensing but you choose not to add object mappings in FIM/MIM MA for users and groups… This will allow you to import filter based sync rules from FIM/MIM Service.”

The short answer is: you still need to acquire the CAL.

Summary

  • FIM/MIM server license is included in the Windows Server License
  • you DO NEED CALs for FIM/MIM
    • you can purchase CALS or acquire them via EMS/AAD premium/ECS
    • for EVERY person managed
  • 1 EXCEPTION:
    • if you ONLY use the FIM/MIM Sync Engine, you do not need CALs

I hope that this explanation helps you to better understand the FIM/MIM licensing.

Feel free to contact me via any channel if you have any feedback or questions.
Happy licensing!

Note-to-self: FIM/MIM hotfix download link failing

Some people reported that the download links to the recent hotfix failed…

The 4.3.2064.0 hotfix page is: https://support.microsoft.com/en-us/kb/3092179

MIMHotfixdownload

 

When you click the link, it forwards to

http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=3092179&kbln=en-us (or similar language)

You need to accept the EULA. (After reading it ! 😉 )

accept eula

Next you need to select the hotfix (only one to select).

Fill in your email and you’ll get the download link.

request mim hotfi

The link you receive in the mail should look like…

Package:

———————————————————–

———————————————————–

KB Article Number(s): 3092179

Language: All (Global)

Platform: x64

Location: (/<blah>/http%3a%2f%2fhotfixv4.microsoft.com%2fMicrosoft%2520Identity%2520Manager%2flatest%2fKB3092179%2f4.3.2064.0%2ffree%2f488603_intl_x64_zip.exe/<blah/)

 

But when you click that link, in some cases the encoded URL seems to fail, where the spaces, slashes, dashes and underscores weren’t decoded correctly.

By clicking the link the %2520 code is not correctly translated to a space…

To solve this, copy the URL text and paste the URL in your favorite browser.

 

It should guide you to: http://hotfixv4.microsoft.com/Microsoft%20Identity%20Manager/latest/KB3092179/4.3.2064.0/free/488603_intl_x64_zip.exe

Be prepared, this hotfix takes 213 MB of your bandwidth and disk…

 

 

 

 

 

 

 

 

Note-to-self: Exchange recipient administration rights in ILM/FIM/MIM

Another great post to bookmark, using the blog as my external memory again:
Check Paul Williams’ post at : http://blog.msresource.net/2011/12/02/exchange-recipient-administration-overkill-in-ilm-and-fim/

“What am I talking about?  Reducing the privilege required to perform Exchange recipient provisioning using the Active Directory Domain Services Management Agent (ADMA).  The default documentation on the subject clearly states that in order to provision mailbox-enabled users or linked mailboxes the ADMA account needs to be a member of the Recipient Administrators role group.  Now, while it’s true membership in that group will allow you to run Update-Recipient and successfully invoke the RUS after creating a user and stamping the mandatory Exchange attributes that same membership also grants you access to perform a multitude of recipient administration tasks that the account doesn’t need to perform.”

And also : http://blog.msresource.net/2011/12/14/delegating-the-minimum-set-of-permissions-for-mailbox-enabled-user-and-linked-mailbox-provisioning/