Note-to-self: Exchange recipient administration rights in ILM/FIM/MIM

Another great post to bookmark, using the blog as my external memory again:
Check Paul Williams’ post at: http://blog.msresource.net/2011/12/02/exchange-recipient-administration-overkill-in-ilm-and-fim/

“What am I talking about? Reducing the privilege required to perform Exchange recipient provisioning using the Active Directory Domain Services Management Agent (ADMA). The default documentation on the subject clearly states that in order to provision mailbox-enabled users or linked mailboxes the ADMA account needs to be a member of the Recipient Administrators role group. Now, while it’s true membership in that group will allow you to run Update-Recipient and successfully invoke the RUS after creating a user and stamping the mandatory Exchange attributes, that same membership also grants you access to perform a multitude of recipient administration tasks that the account doesn’t need to perform.”

And also: http://blog.msresource.net/2011/12/14/delegating-the-minimum-set-of-permissions-for-mailbox-enabled-user-and-linked-mailbox-provisioning/

Note-to-self: #FIM2010 Virtualisation support

Nowadays, it’s not a hot topic anymore, but rather common practice to run your FIM / MIM environment in a virtualized setup.
Still, once in a while we do get questions about virtualization support for FIM/MIM.

Bookmark the sources below, as it might be useful to retrieve the answer quickly.

First, the more general source to check is the Windows Server Catalog (http://www.windowsservercatalog.com/).
On that catalog page you find the link to the Server Virtualization Validation Program site (http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm).

“Please visit the Server Virtualization Validation Program site for more information on validated solutions and available support.” 

That page mentions:

“Information on Microsoft’s support policy for Hyper-V and Azure can be found at:


“The information provided by the Microsoft Application Support Policy is for guidance purposes only. Please visit the Products listing to review the latest information available”

Microsoft Server Software and Supported Virtualization Environments points to this KB article: https://support.microsoft.com/nl-be/kb/957006

It explicitly refers to Forefront Identity Manager as:

“Microsoft Forefront Identity Manager 2010
Microsoft Forefront Identity Manager 2010 and later versions are supported.”

Just as a side step, the Products Listing page (on http://www.windowsservercatalog.com/results.aspx?&bCatID=1521&cpID=0&avc=0&ava=0&avq=0&OR=1&PGS=25) has the latest updates on Windows Server 2012 and later…

In the left side menu bar you’ll find OS Compatibility and Processor architecture:

OS compatibility

Supports Windows Server 2012 R2
Supports Windows Server 2012
Supports Windows Server 2008 R2
Supports Windows Server 2008

Processor architecture

Windows Server 2012 R2 (x64)
Windows Server 2012 (x64)
Windows Server 2008 R2 (x64)
Windows Server 2008 (x64)
Windows Server 2008 (x86)

Another side note: for the support lifecycle, the KB article refers to http://support.microsoft.com/?pr=lifecycle.
But for FIM 2010 / MIM 2016 there is an easier shortcut you should use:

FIM 2010: https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Microsoft%20Forefront%20Identity%20Manager&Filter=FilterNO

MIM 2016 (also includes FIM 2010 info): https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Microsoft%20Identity%20Manager&Filter=FilterNO

For future use, this info has also been published on TNWiki; you can use the short URLs http://aka.ms/FIM2010Virtualisation and http://aka.ms/MIM2016Virtualisation.


Note-to-self: Installing the Microsoft Identity Manager 2016 (4.3.1935.0) Service and Portal – Upgrade from FIM 2010 R2

Source: http://blogs.msdn.com/b/connector_space/archive/2015/08/05/installing-the-microsoft-identity-manager-2016-4-3-1935-0-service-and-portal-upgrade-from-fim-2010-r2.aspx

Great work from Anthony Marsiglia (FIM Devil)

#MIM2016 now officially published and generally available

Source: http://blogs.technet.com/b/ad/archive/2015/08/06/microsoft-identity-manager-2016-is-now-ga.aspx

As many of the FIMsters already knew from the updates on MSDN/VL downloads and the update on the TechNet Center, MIM 2016 has now also been officially announced by the FIM/MIM product group.

You can read the full details at: http://aka.ms/MIM2016.

Shai Kariv points to a few interesting links in the announcement.

“Please refer to the official Microsoft communication here and here for the available channels for getting the final product version.”

This is:

And also

This major new version of Identity Manager is an overall modernization of capabilities and experiences relative to the previous version, FIM 2010 R2.

We added programmatic interfaces such as a RESTful API and PowerShell commands, and expanded the supported operating systems, server products and browser versions based on customer input.

Additionally, we’re very proud about some of the innovations introduced in this product version, in the areas of Security (privileged identity management), Hybrid identity management, new self-service capabilities, and new certificate management experiences.

For more extensive information about Microsoft Identity Management features and themes, check out previous posts in this blog: here, here, here, and here.

Great news for Windows 10 users! Microsoft Identity Manager not only adds experiences for Windows 10, but actually it has greater value for you, because it leverages the intrinsic Windows Server 2016 new Active Directory capabilities: time-limited group memberships and foreign principal groups.”

And as a reminder:

Also take a look at the updated licensing scheme for FIM and MIM 2016.

Note-to-Self: #MIM2016 online documentation is live

Just got the news that the MIM 2016 online documentation is published.

You can find the Microsoft Identity Manager 2016 Developer Reference at: http://aka.ms/mim2016devref

It contains:

On TechNet you can find the MIM 2016 Technical Library at: http://aka.ms/mim2016techref

Get your #MIM2016 – download available on MSDN/VL

Source: FIM2010 FB Group

As noticed by other FIM community members, the software bits of MIM 2016 are published on MSDN…

And an updated product website is in the air: http://www.microsoft.com/en-us/server-cloud/products/microsoft-identity-manager/

So one can expect that an announcement on the MIM2016 GA (General Availability) is on its way…

See also: http://www.zdnet.com/article/microsoft-identity-manager-2016-starts-rolling-out/

Note-to-self: a new build of the #MIM2016 CTP on Microsoft Connect (Milestone CTP4, 4.3.1935.0)

With the last update, in April, the FIM/MIM product group posted MIM beta build 4.3.1790.0.
Yesterday the MIM PG posted new build install files on Connect (4.3.1935.0).

You’ll notice this set of data only has the install files and hasn’t got the VMs anymore…

Release date, RTM, GA getting close?

New MIM vNext CTP (CTP4) posted on Microsoft Connect #FIM2010 #MIM2015, now #MIM2016

Source: http://blogs.technet.com/b/ad/archive/2015/04/21/microsoft-identity-manager-public-preview-updated.aspx

Today the FIM/MIM product group posted a new version of the MIM vNext CTP on Microsoft Connect (Milestone CTP4, 4.3.1790.0)

Head over to the Microsoft Connect site at https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=57668

As you’ll quickly see, you’ll now need 35GB of free space to download the documents and VMs.

In addition to the new functionality, if you carefully read the list of downloads, we have got a new product name:

Microsoft Identity Manager 2016.

  • CTP3 MIM CM with Modern App TLG.docx (5,38 MB)
  • PRIVDC.zip (6.429,13 MB)
  • CORPDC.zip (7.438,93 MB)
  • CORPWKSTN.zip (7.461,45 MB)
  • PAMSRV.zip (13.791,65 MB)
  • MIM install 4.3.1790.0.zip (158 MB)
  • MIM CTP Test Lab Guide for Privileged Access Management.docx (474 KB)
  • TLG – MIM2016 Deployment.docx (8,98 MB)
  • TLG – MIM2016 RC Self-Service Login Assistance (SSPR+SSAU) with Azure MFA.docx (4,05 MB)

The beta release can be downloaded as follows:

#FIM2010 & MIM 2016 licensing model is changing as of 1st of April 2015

Source: http://www.microsoft.com/licensing/products/products.aspx

Download the “Microsoft Product Use Rights (WW, English, April 2015)” document at http://www.microsoftvolumelicensing.com/userights/Downloader.aspx?DocumentId=8488

In short, prior to 1st of April 2015, you required

  • a FIM server license for every FIM server installed and a CAL for every user managed in the FIM Service, or
  • Forefront Identity Manager 2010 R2 External Connector

| Functionality | Covered by |
|---|---|
| FIM Server Components (FIM Sync, FIM Services, FIM portal, …) | FIM Server SKU |
| CAL | Standalone FIM CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, or Enterprise Cloud Suite (ECS) User SL |
| External Users | FIM External Connector license (per server) |

After 1st of April 2015:

  • Windows Server license (Standard & Datacenter) will include FIM server entitlement
  • FIM Server 2010 R2 licenses will not be available anymore on the price lists

| Functionality | Covered by |
|---|---|
| FIM Server Components (FIM Sync, FIM Services, FIM portal, …) | Windows Server license (Standard & Datacenter) will include FIM server entitlement |
| CAL | Standalone (FIM) CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, or Enterprise Cloud Suite (ECS) User SL |
| External Users | Windows Connector license |

Certificate and Identity Management

  • A CAL is also required for any person for whom the software issues or manages identity information.

Synchronization Service

  • A CAL is not required for users only using the Forefront Identity Manager synchronization service.

From the PUR:

  • External Connector License means a license attached to a Server that permits access to the server software by External Users.
  • External Users means users that are not either your or your Affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.
  • CAL means client access license. There are two kinds of CALs: user and device. A user CAL allows access to the server software from any device by one user. A device CAL allows access to the server software from one device by any user.

FIM / MIM uses a user CAL. The FIM server will no longer be sold as a separate license; instead, Windows Server licenses will allow customers to install the FIM Server software. Since FIM users already required a Windows Server CAL or equivalent to access FIM running on Windows Server, no additional Windows Server CALs (or Windows Server External Connector) will be required.

It is still important to understand that you need FIM/MIM CALs to manage identities with FIM/MIM (unless you only use the FIM/MIM Sync). Azure Active Directory Premium (AADP) and any suite that contains AADP, including Enterprise Mobility Suite (EMS) and Enterprise Cloud Suite (ECS), or an additive FIM CAL will also entitle users to access FIM.

MIM will have the same licensing model. All current FIM customers with active SA on the underlying Windows Server (since the right to install FIM server is now granted with a Windows Server license) will have rights to upgrade to MIM when it launches.

And for my Dutch speaking followers… Tous la même chose:

PS: The FIM licensing page on TechNet Wiki will be updated ASAP (http://aka.ms/LicenseToFIM)

[ADD-ON, Jan 2016]