Why and how to move on from Microsoft Identity Manager 2016?

Identity governance

MIM (formerly Forefront Identity Manager, and Identity Lifecycle Manager before that) is a widely used service for managing user lifecycles and access rights in Active Directory.

Right now, it is moving into a well-earned retirement phase. But don’t worry, it’s not the end of the world. There are tools you can use in its place, and there’s still time to move to another service.

Key points:

  • Do you still need Microsoft Identity Manager?
  • How to replace it?
  • Where to begin with migrating from MIM?

Is Microsoft Identity Manager reaching end of life?

In simple terms, yes. It is no longer actively developed by Microsoft. Mainstream support for MIM ended in January 2021. Azure AD Premium customers can get extended support until 2026.

Still, for many organizations, it is time to look for a replacement.

Microsoft has turned its focus to Azure AD. Can it really replace MIM entirely?

As we consultants like to say: it depends. Let’s have a look at what you can use to manage identities and up your IAG game.

What does Microsoft Identity Manager do?

MIM can synchronize your Active Directory with multiple external systems to centralize the management of user accounts. Its key features include:

  1. Identity management – including user on- and offboarding, attribute synchronization, and self-service profile management
  2. Group management – for manual, manager-based, and dynamic groups, featuring self-service workflows and an access request and approval process
  3. Credential management – with self-service functionalities, MFA, and password synchronization
  4. Policy management – covering authentication, authorization, codeless provisioning, and a SharePoint-based admin portal.

This is just a snapshot of its capabilities. MIM also facilitates RBAC (with BHOLD), PAM, certificate management and reporting, and many other functionalities.

For on-premises environments, it has been the cornerstone of Identity and Access Management for a very long time.

Do you need Microsoft Identity Manager?

There are some scenarios where MIM still performs very well. This is especially true for environments based largely on-premises. Example use cases include:

  • Frequent user on/offboarding, e.g. in hospitality or retail industries
  • Automating Microsoft 365 license management
  • Helping with MS Teams management
  • Facilitating quick synchronization during mergers & acquisitions (possible with the addition of Azure B2B to allow guests to a tenant)
  • Office 365 contact synchronization between tenants
  • On-premises synchronization from AD to other directories and applications
  • The need for compliance and meeting audit requirements.

You can also build custom workflows and connectors to integrate the platform with internal systems, such as CISCO Unified Communications Manager.


What to replace MIM with?

Does it mean MIM is the only option for identity management? Not necessarily. Especially considering that MIM will soon be decommissioned, it is a good time to start looking at alternatives.

The closest replacement is, of course, Azure AD. It has a range of features that enable simple identity and access management for internal and external users.

If you’ve got a cloud-first or hybrid environment, it’s a perfect choice.

Disadvantages of using MIM

Some important functionalities are not available in Microsoft Identity Manager 2016. These include:

  • Reporting and auditing
  • Passwordless authentication
  • Compliance and governance tools
  • Access review and Entitlement Management.

If you’re looking to upgrade your identity and access governance, use Azure AD to plug these gaps.

Disadvantages of using Azure AD

Particularly for on-premises environments, there are some features in MIM that are currently not available in Azure AD. They include:

  • Role-Based Access Control (RBAC) for on-premises resources including access management, role mining, segregation of duties, attestation campaigns, and reporting
  • Privileged Access Management (PAM) for on-premises AD DS environment with just-in-time access to security groups
  • Certificate Management for managing the complete life cycle of smart cards and software-based certificates
  • Audit Reports covering identity and access governance including identity attribute change log, role management, and access attestation.

Pro tip:

You could build your own solution to cover these functionalities, but that can be costly and time-consuming. There are already services on the market, such as Omada (disclaimer: they are our partner in the IAM space) or CyberArk.

They have the necessary integrations available out-of-the-box, so you may be able to take advantage of them instead. They are fully compatible with MIM, so you could use them during the transition period.

What’s the strategy for moving on from Microsoft Identity Manager 2016?

MIM was great for on-premises environments, but as more and more organizations move towards the cloud, they are starting to look for cloud-based replacements.

As we’ve indicated, Azure AD is the closest substitute. By adding third-party tools you can easily replace all of MIM’s features, and add many new ones.

Quick wins:

  1. Onboard Omada Identity and conduct access reviews for critical business applications and systems
  2. Follow Omada’s Identity Process+ to introduce essential identity governance functionalities, like onboarding, transfer, offboarding, and access requests
  3. Define contexts and resource assignment policies for default access and standard permissions
  4. Migrate existing MIM connectors to Omada Identity.

Here are the first steps to developing your MIM migration roadmap:

  1. Review your MIM implementation. What are the key functionalities you use and need to migrate?
  2. Reduce the dependency on MIM 2016 infrastructure by implementing the quick wins listed above
  3. Consider Azure AD Identity Governance for simple governance of your cloud resources.
  4. Enable SSO for on-premises and SaaS applications with Azure AD SSO
  5. Evaluate Omada Identity for hybrid access governance. Start by introducing the key elements alongside your MIM implementation.
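The first roadmap step, reviewing what your MIM implementation actually does, starts with an inventory of the Synchronization Service: which management agents exist, what system each one connects to, and how many objects it currently stages. The script below is an added example for this post, not code from Microsoft or Omada. It assumes you run it on the MIM Sync server as a member of the MIIS Admins group, and it relies on the WMI provider the Sync Service installs (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent); the output file name mim-ma-inventory.csv is an arbitrary choice.

```powershell
# Added example (not from the original post): inventory the MIM Synchronization
# Service's management agents so each connected system can be mapped to its
# replacement (Azure AD, Omada Identity, or another tool).
# Assumes: run locally on the MIM Sync server by a MIIS Admins member, with the
# Sync Service WMI provider available in the namespace below.
$ns = 'root\MicrosoftIdentityIntegrationServer'
$agents = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent

$inventory = foreach ($ma in $agents) {
    # RunStatus() and NumCSObjects() are provider methods; PowerShell exposes
    # their result through the ReturnValue property of the returned object.
    [pscustomobject]@{
        Name      = $ma.Name
        Type      = $ma.Type                      # e.g. 'Active Directory Domain Services'
        Guid      = $ma.Guid
        LastRun   = $ma.RunStatus().ReturnValue   # outcome of the most recent run profile
        CSObjects = $ma.NumCSObjects().ReturnValue  # objects staged in the connector space
    }
}

# Show the result on screen and keep a copy for the migration roadmap.
$inventory | Sort-Object Name | Format-Table -AutoSize
$inventory | Export-Csv -Path '.\mim-ma-inventory.csv' -NoTypeInformation  # constructed file name

# Management agents that are never run successfully are the first candidates
# to decommission; the rest need a named target in the replacement plan.
$inventory | Where-Object { $_.LastRun -ne 'success' } |
    Select-Object Name, Type, LastRun
```

This covers the Synchronization Service only. The MIM Service side (sets, management policy rules, workflows, and the portal's self-service configuration) is what custom workflows and approval processes live in; exporting that configuration with the FIMAutomation snap-in's Export-FIMConfig cmdlet is the usual counterpart, and both lists together answer the "what do we need to migrate" question before any replacement is chosen.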

Pro tip:

To see which services to replace your MIM functionalities with, check out our dedicated guide below. Note that all included functionalities are available in Azure AD natively and no additional customization is required.

A guide to MIM feature replacement (infographic, available as a PDF download)

In need of MIM platform support? Get in touch and we’ll help you out.

Key takeaways:

  1. Microsoft Identity Manager is being decommissioned. Review the functionalities you use and start mapping them to other tools like Azure AD, Omada, or others.
  2. It’s a good time to review your identity governance plan. Include its elements, like RBAC and reporting, in any change you’re planning.
  3. Additional Azure AD features are available in preview. Check your internal policies before implementing them.