Microsoft Identity Manager – MIM – 2016 Service Pack 1

The first Service Pack for Microsoft Identity Manager – MIM – 2016 (released in October 2016) contains important new functionality as well as bug fixes.

In this blog, I will provide a brief overview of some of the new functionality which Oxford Computer Group has already incorporated into its training courses.

You may also be interested in viewing the recording of my webinar A User’s Guide to MIM with Service Pack 1 which you can view at the foot of this page.

Cross-Browser Support

For the first time since FIM 2010 was released, we now have support for Chrome, Safari and Firefox. This opens many use cases which were previously restricted, where users need to use MIM functions on iPads or other non-Microsoft platforms, and in general where Internet Explorer is not supported or permitted. This applies to the password portals as well as to the main MIM portal itself.

Support for Exchange Online

Prior to the release of SP1, FIM and MIM were only able to use Exchange Online for notifications: approvals have required an on-premises Exchange server. With this Service Pack, it is possible to have the MIM Service monitor an Exchange Online mailbox for approval traffic, so that we no longer need to maintain Exchange on-premises to support MIM’s approval functionality.

PAM PowerShell Scripts

Privileged Account Management is an existing feature of MIM 2016 (see information about our training course on PAM ). The deployment of PAM involves the installation of a number of components in a high-availability configuration – and this can be laborious and prone to error. With the release of the service pack, a set of installation scripts are included, which make this installation more straightforward.

PAM Just-In-Time Admin applies to the Privileged Domain

The Privileged Access Management functionality focuses on securing access to sensitive permissions in an organizations main (“Corporate”) Active Directory forest. Two key components of this approach to securing permissions are:

  • Separation of accounts used for sensitive administration into a distinct Active Directory forest (the ‘Privileged’ forest)
  • ‘Just-In-Time’ administration, granting permissions only when they are required.

In the initial release of PAM, only permissions from the corporate forest can be made available for Just-In-Time use. With this Service Pack release, permissions in the Privileged forest itself (which are, let’s face it, also sensitive) can be made available as JIT permissions.

Updated Platform Support

MIM 2016 SP1 has been upgraded to be supported with the most up-to-date Microsoft platforms, such as Windows Server 2016 and SQL Server 2016.

Hardened Security

The MIM Service accounts can now be configured to be part of Authentication Policies and Authentication Policy Silos. This means that you can configure limitations on authentication protocols supported, as well as the computers which can be accessed using these accounts. Because the service accounts have permissions to access (for example) the encryption keys and (thus) target system passwords in the synchronization service, and perhaps also to run scripts in a privileged context, theft prevention is important. By limiting the number of computers accessible, and perhaps by limiting the lifetime of the Kerberos TGT, you can reduce the attack surface presented by MIM itself.


Want to know more?