Solved

Identity management/MIM - application authentication - clarification?

Posted on 2016-09-06
5
49 Views
Last Modified: 2016-10-22
With identity management, something like Microsoft Identity Manager, does this mean that if you have an application on-premise, and you have A.) an Active Directory, and B.) an ADLDS also on-premise, that the application can authenticate a user from both A and B by connecting to an identity management server via LDAP instead?  
Is there a meta-verse where their login is created and password is sync'd from ADLDS or AD, and it the application authenticates against the meta-verse/MIM database?
0
Comment
Question by:garryshape
  • 3
  • 2
5 Comments
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
Comment Utility
No. MIM is not an authentication solution. It's designed primarily to allow multiple identity solutions to synchronize data between one another and ensure that user data only has to be created and managed in a single place. For instance, if you have Active Directory, an Employee resource application that stores things like employee review histories and whatnot, and some other application that manages payroll, MIM can be used to synchronize the identities between those applications so you only have to enter the user's data (Name, birthdate, etc) in a single location, rather than having to create new profiles for new employees in each application. It can also be used to automate tasks like Exchange Mailbox creation. It's also capable of synchronizing data in different AD Forests. The MIM synchronization service is basically what makes up the back-end of ADConnect for Office 365. When set up properly, you would log in to the MIM portal, create a new user in there, and MIM will run some processes based on the rules and workflows you set up to automate user account creation in AD, Exchange Mailbox creation, and create user profiles in any other application you may need.

It *is* technically possible to synchronize password hashes between applications like AD and AD LDS, but you would still authenticate against AD or AD LDS, not through MIM. If you want a solution that will allow you to use the same username and password to log in to multiple disconnected systems you would utilize a Federation solution like AD Federation Services (ADFS).

Now, you can use MIM and ADFS together, but all the authentication would be done with ADFS. MIM would just be used to map the user accounts in the two environments that you want centralized authentication for.
1
 

Author Comment

by:garryshape
Comment Utility
Awesome thanks for the explanation.
From what I was told, as you mentioned O365, is that you could create an account in Azure AD, and then sync it with an existing on-prem AD account? That's not possible, right? I've never heard of that, but someone told me that it's possible.
My understanding is you can only create the account in on-prem AD, and let it sync up to O365. There's no Azure AD or O365 to On-prem syncing, only the other way around -- unless you're utilizing the Password write-back feature...?
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
Comment Utility
If you have Azure AD Premium (4 dollars per user) you can do Directory write-back to sync Azure based accounts to the on-prem environment using AD Connect. I *think* you can also do the same with the E3/E5 O365 subscriptions, or whichever ones include the Enterprise Mobility Suite. Microsoft's service descriptions are not very detailed about which subscriptions support this feature, so I can't say for certain if *any* of the normal O365 subscription plans include it. That said, the Enterprise Mobility Suite includes Azure AD Premium, and can be added on to any O365 subscription.

If you have Office 365 with a bunch of users already created, once you enable ADConnect's sync it will automatically tie On-prem AD accounts with O365 accounts that have the same email address attributes, if you were wondering about that.
1
 

Author Comment

by:garryshape
Comment Utility
I meant to ask a follow-up here, if you don't mind responding again...
But, with an IDM like MIM, say you have self service Active Directory password reset scenario setup.
If one of the steps to resetting a password for a user is to text their mobile phone and/or e-mail their personal E-mail address, would you need their mobile phone # and personal e-mail inside an attribute on their AD user object?
Or would the MIM allow the reset tool to lookup that info in the IDM (i'm assuming SQL back-end database) to carry out?

Because I'm hearing here that Synchronization is the meat of an IDM, but, what good would syncing HR data be that in, say, an encrypted database, to a non-encrypted AD database where everyone by default has read-all access to that AD environment?
0
 
LVL 38

Expert Comment

by:Adam Brown
Comment Utility
Self service password reset by phone would depend on the features available by the solution you use. I haven't worked with MIM's solution for SSPR, but it does have its own database that could store that. Or it could pull it from AD data. Most third party apps use their own SQL back end to store security questions and stuff like that.

As for the encrypted/unencrypted question, you can customize things so specific information is not synced between applications. So not everything in an HR database will get copied to AD. Things like hire date, compensation, and other private info can remain untouched by the sync engine, while non private data like manager names, given names, and office numbers can sync up so you only have to change them in one place, rather than having to go through all applications making updates.

The primary benefit is reduced workload, but it does have to be properly managed.
1

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now