Identity management/MIM - application authentication - clarification?

With identity management, something like Microsoft Identity Manager, does this mean that if you have an application on-premise, and you have A.) an Active Directory, and B.) an ADLDS also on-premise, that the application can authenticate a user from both A and B by connecting to an identity management server via LDAP instead?  
Is there a meta-verse where their login is created and password is sync'd from ADLDS or AD, and it the application authenticates against the meta-verse/MIM database?
Who is Participating?
Adam BrownSr Solutions ArchitectCommented:
If you have Azure AD Premium (4 dollars per user) you can do Directory write-back to sync Azure based accounts to the on-prem environment using AD Connect. I *think* you can also do the same with the E3/E5 O365 subscriptions, or whichever ones include the Enterprise Mobility Suite. Microsoft's service descriptions are not very detailed about which subscriptions support this feature, so I can't say for certain if *any* of the normal O365 subscription plans include it. That said, the Enterprise Mobility Suite includes Azure AD Premium, and can be added on to any O365 subscription.

If you have Office 365 with a bunch of users already created, once you enable ADConnect's sync it will automatically tie On-prem AD accounts with O365 accounts that have the same email address attributes, if you were wondering about that.
Adam BrownSr Solutions ArchitectCommented:
No. MIM is not an authentication solution. It's designed primarily to allow multiple identity solutions to synchronize data between one another and ensure that user data only has to be created and managed in a single place. For instance, if you have Active Directory, an Employee resource application that stores things like employee review histories and whatnot, and some other application that manages payroll, MIM can be used to synchronize the identities between those applications so you only have to enter the user's data (Name, birthdate, etc) in a single location, rather than having to create new profiles for new employees in each application. It can also be used to automate tasks like Exchange Mailbox creation. It's also capable of synchronizing data in different AD Forests. The MIM synchronization service is basically what makes up the back-end of ADConnect for Office 365. When set up properly, you would log in to the MIM portal, create a new user in there, and MIM will run some processes based on the rules and workflows you set up to automate user account creation in AD, Exchange Mailbox creation, and create user profiles in any other application you may need.

It *is* technically possible to synchronize password hashes between applications like AD and AD LDS, but you would still authenticate against AD or AD LDS, not through MIM. If you want a solution that will allow you to use the same username and password to log in to multiple disconnected systems you would utilize a Federation solution like AD Federation Services (ADFS).

Now, you can use MIM and ADFS together, but all the authentication would be done with ADFS. MIM would just be used to map the user accounts in the two environments that you want centralized authentication for.
garryshapeAuthor Commented:
Awesome thanks for the explanation.
From what I was told, as you mentioned O365, is that you could create an account in Azure AD, and then sync it with an existing on-prem AD account? That's not possible, right? I've never heard of that, but someone told me that it's possible.
My understanding is you can only create the account in on-prem AD, and let it sync up to O365. There's no Azure AD or O365 to On-prem syncing, only the other way around -- unless you're utilizing the Password write-back feature...?
garryshapeAuthor Commented:
I meant to ask a follow-up here, if you don't mind responding again...
But, with an IDM like MIM, say you have self service Active Directory password reset scenario setup.
If one of the steps to resetting a password for a user is to text their mobile phone and/or e-mail their personal E-mail address, would you need their mobile phone # and personal e-mail inside an attribute on their AD user object?
Or would the MIM allow the reset tool to lookup that info in the IDM (i'm assuming SQL back-end database) to carry out?

Because I'm hearing here that Synchronization is the meat of an IDM, but, what good would syncing HR data be that in, say, an encrypted database, to a non-encrypted AD database where everyone by default has read-all access to that AD environment?
Adam BrownSr Solutions ArchitectCommented:
Self service password reset by phone would depend on the features available by the solution you use. I haven't worked with MIM's solution for SSPR, but it does have its own database that could store that. Or it could pull it from AD data. Most third party apps use their own SQL back end to store security questions and stuff like that.

As for the encrypted/unencrypted question, you can customize things so specific information is not synced between applications. So not everything in an HR database will get copied to AD. Things like hire date, compensation, and other private info can remain untouched by the sync engine, while non private data like manager names, given names, and office numbers can sync up so you only have to change them in one place, rather than having to go through all applications making updates.

The primary benefit is reduced workload, but it does have to be properly managed.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.