Identity management/MIM - application authentication - clarification?

Posted on 2016-09-06
Last Modified: 2016-10-22
With identity management, something like Microsoft Identity Manager, does this mean that if you have an application on-premise, and you have A.) an Active Directory, and B.) an ADLDS also on-premise, that the application can authenticate a user from both A and B by connecting to an identity management server via LDAP instead?  
Is there a meta-verse where their login is created and password is sync'd from ADLDS or AD, and it the application authenticates against the meta-verse/MIM database?
Question by:garryshape
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 41787117
No. MIM is not an authentication solution. It's designed primarily to allow multiple identity solutions to synchronize data between one another and ensure that user data only has to be created and managed in a single place. For instance, if you have Active Directory, an Employee resource application that stores things like employee review histories and whatnot, and some other application that manages payroll, MIM can be used to synchronize the identities between those applications so you only have to enter the user's data (Name, birthdate, etc) in a single location, rather than having to create new profiles for new employees in each application. It can also be used to automate tasks like Exchange Mailbox creation. It's also capable of synchronizing data in different AD Forests. The MIM synchronization service is basically what makes up the back-end of ADConnect for Office 365. When set up properly, you would log in to the MIM portal, create a new user in there, and MIM will run some processes based on the rules and workflows you set up to automate user account creation in AD, Exchange Mailbox creation, and create user profiles in any other application you may need.

It *is* technically possible to synchronize password hashes between applications like AD and AD LDS, but you would still authenticate against AD or AD LDS, not through MIM. If you want a solution that will allow you to use the same username and password to log in to multiple disconnected systems you would utilize a Federation solution like AD Federation Services (ADFS).

Now, you can use MIM and ADFS together, but all the authentication would be done with ADFS. MIM would just be used to map the user accounts in the two environments that you want centralized authentication for.

Author Comment

ID: 41787130
Awesome thanks for the explanation.
From what I was told, as you mentioned O365, is that you could create an account in Azure AD, and then sync it with an existing on-prem AD account? That's not possible, right? I've never heard of that, but someone told me that it's possible.
My understanding is you can only create the account in on-prem AD, and let it sync up to O365. There's no Azure AD or O365 to On-prem syncing, only the other way around -- unless you're utilizing the Password write-back feature...?
LVL 40

Accepted Solution

Adam Brown earned 500 total points
ID: 41787165
If you have Azure AD Premium (4 dollars per user) you can do Directory write-back to sync Azure based accounts to the on-prem environment using AD Connect. I *think* you can also do the same with the E3/E5 O365 subscriptions, or whichever ones include the Enterprise Mobility Suite. Microsoft's service descriptions are not very detailed about which subscriptions support this feature, so I can't say for certain if *any* of the normal O365 subscription plans include it. That said, the Enterprise Mobility Suite includes Azure AD Premium, and can be added on to any O365 subscription.

If you have Office 365 with a bunch of users already created, once you enable ADConnect's sync it will automatically tie On-prem AD accounts with O365 accounts that have the same email address attributes, if you were wondering about that.

Author Comment

ID: 41855654
I meant to ask a follow-up here, if you don't mind responding again...
But, with an IDM like MIM, say you have self service Active Directory password reset scenario setup.
If one of the steps to resetting a password for a user is to text their mobile phone and/or e-mail their personal E-mail address, would you need their mobile phone # and personal e-mail inside an attribute on their AD user object?
Or would the MIM allow the reset tool to lookup that info in the IDM (i'm assuming SQL back-end database) to carry out?

Because I'm hearing here that Synchronization is the meat of an IDM, but, what good would syncing HR data be that in, say, an encrypted database, to a non-encrypted AD database where everyone by default has read-all access to that AD environment?
LVL 40

Expert Comment

by:Adam Brown
ID: 41855743
Self service password reset by phone would depend on the features available by the solution you use. I haven't worked with MIM's solution for SSPR, but it does have its own database that could store that. Or it could pull it from AD data. Most third party apps use their own SQL back end to store security questions and stuff like that.

As for the encrypted/unencrypted question, you can customize things so specific information is not synced between applications. So not everything in an HR database will get copied to AD. Things like hire date, compensation, and other private info can remain untouched by the sync engine, while non private data like manager names, given names, and office numbers can sync up so you only have to change them in one place, rather than having to go through all applications making updates.

The primary benefit is reduced workload, but it does have to be properly managed.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question