Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Identity management/MIM - application authentication - clarification?

Posted on 2016-09-06
Medium Priority
Last Modified: 2016-10-22
With identity management, something like Microsoft Identity Manager, does this mean that if you have an application on-premise, and you have A.) an Active Directory, and B.) an ADLDS also on-premise, that the application can authenticate a user from both A and B by connecting to an identity management server via LDAP instead?  
Is there a meta-verse where their login is created and password is sync'd from ADLDS or AD, and it the application authenticates against the meta-verse/MIM database?
Question by:garryshape
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 42

Assisted Solution

by:Adam Brown
Adam Brown earned 2000 total points
ID: 41787117
No. MIM is not an authentication solution. It's designed primarily to allow multiple identity solutions to synchronize data between one another and ensure that user data only has to be created and managed in a single place. For instance, if you have Active Directory, an Employee resource application that stores things like employee review histories and whatnot, and some other application that manages payroll, MIM can be used to synchronize the identities between those applications so you only have to enter the user's data (Name, birthdate, etc) in a single location, rather than having to create new profiles for new employees in each application. It can also be used to automate tasks like Exchange Mailbox creation. It's also capable of synchronizing data in different AD Forests. The MIM synchronization service is basically what makes up the back-end of ADConnect for Office 365. When set up properly, you would log in to the MIM portal, create a new user in there, and MIM will run some processes based on the rules and workflows you set up to automate user account creation in AD, Exchange Mailbox creation, and create user profiles in any other application you may need.

It *is* technically possible to synchronize password hashes between applications like AD and AD LDS, but you would still authenticate against AD or AD LDS, not through MIM. If you want a solution that will allow you to use the same username and password to log in to multiple disconnected systems you would utilize a Federation solution like AD Federation Services (ADFS).

Now, you can use MIM and ADFS together, but all the authentication would be done with ADFS. MIM would just be used to map the user accounts in the two environments that you want centralized authentication for.

Author Comment

ID: 41787130
Awesome thanks for the explanation.
From what I was told, as you mentioned O365, is that you could create an account in Azure AD, and then sync it with an existing on-prem AD account? That's not possible, right? I've never heard of that, but someone told me that it's possible.
My understanding is you can only create the account in on-prem AD, and let it sync up to O365. There's no Azure AD or O365 to On-prem syncing, only the other way around -- unless you're utilizing the Password write-back feature...?
LVL 42

Accepted Solution

Adam Brown earned 2000 total points
ID: 41787165
If you have Azure AD Premium (4 dollars per user) you can do Directory write-back to sync Azure based accounts to the on-prem environment using AD Connect. I *think* you can also do the same with the E3/E5 O365 subscriptions, or whichever ones include the Enterprise Mobility Suite. Microsoft's service descriptions are not very detailed about which subscriptions support this feature, so I can't say for certain if *any* of the normal O365 subscription plans include it. That said, the Enterprise Mobility Suite includes Azure AD Premium, and can be added on to any O365 subscription.

If you have Office 365 with a bunch of users already created, once you enable ADConnect's sync it will automatically tie On-prem AD accounts with O365 accounts that have the same email address attributes, if you were wondering about that.

Author Comment

ID: 41855654
I meant to ask a follow-up here, if you don't mind responding again...
But, with an IDM like MIM, say you have self service Active Directory password reset scenario setup.
If one of the steps to resetting a password for a user is to text their mobile phone and/or e-mail their personal E-mail address, would you need their mobile phone # and personal e-mail inside an attribute on their AD user object?
Or would the MIM allow the reset tool to lookup that info in the IDM (i'm assuming SQL back-end database) to carry out?

Because I'm hearing here that Synchronization is the meat of an IDM, but, what good would syncing HR data be that in, say, an encrypted database, to a non-encrypted AD database where everyone by default has read-all access to that AD environment?
LVL 42

Expert Comment

by:Adam Brown
ID: 41855743
Self service password reset by phone would depend on the features available by the solution you use. I haven't worked with MIM's solution for SSPR, but it does have its own database that could store that. Or it could pull it from AD data. Most third party apps use their own SQL back end to store security questions and stuff like that.

As for the encrypted/unencrypted question, you can customize things so specific information is not synced between applications. So not everything in an HR database will get copied to AD. Things like hire date, compensation, and other private info can remain untouched by the sync engine, while non private data like manager names, given names, and office numbers can sync up so you only have to change them in one place, rather than having to go through all applications making updates.

The primary benefit is reduced workload, but it does have to be properly managed.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question