Go Premium for a chance to win a PS4. Enter to Win


Identity management/MIM - application authentication - clarification?

Posted on 2016-09-06
Medium Priority
Last Modified: 2016-10-22
With identity management, something like Microsoft Identity Manager, does this mean that if you have an application on-premise, and you have A.) an Active Directory, and B.) an ADLDS also on-premise, that the application can authenticate a user from both A and B by connecting to an identity management server via LDAP instead?  
Is there a meta-verse where their login is created and password is sync'd from ADLDS or AD, and it the application authenticates against the meta-verse/MIM database?
Question by:garryshape
  • 3
  • 2
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 2000 total points
ID: 41787117
No. MIM is not an authentication solution. It's designed primarily to allow multiple identity solutions to synchronize data between one another and ensure that user data only has to be created and managed in a single place. For instance, if you have Active Directory, an Employee resource application that stores things like employee review histories and whatnot, and some other application that manages payroll, MIM can be used to synchronize the identities between those applications so you only have to enter the user's data (Name, birthdate, etc) in a single location, rather than having to create new profiles for new employees in each application. It can also be used to automate tasks like Exchange Mailbox creation. It's also capable of synchronizing data in different AD Forests. The MIM synchronization service is basically what makes up the back-end of ADConnect for Office 365. When set up properly, you would log in to the MIM portal, create a new user in there, and MIM will run some processes based on the rules and workflows you set up to automate user account creation in AD, Exchange Mailbox creation, and create user profiles in any other application you may need.

It *is* technically possible to synchronize password hashes between applications like AD and AD LDS, but you would still authenticate against AD or AD LDS, not through MIM. If you want a solution that will allow you to use the same username and password to log in to multiple disconnected systems you would utilize a Federation solution like AD Federation Services (ADFS).

Now, you can use MIM and ADFS together, but all the authentication would be done with ADFS. MIM would just be used to map the user accounts in the two environments that you want centralized authentication for.

Author Comment

ID: 41787130
Awesome thanks for the explanation.
From what I was told, as you mentioned O365, is that you could create an account in Azure AD, and then sync it with an existing on-prem AD account? That's not possible, right? I've never heard of that, but someone told me that it's possible.
My understanding is you can only create the account in on-prem AD, and let it sync up to O365. There's no Azure AD or O365 to On-prem syncing, only the other way around -- unless you're utilizing the Password write-back feature...?
LVL 43

Accepted Solution

Adam Brown earned 2000 total points
ID: 41787165
If you have Azure AD Premium (4 dollars per user) you can do Directory write-back to sync Azure based accounts to the on-prem environment using AD Connect. I *think* you can also do the same with the E3/E5 O365 subscriptions, or whichever ones include the Enterprise Mobility Suite. Microsoft's service descriptions are not very detailed about which subscriptions support this feature, so I can't say for certain if *any* of the normal O365 subscription plans include it. That said, the Enterprise Mobility Suite includes Azure AD Premium, and can be added on to any O365 subscription.

If you have Office 365 with a bunch of users already created, once you enable ADConnect's sync it will automatically tie On-prem AD accounts with O365 accounts that have the same email address attributes, if you were wondering about that.

Author Comment

ID: 41855654
I meant to ask a follow-up here, if you don't mind responding again...
But, with an IDM like MIM, say you have self service Active Directory password reset scenario setup.
If one of the steps to resetting a password for a user is to text their mobile phone and/or e-mail their personal E-mail address, would you need their mobile phone # and personal e-mail inside an attribute on their AD user object?
Or would the MIM allow the reset tool to lookup that info in the IDM (i'm assuming SQL back-end database) to carry out?

Because I'm hearing here that Synchronization is the meat of an IDM, but, what good would syncing HR data be that in, say, an encrypted database, to a non-encrypted AD database where everyone by default has read-all access to that AD environment?
LVL 43

Expert Comment

by:Adam Brown
ID: 41855743
Self service password reset by phone would depend on the features available by the solution you use. I haven't worked with MIM's solution for SSPR, but it does have its own database that could store that. Or it could pull it from AD data. Most third party apps use their own SQL back end to store security questions and stuff like that.

As for the encrypted/unencrypted question, you can customize things so specific information is not synced between applications. So not everything in an HR database will get copied to AD. Things like hire date, compensation, and other private info can remain untouched by the sync engine, while non private data like manager names, given names, and office numbers can sync up so you only have to change them in one place, rather than having to go through all applications making updates.

The primary benefit is reduced workload, but it does have to be properly managed.

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question