First published on CloudBlogs on Nov 18, 2014
Howdy folks,
Back in April, we blogged about the vNext release of Microsoft Identity Manager (a.k.a. "MIM", the product formerly known as Forefront Identity Manager).
Today I have the privilege to let you know that we have released the first public preview of MIM. I've asked Sharon Laivand from our MIM PM team in Herzliya, Israel to do a detailed write-up of the new capabilities that are in preview. I am REALLY excited about many of the new capabilities in MIM, particularly the work to add Privileged Account Management support. This has been a BIG request from customers and I'm thrilled that we are going to be able to support these scenarios.
With that, I'll turn it over to Sharon.
Best Regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Identity and Security Services Division
--------------------------------
Greetings everyone!
I'm really happy to have the opportunity to tell you about all of the new capabilities we've released today in the first preview of Microsoft Identity Manager.
A little background: What is Microsoft Identity Manager (MIM)?
MIM is the new name of the next major release of what was formerly called Forefront Identity Manager (FIM). MIM is scheduled for release in the first half of calendar year 2015.
MIM (like FIM 2010 R2) will be part of the Azure Active Directory Premium (AADP) offering. So if you are already an AADP subscriber, you can benefit from the existing FIM capabilities and upcoming MIM goodies.
MIM is an on-premises Identity and Access Management (IAM) system. As such, it reduces the complexity of managing the identity lifecycle in organizations by automating some key IAM tasks, including:
What will be new in MIM?
Our investments in MIM are grouped into three:
In addition to the new content in MIM, we have changed the way we deliver it. During the MIM release cycle we will regularly provide preview executables that you can test in your lab environments. This gives you an opportunity to provide feedback BEFORE the product is released, and gives us an opportunity to act on that feedback in a timely manner.
You can see more details about MIM in the recent TechEd Europe 2014 session.
Our first public preview is here
In last week's TechEd MIM session we promised that the public preview was almost here, and now it really is here! We call this preview a CTP (Community Technology Preview), and we expect to ship further refreshes (e.g. CTP2) in the coming months, lighting up more capabilities. The capabilities available now in the CTP are detailed below.
New in this CTP: Privileged Access Management, Isolation and elevation
To make the PAM story short, you can watch this video demo.
With this new capability, privileged access is managed in two steps.
The first step is about better protection of privileged accounts: the privileged accounts and groups are copied (or migrated) to a dedicated forest, the privileged forest. This migration is automated by running a PowerShell cmdlet. In addition, users are automatically removed from the privileged groups once the pre-defined expiration time has passed.
In the following screenshot, you can see what the migration PowerShell cmdlet looks like:
In addition to creating groups and users in the privileged forest, you have to define a PAM role. A PAM role defines the role name, the expiry time (TTL) and the candidate users for the role. It can be defined both in the MIM portal and by PowerShell. The following screenshot shows what it looks like in the portal:
The second step is about privileged access step-up: when someone wants to use privileged access, she first has to step up, i.e. obtain the actual access privileges for a resource. This can be done with a PowerShell cmdlet, or through a new GUI that you can build on MIM's new PAM REST API (the PAM REST API will be available in later CTPs). Under the hood, in the privileged forest, the system adds the right privileged user to the right privileged group. Unlike membership in a standard security group, however, the access privileges do not stay there forever: the group membership, and with it the high privileges, is automatically removed after a pre-configured amount of time. This is a major part of our privileged access protection, called Just-In-Time (JIT) step-up.
In the following screenshot, you can see what the elevation PowerShell cmdlet looks like:
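The step-up mechanism described above, as an added example that is not part of the original post and is not MIM's own elevation cmdlet (the screenshot of that cmdlet is not reproduced here). It uses the native Active Directory PowerShell module's expiring group links, the feature that shipped in Windows Server 2016 (the "Windows Server 10" preview mentioned later in this post), so it assumes a privileged forest at that functional level with the Privileged Access Management optional feature enabled. The role name, privileged group, TTL and candidate list are assumptions chosen for illustration.

```powershell
# Added example: JIT step-up modelled with the Windows Server 2016+ AD cmdlets.
# Not MIM's cmdlet. Assumes you run this in the privileged forest after
# enabling the feature once:
#   Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
#       -Scope ForestOrConfigurationSet -Target 'priv.example.com'   # assumed forest
Import-Module ActiveDirectory

# Hypothetical PAM role: who may step up, into which privileged group, and
# for how long. In MIM this is the PAM role object defined in the portal.
$PamRole = @{
    Name       = 'ExampleAdminRole'            # assumed role name
    Group      = 'PRIV.CorpAdmins'             # assumed group in the privileged forest
    TtlSeconds = 3600                          # assumed role TTL (1 hour)
    Candidates = @('PRIV.alice', 'PRIV.bob')   # assumed candidate users (sAMAccountName)
}

function Request-JitStepUp {
    param(
        [Parameter(Mandatory)] [hashtable] $Role,
        [Parameter(Mandatory)] [string]    $Requestor,
        [int] $RequestedSeconds = $Role.TtlSeconds
    )
    # Only users listed as candidates for the role may step up.
    if ($Role.Candidates -notcontains $Requestor) {
        throw "$Requestor is not a candidate for role $($Role.Name)"
    }
    # Never grant longer than the role's configured TTL.
    $ttl = [Math]::Min($RequestedSeconds, $Role.TtlSeconds)

    # Expiring link: the directory itself drops the member when the TTL
    # elapses, so the "remove the privilege" step needs no cleanup job.
    Add-ADGroupMember -Identity $Role.Group -Members $Requestor `
        -MemberTimeToLive (New-TimeSpan -Seconds $ttl)

    # Confirm by reading the member attribute with TTLs shown; expiring
    # members are returned as '<TTL=<seconds>,<member DN>>'.
    $dn = (Get-ADUser -Identity $Requestor).DistinguishedName
    (Get-ADGroup -Identity $Role.Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' -and $_ -like "*$dn*" }
}

# Usage: step up for 30 minutes; the membership expires on its own afterwards.
Request-JitStepUp -Role $PamRole -Requestor 'PRIV.alice' -RequestedSeconds 1800
```

The returned TTL string is the practitioner's check that the grant really is time-limited; a plain Add-ADGroupMember without -MemberTimeToLive would silently produce the permanent membership the post warns against.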
New in this CTP: Password Reset with Azure MFA
To make the SSPR with MFA story short, you can watch this video demo.
In FIM 2010 R2, self-service password reset (SSPR) offered two authentication gates:
- Questions and answers
- OTP
Now we add another authentication gate: Azure MFA.
With Azure MFA, an end user who wishes to reset her password receives a phone call from Azure and is prompted to enter a PIN code.
This combined MIM and AAD capability makes phone-based authentication easier to deploy: as a MIM administrator you do not have to sign up with a 3rd-party SMS delivery provider or telecom carrier; you just have to subscribe to AAD.
For the information worker (IW), registering for SSPR and resetting passwords is just as easy as in FIM 2010 R2, as shown in the following screenshot.
For the IAM admin, lighting up this functionality is as easy as adding an action to the SSPR flow, as shown in this screenshot:
Note: AAD also has its own SSPR functionality; some further details are here.
New in this CTP: Updates to Certificate Manager
To make the CM modernization story short, you can watch this video demo.
We have introduced a new Windows Store style application (a modern Windows app) that lets you accomplish self-service tasks related to smart cards, virtual smart cards and certificate management.
So, for example, you can enroll a new virtual smart card for yourself in just a few clicks. You can also renew a certificate, reset the certificate PIN (unblock your smart card), or delete a certificate or smart card.
This is what it looks like:
In addition, the modern Windows app is built on a new REST API. The new CM REST API can be used not only by the modern app but also to develop your own customized CM portal.
The REST API is protected by OAuth2, and access to the API can be authenticated by AD FS. You can also now require strong authentication to log on to the app, so end users will need more than a username and password to enroll a certificate or virtual smart card.
The new CM REST API enables another important scenario: an information worker can now enroll a new certificate or virtual smart card even when her device is not domain joined. This brings me to a personal story:
Last weekend, on my way to TechEd, my virtual smart card had expired, so I could not authenticate to my VPN, and therefore could not renew my virtual smart card (and therefore could not authenticate to my VPN... got it?)
Immediately I recalled that I take part in our internal CM Windows Store app preview, so I used it to renew my virtual smart card and regained VPN access. Isn't this awesome?
New in CTP2: Modernized Supported Platforms
In addition to the new capabilities, we have extended our platform support matrix to:
- Windows Server 2012 R2
- SharePoint 2013
- SQL Server 2014
- Exchange 2013
- Visual Studio 2013 (to support extension development)
In addition, our PAM functionality can make use of Windows Server 10.
What is next?
In this blog post we have told our story. Now it is time to hear from you!
In addition:
- We encourage you to email us with any comment or feedback.
- You can learn more about MIM here.
- You can learn more about FIM here.
Finally, stay tuned: more capabilities and goodies for MIM are right around the corner. We plan to provide additional capabilities in the next 2-3 months.
Thank you, and see you in the next MIM Preview!
Sharon Laivand, Program Manager