MIM (Microsoft Identity Manager) as a service is fundamentally an identity data sync service. It will pull from various sources such as HR databases, ERP’s, Email Systems, Active Directory, Oracle’s Banner database, etc. It allows control over what objects from these sources it syncs such as user’s, groups, and permissions. All of these are flexible and can be modified at any point to fit an organization’s needs. This can be done by custom extensions or attributes even that directly and more accurately reflect what an organization would like to see in their environment.
Another big feature that comes with MIM is the provisioning/deprovisioning of accounts as they come in through the desired source’s. MIM can enable and disable accounts at any point deemed necessary through automatic rules a company can set in place or manually. Attribute synchronization is also available, this is made possible by building a schedule in which the service will sync all attributes of objects in the metaverse and write back out to where they are directed to.
Password synchronization is a huge portion of the MIM service. Passwords are handled differently from other attributes. They are propagated real time and handled securely by the service. This is a very complex service that manages multiple data sources.
MIM allows for two main ways of handling passwords. This is password synchronization or user-based password management. By utilizing MIM as a service and taking advantage of the password reset functionality you’re gaining these benefits:
- Reducing the number of passwords individual users must remember. The average number of work passwords a regular user is expected to remember is 8.5. This leads to bad practices such as leaving passwords out in plain sight, storing them insecurely in text documents on a computer, or changing them all to be the same. All of these pose a great risk to any organization.
- Syncing password changes across numerous services and accounts. If in the case of a user forgetting their password or getting compromised the sync engine allows the ability to change or set the password across all accounts for any number of user’s.
- Utilizing Active Directory as a main password authoritative source. This could extend to having user’s change their password in AD and push it out to all their other systems.
- And perform all password managements in real time, independent of the regular MIM operations. This eliminates any response gap from the moment of needing a password change and actually implementing one.
Now that we have gone over a brief intro into MIM and its password service let’s talk about the web portal. The MIM web portal allows for a variety of services.
- Distribution Groups (DGs)
- Creating groups
- Managing groups
- Viewing all known groups
- Joining a group
- Security Groups (SGs)
- Same as Distribution Groups
- Users, profiles, and passwords
- Editing profile
- Requesting password reset
- Approve requests
- See all sent requests