Enterprise Mobility and Security Blog

Howdy folks,

I'm going to be out for the next few days getting the rotator cuff on my right shoulder repaired. While I'm out, a few other folks are going to be guest blogging.

First up is Sharon Laivand, a Senior Program Manager in our Microsoft Identity Manager team. He's going to share details on the latest Public Preview release of Microsoft Identity Manager.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Services Division

——————————

Greetings Everyone,

I'm Sharon Laivand from the Microsoft Identity Manager team. You might recall that Alex announced the first public preview of Microsoft Identity Manager vNext (MIM). In case you didn't read that post, MIM is the new name for the next major release of the product formerly called Forefront Identity Manager. MIM is scheduled to be generally available in the first half of 2015. Today, we are excited to update you on our progress: we have refreshed the preview with the following features and scenarios:

  • Privileged Access Management (PAM): support for running with Windows Server 2012 R2 domain controllers in addition to Windows Server vNext domain controllers, a new REST API and a sample web portal built on it, new enterprise-grade PowerShell cmdlets, and a new PAM security monitoring service, with a one-way trust between the PAM forest and the CORP forest.
  • Certificate Management (CM): a client certificate management REST API and a Modern application that uses it with an updated user experience, cross-forest certificate support, CM server-side event logging, and new self-configured performance counters.
  • Password Self-Service: self-service account unlock alongside self-service password reset.
  • In-place upgrade from FIM 2010 R2 to MIM vNext.

Updates in the Privileged Access Management (PAM) scenario

In the previous public preview, MIM required that the domain controllers of the forest holding the privileged user accounts run Windows Server vNext. In this update, we've added support for Windows Server 2012 R2. We have updated (and shrunk) the test lab guide for the PAM scenario, so that you can try out the core feature of elevating a user with Just-in-Time access using only generally available (GA) versions of Windows Server as a prerequisite. You can set up a MIM test lab for PAM with a server for MIM itself and a Windows Server 2012 R2 domain controller, and connect it to your AD development environment with a one-way trust.

After the MIM PAM system is deployed, the existing Active Directory will continue to have users and groups added, modified and deleted. However, some of these changes may affect the security of the PAM system. For example, if all the users in a security group were migrated to Just-in-Time privileged access management, and a new user suddenly appears in that group, this may indicate a problem. To provide more visibility, in this update we've added a specialized AD monitoring service to MIM. This monitoring service watches for changes applied to security groups in the existing Active Directory environment. When it detects a change, such as a user being added directly to a group, it writes an event to the event log in the PAM environment, from where it can be retrieved by your organization's security monitoring (SIEM) tools. This makes it easier to monitor your Active Directory efficiently for inadvertent or anomalous changes to administrative access.
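As an added illustration of the kind of check such a service performs (this is an example written for this post, not MIM's monitoring service or code from the MIM team), the following PowerShell sweeps every domain controller's Security log for direct additions to a set of monitored groups and re-raises each hit in a custom event log that a SIEM agent already collects. It also compares each group's current direct membership against an allowed baseline, which catches members that arrived before the sweep window. The group names, the custom log and source names, and the time window are assumed placeholders, not values from the post.

```powershell
# Added example, not part of MIM. Uses only the ActiveDirectory module and the
# standard Security-log audit events that Windows writes for group changes.
Import-Module ActiveDirectory

# Assumed: groups whose administrators were migrated to JIT access and that should
# therefore no longer receive permanent members in the CORP forest.
$MonitoredGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
# Assumed: custom log and source that the SIEM collector is pointed at.
$LogName = 'PAM-Monitor'
$Source  = 'PAM-GroupWatch'

# Windows audits "a member was added to a security-enabled group" as 4728 (global),
# 4732 (domain local) and 4756 (universal). The event is written on the DC where the
# change originated, so every DC has to be queried, not just one.
$MemberAddedIds = 4728, 4732, 4756

function Get-DirectGroupAdds {
    param([string[]]$Groups, [int]$Hours = 1)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName = 'Security'; Id = $MemberAddedIds; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Pull the named EventData fields out of the event XML.
            $d = @{}
            foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            # TargetUserName is the group, MemberName the DN of the added principal,
            # SubjectDomainName\SubjectUserName the account that made the change.
            if ($Groups -contains $d['TargetUserName']) {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Dc     = $dc.HostName
                    Group  = $d['TargetUserName']
                    Member = $d['MemberName']
                    Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Id     = $e.Id
                }
            }
        }
    }
}

function Test-MonitoredGroupMembership {
    # Independent of the audit trail: a group whose admins moved to JIT should be empty
    # (or hold only an explicitly allowed baseline); anything else is a finding.
    param([string[]]$Groups, [hashtable]$AllowedMembers = @{})
    foreach ($g in $Groups) {
        $allowed = @($AllowedMembers[$g])
        foreach ($m in (Get-ADGroupMember -Identity $g)) {   # direct members only
            if ($allowed -notcontains $m.SamAccountName) {
                [pscustomobject]@{ Group = $g; Member = $m.SamAccountName; ObjectClass = $m.objectClass }
            }
        }
    }
}

# Registering the source needs local admin rights; it only has to happen once.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

foreach ($hit in (Get-DirectGroupAdds -Groups $MonitoredGroups)) {
    Write-EventLog -LogName $LogName -Source $Source -EventId 1000 -EntryType Warning -Message (
        "Direct add to monitored group '$($hit.Group)': $($hit.Member) by $($hit.Actor) " +
        "on $($hit.Dc) at $($hit.Time) (Security event $($hit.Id))")
}
foreach ($f in (Test-MonitoredGroupMembership -Groups $MonitoredGroups)) {
    Write-EventLog -LogName $LogName -Source $Source -EventId 1001 -EntryType Warning -Message (
        "Unexpected permanent member in monitored group '$($f.Group)': $($f.Member) ($($f.ObjectClass))")
}
```

Run it on a schedule slightly shorter than the `-Hours` window so no event falls between two sweeps, and run the membership check regardless of the audit trail: group-change auditing can be disabled or the log overwritten, but the current membership is always observable.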

Next, since PowerShell cmdlets are the main tool for interacting with Microsoft Identity Manager in the PAM scenario, this update adds many new and improved PowerShell cmdlets for administering PAM. Type Get-Command -Module MIMPAM to list them!

Finally, we're introducing a new REST API into MIM for the PAM scenario. This lets elevation requests be embedded in your organization's existing tools for administrators, without those tools having to wrap PowerShell or the existing MIM SOAP API. We will also provide a sample portal that demonstrates how this API can be used.

Updates in the Certificate Management (CM) scenario

MIM includes a Modern application that uses a new REST API to enroll virtual smart cards on a Windows 8.1 computer. This update enhances the user experience and adds new scenarios to the Virtual Smartcard Certificate Manager application:

  • Enrolling a virtual smart card
  • Enrolling a software certificate
  • Enrolling for a certificate with server-generated keys (PFX)
  • Enrolling certificates on an existing virtual smart card
  • Recovering a deleted certificate
  • Viewing certificate details (issuer, thumbprint, etc.)

In addition, CM administration has been updated with new performance counters and Windows events, and now allows the privacy and support links that appear in the Windows app to be configured.

Updates in the Password Management Self-Service scenario

With the growth of BYOD (bring your own device) scenarios, we've added new features to MIM to deal with both the password and the account management problems associated with these devices. In one common scenario, a user changes their domain password from a PC, but some time later finds that their account has been locked. This can happen if the user's old password was also stored on one or more mobile devices, which keep retrying logons with that password, for example to synchronize email. Windows Server 2012 R2 added extranet lockout policies to ADFS, but there are still scenarios where a user has been locked out and just wants to unlock their account, without having to change their password or contact the helpdesk.

In this preview refresh we are introducing self-service account unlock (SSAU) as an extension of the existing self-service password reset (SSPR) feature. It uses the existing SSPR gates and configuration, and gives the end user an additional choice: once they have re-verified their identity, they can unlock their account without selecting a new password.
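An unlock on its own does not remove the stale credential that caused the lockout, so the account will lock again on the next sync attempt. As an added example (not part of MIM or of this post), the following PowerShell finds every currently locked-out account, the computer that reported the bad password to the PDC emulator, and which domain controller keeps receiving the failed attempts. It uses only the ActiveDirectory module and the standard 4740 audit event; the lookback window is an assumed default.

```powershell
# Added example, not MIM code. Locate locked-out accounts and trace where the bad
# password is coming from, so the device can be fixed rather than the account unlocked over and over.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param([int]$Hours = 24)   # assumed lookback window

    # Lockouts are always processed by, and audited on, the PDC emulator (event 4740).
    $pdc = (Get-ADDomain).PDCEmulator
    $lockoutEvents = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($acct in (Search-ADAccount -LockedOut -UsersOnly)) {
        $user = Get-ADUser -Identity $acct.DistinguishedName -Properties AccountLockoutTime

        # Most recent 4740 for this account. In its EventData, TargetUserName is the
        # account and TargetDomainName carries the "Caller Computer Name": the machine
        # that forwarded the bad password. For a phone syncing mail via ActiveSync that
        # is the Exchange server, and for a phone behind AD FS it is the AD FS server,
        # not the phone itself; the device is then found in that server's own logs.
        $ev = $lockoutEvents | Where-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            ($d | Where-Object Name -eq 'TargetUserName').'#text' -eq $user.SamAccountName
        } | Sort-Object TimeCreated -Descending | Select-Object -First 1

        $caller = $null
        if ($ev) {
            $caller = (([xml]$ev.ToXml()).Event.EventData.Data |
                       Where-Object Name -eq 'TargetDomainName').'#text'
        }

        [pscustomobject]@{
            SamAccountName     = $user.SamAccountName
            AccountLockoutTime = $user.AccountLockoutTime
            CallerComputer     = $caller
            LockoutEventTime   = if ($ev) { $ev.TimeCreated } else { $null }
        }
    }
}

function Get-BadPasswordCounts {
    # badPwdCount and lastBadPasswordAttempt are not replicated, so each DC must be
    # asked directly; the DC with the climbing count is the one the device talks to.
    param([Parameter(Mandatory)][string]$SamAccountName)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, LastBadPasswordAttempt
        [pscustomobject]@{
            DomainController       = $dc.HostName
            BadPwdCount            = $u.badPwdCount
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        }
    }
}

Get-LockoutSource | Format-Table -AutoSize
# For a specific account:  Get-BadPasswordCounts -SamAccountName 'jdoe' | Format-Table
# After the device has been updated, the unlock itself is what SSAU lets the user do
# without a helpdesk call:  Unlock-ADAccount -Identity 'jdoe'
```

If `CallerComputer` is empty, the lockout happened before the lookback window or the PDC emulator's Security log has already rolled over; widen `-Hours` or rely on the per-DC bad-password counts instead.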
In-place Upgrade

One of the concerns we have heard during the community preview is about the upgrade path from existing FIM 2010 R2 deployments to MIM vNext. Our goal is to make the upgrade experience backward compatible and as smooth as possible.

In this preview update we are adding the ability to upgrade FIM 2010 R2 to MIM vNext. The upgrade is done using the MSI files, as in the past.

In this preview, the in-place upgrade has been tested for the Sync component only.

What's next?

If you're interested in these capabilities for on-premises and private cloud identity management, please download the refreshed preview, follow the Test Lab Guides to try them out, and provide feedback. You can download the refreshed preview from the same Connect site as before; simply:

  • Register at the Connect site and sign in
  • Join the CTP program (or search for "Active Directory Identity and Access Management CTP")
  • Download the documents, product binaries and VMs, and try the scenarios
  • Provide feedback via the Connect feedback form

In addition to trying out the public preview yourself, you can learn more about MIM from this video recorded at TechEd Europe. There will also be more updates at the Microsoft Ignite conference, including Upgrading from FIM to Microsoft Identity Manager and Azure Active Directory. We hope to see you there!

As always, we would love to get any feedback or suggestions you have.

Thank you,

Sharon Laivand