Grafvision - Fotolia


Features and benefits of Microsoft Identity Manager 2016

Microsoft Identity Manager 2016 eases synchronization between identities on-premises and in the cloud while allowing admins to monitor user behavior.

This year is shaping up to be the year of identity synchronization. With small and medium-sized businesses moving...

wholesale to the cloud, and other businesses running certain workloads in the cloud while maintaining apps on premises, administrators struggle to synchronize user names and passwords. So, how do you make sure users have one identity that applies everywhere and is managed properly over the entire employee lifecycle?

In Azure cloud, administrators can use Microsoft Identity Manager 2016. This latest version is aimed to fully manage the synchronization of identities between your existing on-premises Active Directory forest and an Azure Active Directory instance. It improves users' ability to solve problems with items like self-service password management, dynamic group membership, which enables users to add and remove themselves and others from specific security groups -- subject to delegation by the forest administrator or his or her designee -- and easier certificate management (if that's possible). Finally, Microsoft Identity Manager 2016 enables reporting and auditing so admins can see who is doing what, what service they're using and in which environment they're working.

Identity Manager capabilities

The secret sauce to Identity Manager 2016 is in the connections. The tool links up two directories, so one user can have one account that lives in both places; changes are automatically synchronized. Identity Manager is even more extensible than on-premises Active Directory because it works with SAML and other federation technologies to provide single sign-on and authorization capabilities to lots of apps -- even third-party services such as DocuSign, contract signing service and Salesforce.

Of course, all of the plumbing that worked in the product's predecessor -- Forefront Identity Manager 2010 R2 -- still works, allowing admins to automate the creation of Windows accounts as well as others. And you get very useful monitoring so that you can set up SID history audits, for example, to detect nefarious activity. Admins can also set up active watches over very privileged and sensitive group memberships to see if people are somehow adding themselves to administrator groups without permission.

Identity Manager 2016 also works with new features in Windows Server 2016, such as time-limited group memberships. It also includes several new PowerShell cmdlets. A portion of that new PowerShell support includes the Just Enough Administration model, or JitJea, which exposes just enough rights at just the right moment to get something done before taking them away. JitJea can protect against compromised user accounts and other malware.

Microsoft put a lot of work into interoperability; Identity Manager 2016 is plumbed throughout with RESTful APIs that make it easy for third parties -- in either script or app form -- to call the tool to perform identity management tasks like adding authorizations, handling memberships and more. Identity Manager also works with other applications such as Oracle and PeopleSoft, as well as standards-based authentication utilities like PAM on Linux and Unix. The product is well versed in both on-premises and cloud technologies.

Availability, pricing and licensing

Identity Manager 2016 is licensed with user client access licenses; admins can also get an entitlement to IM 2016 by purchasing the Enterprise Mobility Suite. The suite includes Azure Active Directory Premium, Azure Rights Management to secure data within your borders, and Microsoft Intune for managing Windows devices and non-domain joined machines from a central, cloud-based console.

On the server side, shops need a Windows Server license with Software Assurance -- the subscription piece that gives additional rights and covers updates within one or two years of your original license agreement date -- to install the connector piece that Identity Manager 2016 requires. Several companies have Windows Server licenses, but making Software Assurance a requirement, as it's sometimes a 30% to 60% premium over the license, might put Identity Manager 2016 out of reach for some shops.

Identity Manager 2016 is generally available and ready for download from Microsoft.  A deployment toolkit should be available later this year to help deploy IM 2016 in a secure way using a guided template.

Next Steps

Fill the identity management void with these SaaS tools

Manage user identity and access with Azure Active Directory

Prepare for Active Directory in the cloud

Dig Deeper on Microsoft Azure cloud services