Microsoft Identity Manager 2016 Handbook
Table of Contents
Microsoft Identity Manager 2016 Handbook
Credits
About the Authors
About the Reviewers
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Instant updates on new Packt books
Preface
The story in this book
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
1. Overview of Microsoft Identity Manager 2016
The Financial Company
The challenges
Provisioning of users
The identity life cycle procedures
Highly privileged accounts (HPA)
Password management
Traceability
The environment
Moving forward
The history of Microsoft Identity 2016
Components at a glance
MIM Synchronization Service
MIM Portal and Service
MIM Certificate Management
Role-Based Access Control (RBAC) with BHOLD
MIM Reporting
Privilege Access Management
Licensing
Summary
2. Installation
Capacity planning
Separating roles
Databases
MIM features
Hardware
Installation order
Prerequisites
Databases
Collation and languages
SQL aliases
SQL
SCSM
Web servers
MIM Portal
MIM password reset
MIM Certificate Management
MIM Service accounts and groups
The Kerberos configuration
SETSPN
Delegation
Installation
The MIM Synchronization service
The System Center Service Manager console
SharePoint Foundation
The MIM service and the MIM portal
The MIM Password Reset portal
MIM certificate management
SCSM management
SCSM Data Warehouse
Post-installation configuration
Granting the MIM service access to MIM Sync
Securing the MIM Service mailbox
Disabling indexing in SharePoint
Redirecting to IdentityManagement
Enforcing Kerberos
Editing binding in IIS for MIM Password sites
Registering the SCSM manager in data warehouse
MIM post-install scripts for data warehouse
Summary
3. MIM Sync Configuration
MIM Synchronization interface
Creating Management Agents
Active Directory
Least-privileged approach
Directory replication
Password reset
Creating AD MA
HR (SQL Server)
Creating an SQL MA
Creating a rules extension
The Metaverse rules extension
Indexing Metaverse attributes
Creating run profiles
Single or multi step
Schema management
MIM Sync versus MIM Service schema
Object deletion in MV
Initial load versus scheduled runs
Maintenance mode for production
Disabling maintenance mode
Summary
4. MIM Service Configuration
MIM Service request processing
The management policy
Service partitions
Included authentication, authorization, and action activities
Authentication activities
Authorization activities
Action activities
The MIM Service Management Agent
The MIM Service MA
Creating the FIM Service MA
The MIM MA filtering accounts
Understanding the portal and UI
Portal configuration
The navigation bar resource
Search scopes
Filter permissions
Resource Control Display Configurations
Custom activities development
Summary
5. User Management
Additional sync engine information
Portal MPRs for user management
Configuring sets for user management
Inbound synchronization rules
Outbound synchronization rules
Outbound Synchronization Policy
Outbound System Scoping Filter
Detected Rule Entry
Provisioning
Non-declarative provisioning
Managing users in a phone system
Managing users in Active Directory
The userAccountControl attribute
Provisioning users to Active Directory
Synchronization rule
Creating the set
Setting up the workflow
Creating the MPR
Inbound synchronization from AD
Temporal sets
Self-service using MIM Portal
Managers can see direct reports
Allowing users to manage their own attributes
Managing Exchange
Exchange 2007
Exchange 2010 and later
Synchronization rules for Exchange
Mailbox users
Mail-enabled users
More considerations
Summary
6. Group Management
Group scope and types
Active Directory
Group scope and type in MIM
Type
Scope
Member selection
Manual groups
Manager-based groups
Criteria-based groups
Modifying MPRs for group management
Managing groups in AD
Security and distribution groups
Synchronization rule
Installing client add-ins
Add-ins and extensions
Creating and managing distribution groups
Summary
7. Role-Based Access Control with BHOLD
Role-based access control
BHOLD role model objects
Organizational units
Users
Roles
Permissions
Applications
Other advanced features
Installation
BHOLD Core and other components
MIM/FIM Integration install
Patching
Access Management Connector
Creating the ODBC connection file
Creating the generic SQL connector for the BHOLD orgunit
Creating run profiles
Creating a BHOLD connector and sync rules
MIM/FIM Integration
Attestation
Reporting
Summary
8. Reducing Threats with PAM
Why deploy PAM?
PAM components
How does it work?
System requirements
Considerations
Our scenario
Preparing TFC
Preparing PRIV
Preparing the PAM server
Installing PAM
Installing PAM PowerShell cmdlets
DNS, trust, and permissions
Privileged groups, users, and roles
User experience
PAM in the MIM service
The sample PAM portal
Multi-factor authentication
Summary
9. Password Management
SSPR background
QA versus OTP
Installing self-service password reset
Enabling password management in AD
Allowing MIM Service to set passwords
Configuring MIM Service
Password Reset Users Set
Password Reset AuthN workflow
Configuring the QA gate
The OTP gate
The Phone gate
Require re-registration
SSPR MPRs
The SSPR user experience
SSPR lockout
Password synchronization
Password Change Notification Service
Summary
10. Overview of Certificate Management
What is certificate management?
Certificate management components
Certificate management agents
The certificate management permission model
Creating service accounts
Service Connection Point
The Active Directory extended permissions
The certificate templates permission
The profile template permission
The management policy permission
The software management policy
The smart card management policy
Summary
11. Installation and the Client Side of Certificate Management
Installation and configuration
Extending the schema
The configuration wizard
Creating certificate templates for MIM CM service accounts
The MIM CM User Agent certificate template
The MIM CM Enrollment Agent certificate template
The MIM CM Key Recovery Agent certificate template
Enabling the templates
Require SSL on the CM portal
Kerberos… oh, what a world!
Running the wizard
Backup certificates
Rerunning the wizard
The accounts
The database
Configuring the MIM CM Update service
Database permissions
Configuring the CA
Installing the MIM CM CA files
Configuring the Policy Module
Certificate management clients
Installing the MIM CM client
Modern App deployment and configuration
Configuration and deployment
Summary
12. Certificate Management Scenarios
Modern app and TPM virtual smart card
Creating a certificate template
Creating the profile
Testing the scenario
Using support for Non-MIM CM
Creating the software certificate
Creating the profile
Testing the scenario
Multiforest configuration
Step 1 – CM DNS setup
Step 2 – CM domain trust and configuration
Step 3 – CM forest configuration
Step 4 – CM enrollment configuration
ADFS configuration
Step 1 – the CM installation and prerequisites
Step 2 – the configuration wizard
Step 3 – continued configuration
Step 4 – the final test
Models at a glance
The centralized management model
The self-service model
The manager-initiated model
Summary
13. Reporting
Verifying the SCSM setup
Synchronizing data from MIM to SCSM
Default reports
The SCSM ETL process
Looking at reports
Allowing users to read reports
Modifying reports
Hybrid reporting in Azure
Summary
14. Troubleshooting
The basics
Operation statistics
A simple data problem
Rule extension debugging and logging
Rule extension logging
MIM service request failures
Debugging a custom activity
Increasing application logging
Password change notification service
Summary
15. Operations and Best Practices
Expectations versus reality
Automating run profiles
Best practices concepts
Backup and restore
Backing up the synchronization encryption key
Restoring the MIM synchronization DB
Restoring the MIM service DB and portal
Additional backup considerations
Operational health
Database maintenance
SQL best practices
MIM synchronization best practices
MIM portal best practices
Other best practices
Summary
Index