3-Day Course
Course History and Future Events
- London, U.K. - June 6-8, 2018
- Wheaton, IL, U.S. - September 14-16, 2017
- Reykjavik - September 8, 2017
Overview
This is a three-day educational teardown of a modern Microsoft Identity Manager (MIM) based identity management solution, delivered to customers who have a properly developed MIM solution. It is similar to course A980, which is a deconstruction of a classic Microsoft Identity Manager solution.
This course is included with the SoftwareIDM Operational Services for Microsoft Identity Manager.
Audience
Audience Type 1: This course is provided to customers who want their own solution deconstructed for their identity management team. It is an ideal way of teaching the staff how their MIM solution is architected and developed.
Audience Type 2: This course is provided to companies and professionals who want to deconstruct a properly assembled but complex model Microsoft Identity Manager solution.
Delivered Securely
We train companies and governments on their custom MIM solution built, tested, and monitored using Identity Panel, MIM DevTest, MIM Rule Extensions, PowerShell extensions, Uplift, and Portal Rules. When course M981 is applied to a specific customer, the course is delivered securely, with only the customer and approved third parties present (i.e. their integrator or consultants).
Benefits
Too many companies run a highly complex identity lifecycle system but lack the internal knowledge to fully support and develop the solution. Even a third party can't help if they don't know the solution any better than the customer does. That is where SoftwareIDM comes in. By deconstructing your solution in a classroom, students learn not only the underlying technology, but how it is configured and operating at your organization.
Organizations can also learn from our teardown systems. These are MIM solutions modeled after other organizations' deployments, using modern MIM architecture and development methods. They allow students to understand further how MIM operates securely and quickly in the real world. Each student will walk away with improvements they can make to their own customer's or employer's MIM solution.
Companies benefit financially when employees understand the systems they are supporting. We are often asked to quantify this amount. We have observed that a well-informed team can be at least 30% more productive. For a trained three-person team, at $200K total cost per team member per year, this can amount to as much as $180K p.a.
Instructors
Peter Sidebotham and Todd Mollerup have been developing MIM solutions for the Fortune 500 for 15 years. They are also the people behind the Identity Panel suite of products.
Your instructors, Peter Sidebotham, MCPD, Todd Mollerup, MCSE, MCSD
Course Outline
Determine Current State
For any existing MIM environment we recommend you start by collating the following:
For sites where the MIM Sync Service is installed (almost all of them):
- MIM Sync Server config (exported from your MIM Sync service)
For sites where the MIM Service/Portal is installed (not everyone has this):
- MIM Service Schema and Policy exports
- Output from microsoft/MIMConfigDocumenter on GitHub, specifically a DIFF report comparing the above XML config files to the baseline configuration version 4.4.1459.0 (supplied with the tool; this precedes the default BHOLD policy, so expect some "noise" in the report)
Note that, as per the tool's guidance, you will need to specify the reportType parameter to suit your environment:
- SyncOnly for only a MIM Synchronization Engine
- ServiceOnly for only the MIM Service and Portal
- SyncAndService for both
And in all cases:
- Output from the Identity Panel As-built Documenter (if Identity Panel is already deployed)
- Any rules extension and custom workflow libraries presently in use (obtain the source code if you can)
- Any operations scripts and configuration files
- A report of the latest MIM Sync errors and failed requests
- An estimate of the total number of connectors and disconnectors per MA
- An indication of any MA that may be present but no longer operational, or perhaps only partially operational
Then, if you have Identity Panel already deployed, add to this the exported JSON of the configuration (Settings / Settings History / Download All Current Settings).
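As an added example (this is not SoftwareIDM's code and does not appear on the original page), the collation steps above can be scripted in Windows PowerShell on the MIM servers. It assumes the default MIM Sync install paths, that the FIMAutomation snap-in is available wherever the MIM Service is installed, and an arbitrary output folder; the MIMConfigDocumenter run itself is left to that tool's own invoke script, which you point at the exported XML files with the reportType that matches what was exported.

```powershell
# Added example: build a "current state" bundle for an existing MIM environment.
# Assumptions (not from the page): default MIM Sync install paths, FIMAutomation
# snap-in present on the MIM Service server, and the output folder name below.
# Uses Get-WmiObject, so run it in Windows PowerShell 5.1 on the MIM Sync server.
param(
    [string]$OutRoot       = "C:\MIM-CurrentState",
    [string]$SyncBin       = "$env:ProgramFiles\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin",
    [string]$ExtensionsDir = "$env:ProgramFiles\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions"
)

$stamp  = Get-Date -Format "yyyyMMdd-HHmm"
$outDir = Join-Path $OutRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. MIM Sync server configuration. svrexport.exe ships in the Sync Service Bin
#    folder and writes the server/MA XML files into the folder you give it.
$syncDir = Join-Path $outDir "SyncConfig"
New-Item -ItemType Directory -Path $syncDir -Force | Out-Null
& (Join-Path $SyncBin "svrexport.exe") $syncDir

# 2. Per-MA connector/disconnector counts, latest error counts and last run
#    status from the MIIS WMI provider. Each WMI method returns its result as
#    a string in .ReturnValue.
$maReport = Get-WmiObject -Namespace "root\MicrosoftIdentityIntegrationServer" -Class MIIS_ManagementAgent |
    ForEach-Object {
        [pscustomobject]@{
            ManagementAgent = $_.Name
            Type            = $_.Type
            Connectors      = [int]$_.NumConnectors().ReturnValue
            Disconnectors   = [int]$_.NumDisconnectors().ReturnValue
            ImportErrors    = [int]$_.NumImportErrors().ReturnValue
            ExportErrors    = [int]$_.NumExportErrors().ReturnValue
            LastRunStatus   = $_.RunStatus().ReturnValue
            LastRunEnd      = $_.RunEndTime().ReturnValue
        }
    }
$maReport | Export-Csv -Path (Join-Path $outDir "ma-summary.csv") -NoTypeInformation

# MAs with no completed run, or whose last run did not succeed, are the first
# candidates for the "present but no longer (fully) operational" list.
$maReport |
    Where-Object { [string]::IsNullOrEmpty($_.LastRunEnd) -or $_.LastRunStatus -ne "success" } |
    Export-Csv -Path (Join-Path $outDir "ma-suspect.csv") -NoTypeInformation

# 3. Rules extension / custom workflow assemblies actually deployed. Hashing them
#    lets you later check that any source code you obtain matches what is running.
Get-ChildItem -Path $ExtensionsDir -Filter *.dll -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $outDir "extensions-sha256.csv") -NoTypeInformation

# 4. MIM Service schema and policy exports, only where the MIM Service is installed.
#    These are the XML files the MIMConfigDocumenter DIFF report consumes.
if (Get-PSSnapin -Registered -Name FIMAutomation -ErrorAction SilentlyContinue) {
    Add-PSSnapin FIMAutomation -ErrorAction Stop
    Export-FIMConfig -schemaConfig -allLocales | ConvertFrom-FIMResource -file (Join-Path $outDir "schema.xml")
    Export-FIMConfig -policyConfig -allLocales | ConvertFrom-FIMResource -file (Join-Path $outDir "policy.xml")
} else {
    Write-Warning "FIMAutomation snap-in not registered here; run the schema/policy export on the MIM Service server."
}

Write-Host "Current-state bundle written to $outDir"
```

The bundle folder is what you hand to the documenter: point it at SyncConfig only (SyncOnly), at schema.xml/policy.xml only (ServiceOnly), or at both (SyncAndService). Keep the SHA-256 list of deployed extension DLLs with the bundle; when the integrator later supplies source, rebuilding it and comparing hashes is the only reliable way to know the code you are reading is the code that is running.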
Next Steps
Determine Projected State
Having assessed your maturity, you now know what a successful HyperSync implementation looks like. Are you able to articulate a clear set of numbered requirements against which you can measure success? From experience, it is generally unwise to assume that your current MIM solution, once coupled with HyperSync, must already be meeting whatever those requirements are, and that you therefore don't need to worry. This is especially true if your MIM solution has been in place for a number of years, most likely since before Zero Trust was a concept.
A better approach instead is to take the time to come up with a list of functional and non-functional requirements, then take a critical look at exactly how well they are being met by your current MIM platform (with or without Identity Panel).
No two MIM implementations are ever the same, because everyone's IAM needs are different, or at least expressed in a different way. However, at SoftwareIDM we've developed the SoftwareIDM Patterns and Practices Toolkit, which we believe represents the most common requirements broken out into a hierarchy under broad joiner/mover/leaver (JML) categories, along with operational considerations. Using the Toolkit you can cross-reference your own numbered requirements against them and, in some cases, inspect the HyperSync implementation patterns that we believe provide the soundest approach to implementation.
This approach means that what could otherwise lead to the inevitable "analysis paralysis" instead becomes a straightforward correlation exercise. As a result you will understand what degree of overlap you have with our pattern library, disregarding the things you don't need, or adding new things of your own.
Take care at this stage not to dismiss any requirement as invalid; it is far better to raise it with us or with our experienced IAM solutions partners. It may be as simple as identifying an extra Entra feature to consider, or applying some other infrastructure or technology that you may already have in a slightly different way. At the very least, mark it as out of scope for the time being.
The above will help us prioritize, quantify and scope the work effort required.
Phased Migration
One of the benefits of the Identity Panel Suite is that it allows a phased implementation instead of forcing you into a "big bang" style transition. Regardless, the platform also provides you with an Operational and Migration Safeguard to ensure your transition is clean, and any outage is minimized.
Based on experience, a typical HyperSync Migration approach would look something like the following (simplified for one Non-production and one Production operational environment):
Implement Identity Panel (IdP)
If not already present, we believe overlaying Identity Panel (IdP) on your existing MIM platform is the obvious first step, with immediate benefits. The implementation steps are:
- Purchase licenses from SoftwareIDM (including the new Azure Marketplace option)
- Read the product documentation relating to the deployment, including:
  - Install and Configure MIM Test (SoftwareIDM, identitypanel.com). Test Panel for MIM is the key to a successful migration.
  - Configure Panel Service for use with a GMSA (SoftwareIDM, identitypanel.com)
- Configure tenant to host Identity Panel (preferred) or configure hosting server virtual infrastructure (incl. certificates, firewall rules, service accounts), for all environments including non-Production (at least one) and Production
- Implement MIM and/or AAD Connect Providers (non-production), plus any other relevant providers (e.g. Workday, ServiceNow, Salesforce, etc.)
- Implement Join rules for all Providers (MIM and/or AAD Connect at a minimum) to enable Time Traveler and audit change history prior to migration across entire identity landscape
- Streamline configuration migration using global environment settings and changes history
- Configure Identity Panel for MIM operations with built-in dashboards, scheduling (with optional thresholds) and pending changes reporting
- Implement extensions for Health Checks
- Configure Test Panel for automated regression testing and automated deployments (optional)
- Configure Service Panel for custom forms to assist in the transition (optional)
- Export configuration and deploy (inactive) to Production, updating imported environment variables to match
- Bring Production configuration online and decommission existing MIM operations (e.g. scripts, Task Scheduler, etc.)
Generate your initial HyperSync configuration
(New) An Automated Conversion from MIM to HyperSync option is now available to avoid the initial "heavy lifting" exercise that would otherwise be required at this point. It creates an initial draft configuration which you then complete manually (e.g. coding of the generated Custom Rule Functions) with the aid of the generated As-Built documentation.
Implement HyperSync Panel (Inbound)
Configure HyperSync side-by-side with MIM Synchronization to achieve rule convergence (Non-production):
- Hyperverse schema to match your MIM Metaverse schema (to drive inbound convergence)
- Add a Provider for each system connected to MIM via a Management Agent
- Configure join rules for each new Provider
- Inbound attribute Flow rules and rule sets, with custom functions and rule precedence for each of the following:
- Each MIM Management Agent to be migrated
- MIM Service Management Agent
- Any additional contributing sources (e.g. Azure for M365 group membership)
- Stateful sync rules and rule sets (can be initially disabled and progressively brought online)
Implement HyperSync Panel (Outbound)
Extend HyperSync side-by-side with MIM Synchronization to achieve rule convergence (Non-production):
- Outbound attribute Flow rules, workflows and rule sets, with custom functions and rule precedence (initially disabled, for progressively bringing online)
- Enable HyperSync outbound rule sets in SIMULATION MODE
- Design operations schedules
- Disable MIM outbound attribute flows
- Run the HyperSync Actions Report (filtered on Simulation Mode only)
- Refine rules/rerun until rule convergence (no net changes pending)
- Design and execute regression Test Cases (optional)
- Simulate and commit selected identity outbound flows individually
- Set global Simulation Mode prior to migration
- Export configuration
- Update GIT repository (best practice)
Migrate configuration to Production
Deploy the Identity Panel settings sections in the following sequence:
1. Environment Settings
2. Providers Settings (depends on #1 Environment)
3. Extensions Settings (depends on #2 Providers)
4. Join Rules Settings (depends on #2 Providers). Run data scans ONLY after this step!
5. Dashboards Settings
6. Email (Panel Service) Settings
7. Security Settings
8. Extensions Settings
9. HyperSync Panel Settings. After import, immediately go to HyperSync Panel Settings and confirm "Simulation Mode" is ON (bottom right of the section).
10. Reports Settings
11. Schedules Settings
12. Service Panel Settings
13. Test Panel Suite Settings
Initial Data Load and Synchronization
- Perform schema scans with each directory provider
- Edit partition selections
- Set Condition Rules
- Perform data scans of each provider with Panel Tool
- Use Time Traveler to validate joined data
Verify and Enable HyperSync (go-live part #1)
- Enable import rules for HyperSync and perform full syncs to populate the Hyperverse
- Enable Export Preview and preview selected accounts to verify pending exports/operations
- Confirm Global Simulation Mode is enabled (checkbox ON/CHECKED; it should already be ON from the post-import check) and run a full synchronization
- Run the HyperSync Actions Report (filtered on Simulation Mode only) to verify pending exports/operations
- Make configuration edits as needed
- Refine and rerun the report as often as needed until convergence is achieved
- Preview Commit Changes for selected accounts to verify exports/stateful provisioning
- Provide heightened support
- Generate documentation, such as:
  - As Built
  - Operations Guide
- Deliver training
Migrate MIM Portal Functionality - Custom Forms
- Design Service Panel dashboards and forms, with projected datasets from Identity Panel (Non-production)
- Implement workflows and any HyperSync actions (e.g. direct updates to Hyperverse, including any required auxiliary attributes - see selected patterns from the Toolkit)
- Identify MIM Policy for obsoletion
- Design and execute regression Test Cases (optional)
- Export configuration
- Update GIT repository (best practice)
- Deploy to Production (details to be prepared separately)
- Obsolete superseded MIM policy
- Update documentation and provide training
Migrate MIM Portal Functionality - Access Governance (IGA)
- Design Access Panel dashboards and forms (Non-production)
- Implement Access Panel, including any user, group and other resource mappings
- Identify MIM Policy for obsoletion
- Design and execute regression Test Cases (optional)
- Export configuration
- Update GIT repository (best practice)
- Deploy to Production (details to be prepared separately)
- Obsolete superseded MIM policy
- Update documentation and provide training
Be sure to practice and refine the above process with your own environment before your own go-live, as there are invariably going to be additional steps that will be unique for you.