Firstly, let's establish Azure Active Directory (AAD) is used for:
In a nutshell, it allows you to create federated and synchronised contact information between one or many active directory domains with one or many Azure active directory domains.
Here is an example of where you could use federation using AAD Connect. This is part of a wider architecture that allows you to integrate your SCOM monitoring data with Azure Log Analytics in OMS, using multi-factor authentication:
The predecessor to Microsoft Identity Manager is Forefront Identity Manager, known as FIM, and with mainstream support ending in October this year and end of life expected in 2022.
MIM has all the features of FIM plus a few more. Here is a great overview of MIM, which builds on the existing FIM features.
From my own experiences with FIM, MIM and AAD Connect, my thoughts are that it depends on the specific level of control you need.
For example, if you have customised your Active Directory schema heavily and you have apps in your forest that use these customised data items, then you'll likely need more control and flexibility with your on-premise AD to Azure AD data synchronisation settings. Especially if you decide to move or migrate the apps that are utilising the custom meta-data, to the cloud.
Another use-case is if you wish to use one of the inbuilt connectors to help federate between internal systems and AD on-premise. FIM comes with 3 connectors for example:
Microsoft Identity Manager does a great job of allowing you set custom synchronisation rules to provide that level of granularity. This article is based on the FIM sync rules, but still applies to MIM.
Unfortunately, AAD Connect is also a moving target with features being constantly released that make it less feasible to use MIM.
After a bit of digging around to find out the specific use cases, I found this great article on TechNet.
It clearly outlines all the key features that AAD currently support and that FIM supports. As you can see there are many features that are marked in AAD as 'future release'. But at the time of writing the following features were only supported with MIM:
I also found this incredible resource, with outlines very clearly all the architectural patterns that are supported with AAD Connect.
And here are some of the diagrams from the link showing the patterns:
And there you have it. A very quick summary of resources that will help you decide whether to go AAD Connect or MIM for your organisation.
I always recommend the to start with a test setup of AAD Connect and a copy of your on-premise AD and simply identify several different use-case scenarios that you currently encounter.
I think it's most likely that 80% of the time AAD Connect will be enough. The 20% being service providers hosting multiple clients with complex active directory requirements, or companies that have 100's of domains spread across several countries, with connections to internal systems for advanced identity federation.
And yes, some clients really do have 100's of domains…..
Paul Colmer is the lead digital architect ALC Training and Consulting. He is responsible for creating and running all the cloud security courses, which include CCSP, AWS, Azure, Office 365 and cloud foundation certifications. For more information visit: https://www.alctraining.com.au/courses/cloud-computing/
Or engage with Paul on his crazy adventures on twitter: @musiccomposer1 using the hashtag #CCSP
Why nation-state attacks are everyone’s problem
Hear from Invictus Games Sydney 2019 CEO, Patrick Kidd OBE and Head of Technology, @James-d-smith -share their insights on how they partnered with Unisys to protect critical data over an open, public WiFi solution.
With so much change all the time, how can executives best prepare their businesses to meet the security challenges of the coming years? CSO Australia, in conjunction with Mimecast, explored this question in an interactive Webinar that looks at how the threat landscape has evolved – and what we can expect in 2019 and beyond.
An interview with CSO's David Braue and Ian Yip, Chief Technology Officer, McAffee.
According to new research conducted by the Ponemon Institute, Australia and New Zealand have the highest levels of data breaches out of the nine countries investigated. This was linked to heavy investment in security detection and an under-investment in security and vulnerability response capabilities