Friday, March 31, 2017
Open Source: Review of MIMTools
JefTek created a niche hybrid tool that tackles a few pieces of the sync and service puzzle in a way that none of the others do.
One notable one for sync: Get and Export MIM Deltas to CSV (based on a drop file, either stop and drop or the audit log dropped during the export).
It is great for setting up SharePoint and the Kerberos authentication to it.
While it doesn't do all that IS4U-FIM-PowerShell (see my review) does, or Lithnet resourcemanagement-powershell or Lithnet-miis-powershell (see my review), or even the FIM PowerShell Module (see my review), it fills a small niche that none of the rest of them do. This is a solid contribution!
Open Source: Review of FIM 2010 PowerShell Cmdlets
Gil Kirkpatrick (a great guy, fellow MVP, who has taught me a lot over the years) created one of the very first, if not the first, PowerShell commandlet libraries to manage the FIM/MIM Service. It hasn't had any activity in years, but it served as a great example to get others going.
If you like this simple approach you could check out Adam Weigert's PowerShell for FIM 2010 (see my review).
I recommend IS4U-FIM-PowerShell (see my review); this is what I use. But I also recommend Lithnet resourcemanagement-powershell (see my review).
Open Source: Review of IS4U-FIM-PowerShell
Wim Beck's IS4U-FIM-PowerShell is a great example of open source, in that he has built on top of the FIM PowerShell Module (see my review). This is what Open Source is about, building upon each other's contributions to make great stuff!
When I looked at it in Dec 2016 I almost dismissed it since it lacked a wiki, but since then Wim has added a lot of pages. They still lack examples; I plan on pitching in to help out with that by adding some examples to my fork and then asking Wim to pull it in.
Some of the commandlets don't do a good job of robust validation of parameters. That is another area that could use some community involvement.
For me the approach of having commandlets focused around different object types allows for a natural and better validation of the data you need to create, update and delete objects in the FIM/MIM service.
One great example of building on things is the New-ObjectTypeConfiguration commandlet, which creates the object type in the schema, the attributes, the bindings, an MPR for permissions, a search scope, and a navbar element, and updates the sync filter. Awesome!
I also love the RCDC commandlets. Test-RCDCConfiguration just does a simple test against the XSD, which you can set up Visual Studio to do for you, but this allows you to test it programmatically after making programmatic changes to an RCDC object before you upload it. I did feel the need to extend this and added a function to back up the RCDC and another to back up all of the RCDCs. I will add those to my fork when I get the chance.
I use this module and it saves me a lot of time. I am glad to see Wim continuing to work on it, smoothing out the rough edges.
I can see how some might prefer the config file approach of Ryan Newington's Lithnet resourcemanagement-powershell (see my review), which I also recommend.
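The pre-upload schema check described above for RCDC objects, as an added example (not code from IS4U-FIM-PowerShell or from this post): the hypothetical helper Test-XmlAgainstXsd validates an in-memory XML document against an XSD with DTDs and external resolution turned off. The schema and the three documents are constructed stand-ins, not the real RCDC XSD.

```powershell
# Added example. Test-XmlAgainstXsd is a hypothetical helper, not an IS4U cmdlet.
function Test-XmlAgainstXsd {
    param(
        [Parameter(Mandatory = $true)] [string] $Xml,
        [Parameter(Mandatory = $true)] [string] $Xsd
    )
    $problems  = New-Object 'System.Collections.Generic.List[string]'
    $xsdReader = New-Object System.IO.StringReader -ArgumentList $Xsd
    $schema    = [System.Xml.Schema.XmlSchema]::Read($xsdReader, $null)

    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ValidationType = [System.Xml.ValidationType]::Schema
    $settings.DtdProcessing  = [System.Xml.DtdProcessing]::Prohibit  # reject any DOCTYPE
    $settings.XmlResolver    = $null                                 # never fetch external resources
    # An undeclared root element is only a warning by default, so report warnings too.
    $flags = [System.Xml.Schema.XmlSchemaValidationFlags]
    $settings.ValidationFlags = $settings.ValidationFlags -bor $flags::ReportValidationWarnings
    [void] $settings.Schemas.Add($schema)
    $settings.add_ValidationEventHandler({
        param($source, $e)
        $problems.Add(('{0} at line {1}: {2}' -f $e.Severity, $e.Exception.LineNumber, $e.Message))
    }.GetNewClosure())

    $xmlReader = New-Object System.IO.StringReader -ArgumentList $Xml
    $reader    = [System.Xml.XmlReader]::Create($xmlReader, $settings)
    try { while ($reader.Read()) { } }   # validation events fire while reading
    catch { $problems.Add("Rejected by the parser: $($_.Exception.Message)") }
    finally { $reader.Close() }
    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed stand-in schema: a Panel holding Control elements that must carry a Name.
$xsd = @'
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="Panel">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Control" maxOccurs="unbounded">
          <xs:complexType>
            <xs:attribute name="Name" type="xs:string" use="required"/>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
'@
$good = '<Panel><Control Name="FirstName"/></Panel>'
$bad  = '<Panel><Control/><Extra/></Panel>'                 # missing Name, unexpected element
$dtd  = '<!DOCTYPE Panel><Panel><Control Name="A"/></Panel>' # DOCTYPE is refused outright
foreach ($doc in $good, $bad, $dtd) {
    $result = Test-XmlAgainstXsd -Xml $doc -Xsd $xsd
    '{0,-5} {1}' -f $result.IsValid, ($result.Problems -join ' | ')
}
```

Gating an upload on IsValid keeps a malformed configuration object out of the service, and the Problems list gives the line to fix.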
Open Source: Review of Lithnet
Ryan Newington's Lithnet consists of several items:
- miis-powershell
- resourcemanagement-powershell
- resourcemanagement-webservice
- googleapps-managementagent
- acma: "Codeless business rules engine for FIM/MIM"
- umare: "Codeless data transform engine for FIM/MIM"
I will only review the items I know
Managing Sync
miis-powershell is amazing; it can do almost everything you can do through the UI, for example Clear-FullSyncWarning, and it has a great wiki. Gotta have it!
It wraps WMI calls, existing PowerShell modules, executables and sync client UI to interact with FIM/MIM Sync.
My WishList
- Turn on and off Sync Rule Provisioning
- Export Sync Server Config
Managing Service
I know many people love Ryan's approach with Lithnet resourcemanagement-powershell as it enables you to interact with the FIM/MIM Service in great ways. My big downside is that you just about have to learn a new language, the Config Management XML, to use this most effectively. But when you do you can have every piece of FIM/MIM Service under source code control. Ike Ugochuku (recent MVP -- congrats!) has a nice video intro.
So while I use Wim Beck's IS4U-FIM-PowerShell (Check out my review of IS4U-FIM-PowerShell) I can wholeheartedly concur with others' recommendations that this is worthwhile!
Simplifying the Service
The Resourcemanagement-WebService is not something I have used, but as one of the first beta users of the SOAP/WCF endpoint back in ILM 2 Beta 2 days I can really appreciate the notion of a simplified, RESTful interface that returns JSON instead of bloated XML. Good work!
The other pieces will have to wait for another time.
Open Source: Review of PowerShell for FIM 2010
PowerShell for FIM 2010 by Adam Weigert consists of three parts but I further break the last into two:
- Management Agent (MA) and Metaverse (MV) Extensions that let you run PowerShell scripts as your extensions
- A Workflow Activity
- A PowerShell module
  - Managing Sync
  - Managing Service
Management Agent (MA) and Metaverse (MV) Extensions
The work done to enable you to write PowerShell scripts to be MA and MV extensions is crazy brilliant. However, I suspect (I haven't tested) that large installations should shy away from this, as compiled C# and VB.NET code tends to run orders of magnitude faster than PowerShell scripts. Perhaps someone else knows a way to make it more comparable in performance. I can see some smaller shops taking advantage of this as they don't need to worry about performance in the Sync Engine.
Workflow Activity
The workflow activity (see my review of a bunch of open source Workflow activities) was good in its time but like most has been surpassed by the excellent MIMWAL.
Managing Sync
Similar to the FIM PowerShell Module you can get an MA's status, start it, and get the run history. It does go beyond that by allowing you to clear the run history and stop an MA. However, all of these features are covered in Ryan Newington's Lithnet-Miis-PowerShell (see my review on Lithnet). This library is good but I recommend using the FIM PowerShell Module and Lithnet-Miis-PowerShell.
Managing Service
This library has a nice simple model for creating, updating and deleting FIM/MIM resources. It is easier to use than FIM 2010 PowerShell Cmdlets. However, the simple model doesn't add lots of intelligence to help you with creating and managing the various resource types.
This may indeed be the approach you want.
I prefer IS4U-FIM-PowerShell (Check out my review of IS4U-FIM-PowerShell).
I can see how others would prefer Lithnet resourcemanagement-powershell (see my review).
Here is an incomplete example from my notes:
    # Incomplete: the ManagementPolicyRuleType and ActionType values are left blank
    New-FIMResource -ObjectType 'ManagementPolicyRule' -Set @{
        DisplayName = 'Users Can Edit Preferred Names with Approval';
        Description = 'Users can edit preferred names with their managers approval which are then used to calculate their new displayname';
        PrincipalSetID = $Principalset;
        GrantRight = $True;
        ManagementPolicyRuleType = '';
        AuthwfID = $AuthWFID;
        ActionWfID = $ActionWfID;
        Disabled = $false;
    } -Add @{
        ActionParameter = @('PreferredLastName', 'PreferredFirstName');
        ActionType = @('', '')
    } | Set-FIMResource
Open Source: Review of FIM PowerShell Module
The FIM PowerShell Module (started by Craig Martin and now updated most frequently by Brian Desmond) is a great set of commandlets that help you to automate interactions with FIM Service and FIM Sync Service.
Managing Sync
This library is great for automating tests. This library and Ryan Newington's Lithnet-Miis-PowerShell (see my review on Lithnet) are very complementary. You can retrieve CS Objects, Run History, start an MA.
I found that the most interesting Sync related Cmdlets are the
- Assert-CSAttribute, which you use to do automated test checking and
- Create-ImportfileFromCSEntry, which you can use to take a CSEntry and make a drop file as a way to fake connections to the connected system, so you can run an export and then a confirming import
Other cmdlets not covered by Lithnet
- Get-FimRegistryKey
- Get-FimSyncPath
- Get-ImportAttributeFlow
- Get-ExportAttributeFlow
- Join-ImportToExportAttributeFlow
- Get-MetaverseSchema
For documentation purposes the Get-*AttributeFlow commandlets are amazing. I can't believe I ever implemented FIM or MIM without them. You can use them to generate a view of the end-to-end flow of attributes.
I felt cool when I got to apply some code from Joe Zamora and a couple fixes of my own to solve these issues:
Brian Desmond was kind enough to perform the commits.
Managing MIM Service
These PowerShell commandlets tend to be very robust with lots of great error checking. They are great for creating objects in the FIM/MIM Service. They do lack commandlets for updating and deleting specific objects, but that can still be handled with the New-FIMImportObject and New-FIMImportChange commandlets.
I also found that while many commandlets have a $uri parameter that should allow you to call the cmdlets and affect a remote installation, some of the underlying commandlets don't implement this consistently and expect a local instance of the Service.
This library provides a great foundation upon which Wim Beck built IS4U-FIM-PowerShell (Check out my review of IS4U-FIM-PowerShell). I recommend that library (plus this one) or Ryan Newington's Lithnet resourcemanagement-powershell (see my review).
Wednesday, March 29, 2017
Speaking at Cloud Identity Summit 2017
I am excited to announce that I will be speaking at the Cloud Identity Summit 2017 in Chicago in June.
I will discuss How Identity Management (Employee and Consumer) affects the bottom line.
Is MIM dead? Not yet!
From time to time I hear people wonder if MIM is dead.
Why do people ask?
- They don't feel like they have heard a good road map recently
- They aren't seeing the improvements they hoped for
- They aren't paying attention to the actions of the product group
Why do I say it isn't dead yet?
- While cloud identity is the future, we are and will be in hybrid identity for a long time, and MIM is Microsoft's key component to that.
- I look at the product group's investments -- while of course they continue to enhance the cloud-based capabilities of Azure AD, they also continue to fix and enhance MIM
  - With MIM they added Privileged Account Management -- Aug 2015
  - Hotfix in Dec 2015
  - Hotfix April 2016
  - Hotfix July 2016
  - SP1 in Oct 2016 (but use the hotfix from Nov)
  - The latest hotfix was just two days ago with not just fixes but several bona fide enhancements (4.4.1459.0):
    - SQL Always On Support
    - The ability to have custom objects with membership similar to Groups and Sets
    - Enter a justification on Approval not just denials
    - The ability to turn on and off logging for the MIM Service without having to restart
    - Support for SCCM 2016 for Reporting
    - Updated article to include CM
    - Certificate Modern Manager
It is possible that BHOLD components of MIM are dying or at least of lesser import. Biggest evidence for this is Microsoft's partnership with SailPoint coupled with the fact that there are no BHOLD fixes in the latest hotfix.
Update: I have been reassured by the product group that BHOLD will continue to get development for fixes and new features.