
Manage Your Organization's Identity with Microsoft Forefront Identity Manager 2010
Posted By: Alan Le Marquand
Publish Date: 3/3/2010

All organizations need to manage identities, credentials, and resources. Some lucky organizations only have to deal with one directory, but most have to deal with multiple directory trees and application-specific identity sources. The IT departments in those organizations are expected to deliver this management efficiently, cost-effectively, and securely. When this management goes bad, IT departments can lose the ability to be agile, and custom solutions created to manage identities can inhibit their ability to adapt to business change efficiently. These solutions may require manual intervention, inevitably resulting in higher costs.

What organizations need is a comprehensive identity and access management solution that can integrate certificate and smart card management with the traditional identity management lifecycle, while bringing a level of self-service management to users. Microsoft Forefront Identity Manager 2010 (FIM) is a component of Microsoft’s Identity & Access Management solution that brings powerful capabilities, administrative tools, and enhanced automation to organizations to help them efficiently manage identities. FIM is not the first identity management product from Microsoft. FIM has evolved from Microsoft Identity Lifecycle Manager (ILM) 2007, which was previously Microsoft Identity Integration Server (MIIS) 2003, which originated from Microsoft Metadirectory Services (MMS). These products provide two stable engines for delivering the core services of FIM. These engines deliver core provisioning and synchronization services between different systems, as well as certificate and smart card management. FIM then builds on previous releases by wrapping these core services in a rich management environment, including workflows and self-service capabilities for end users, making it easier for IT Administrators to manage the identity management lifecycle, and enabling them to delegate some tasks to end users.

How does FIM make identity management easier? FIM 2010 provides the ability to manage multiple credentials in an integrated manner. IT Administrators have centralized management tools where they can view and define policies, such as defining smart card templates and processes for resetting PINs.

Today, IT Administrators often spend time adding people to groups, removing people from groups (if they are ever told access is no longer needed), creating and managing accounts, or at least trying to. When a new hire arrives at a company it can turn into a departmental sweepstakes - “Guess the date when Joe will have access to our systems?” When you think about your organization, think of all the accounts you have. You have a network account, then you almost certainly have an email account, which is also almost certainly a member of a number of distribution groups, an account in the finance system so you get paid, and an account in a customer relationship system. Then there are the file shares and web sites which you have access to internally. Finally, like me, you may have a building access card that may be a smart card with certificates on it. All of these have to be created, authorized, and issued. This is what FIM does, or rather, this is what FIM enables IT Administrators to do more efficiently.

When new hire “Joe” starts, he may well go through some new employee orientation. At that point, the HR representative could add or approve “Joe” in their system. Then “Joe” officially exists. In the background, FIM has seen this change because of the policies defined by the Administrators. FIM now starts the enrollment process: a network access account is created, a corresponding email account is created, requests for certificates are generated, and requests are sent to the appropriate people to authorize the creation of accounts in the CRM system or the finance system. At every stage, the policy and workflow dictate who gets notified to authorize the change. So when “Joe” gets to the security office to have his picture taken and added to his access card, the card can be loaded with the right certificates and “Joe” can walk into his new department all ready to go.

This isn’t a one-way process. Should “Joe” leave, when his final salary is paid, FIM can reverse all these changes: certificates can be revoked, accounts disabled, and so on. FIM also gives IT Administrators the ability to delegate certain information management tasks to users. During “Joe’s” employment, he can self-manage some of his own identity information, such as his mobile phone number, as well as reset his password or smart card PIN. Tasks like password or PIN reset are estimated to cost around $35 per request, which can quickly accumulate over the course of a year.

FIM allows IT Administrators to spend more time managing their systems' security, and less time managing people’s identity. In the next part we will look at the self-service capabilities in FIM, and how access management of resources can be delegated to end users.

Related Resources

Videos / Webcasts
• TechNet Webcast: Forefront Identity Manager 2010: Technical Overview and Deployment
• TechNet Webcast: Forefront Identity Manager 2010: Deploying FIM
• TechNet Webcast: Identity and Access Management Solution
• TechNet Edge Video: Forefront Identity Manager - Reducing cost of group management
• TechNet Edge Video: Identity and Access Management Solution
• Channel 9 Video: Alex Weinert on Forefront Identity Manager 2010

Datasheets and downloads
• Identity and Access Management Datasheet
• Trial Download FIM 2010

Tags: Alan Le Marquand, Forefront, Forefront Identity Manager, FIM, Identity Management, English, Articles, TechNet Edge, Articles

Comments (1)

lilia gephardt: Tuesday, June 29, 2010 9:50 PM
Great!
© 2010 Microsoft Corporation. All rights reserve
