
1 Follow OCG Learning: Twitter, Facebook, LinkedIn
Get the latest offers, details of new courses, events, webinars, white papers, news and technical opinion you can trust.
- Facebook: facebook.com/oxfordcomputergroup
- LinkedIn: linkedin.com/company/ocg-learning and James Cowling - Identity Management Specialist

2 MIM Service Pack 1 Webinar James Cowling CTO 20th October 2016

3 Agenda
- Quick summary of MIM 2016
- Features in MIM 2016 Service Pack 1
- Future Additions to MIM 2016 SP1
- Upcoming Events
Please note: this session will be recorded

4 Microsoft Identity and Access
Microsoft Identity Manager 2016:
- Service and Portal (Workflows, Approvals, UI)
- Synchronization Service (Data flows and transformations, password sync)
- Certificate Management (Cert Enrolment, Renewal, Expiry workflows, UI)
- Reporting (Data Warehousing with System Center Service Manager)
- Roles Engine (bHold, Role Model Management and Role Assignment)
- Privileged Access Management (Protection for Admin Credentials)
Azure Active Directory (AAD):
- Cloud directory with many IAM functions
- Sync with on-prem AD using AADSync
Hybrid Identity implementations involve both major components

5 Service Pack 1 Features
- JIT groups for PRIV domain
- PAM PowerShell Deployment
- Customer Reported Bug Fixes
- PAM Single-forest deployment
- Cross-browser support
- Requests and approvals with Exchange Online
- Hardened Security
- Updated Platform Support

6 Bug Fixes
- Rollup of all fixes since RTM:
  - (KB ) – incl. Localization and ECMA fixes
  - (KB ) – incl. PAM fixes
  - (KB ) – incl. CM updates, Perf Counters fix
- SP1 is version 4.4.1237.0
- Fixes a couple of additional PAM issues
- Adds image format validation for images uploaded to the portal

7 Updated Platform Support
- MIM Portals now run under “all major” browsers: Internet Explorer, Edge, Chrome, Safari, Firefox (according to the blog, not specifically in the documentation)
- Platform components now support modern versions:
  - Windows Server 2016 (not CM or bHold)
  - SQL Server 2016 (not CM or bHold)
  - SharePoint 2016
  - Windows 10 client
- See design/microsoft-identity-manager-2016-supported-platforms

8 PAM Overview
- Production Domain (“CORP”) assumed compromised
- Separate Admin Domain (“PRIV”)
- Just-In-Time Admin: Candidates and Escalation
- PRIV credentials not present in CORP: harder to steal if not present
- Admin performed using SIDHistory, One-Way Trust into CORP
[Diagram: bastion PRIV domain. User PRIV.User X is a Member of Security Group PRIV.Security Group; in MIM PAM, a PAM Person is a Candidate of a PAM Role, which carries the Privilege of a PAM Privilege]

9 PAM PowerShell Deployment Scripts
- Available from MS Download Center
- Good documentation – a required read!
- Manual pre-configuration required
- Some manual intervention required
- us/download/details.aspx?id=5394 1

10 PAM Single-Domain Deployment
- AKA “PRIVOnly” deployment
- PAM Users and Groups are not required to have a corresponding CORP object
- Allows PAM Users and Groups to reference objects which are only in the PRIV domain
- Supports the protection of PRIV administrator objects (just-in-time admin)
- Implemented using the -PRIVOnly=true switch on all relevant PowerShell cmdlets
- Although possible, CORP-only deployment is not regarded as secure, therefore not best practice
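The single-domain flow the slide describes, as an added example that is not part of the deck, the deployment scripts, or Microsoft's own documentation. It assumes the MIMPAM PowerShell module on the PAM server, a bastion domain with NetBIOS name PRIV, and a group and account (PrivAdmins, jane.admin) that exist only in that domain; all of these names are placeholders. The slide gives the switch as -PRIVOnly=true; in PowerShell syntax it would be a switch parameter, so the script first confirms the installed module exposes it rather than assuming the spelling:

```powershell
# Added example (not from the deck): create a PRIV-only PAM group, user and role,
# then raise a time-limited request against that role.
# Assumes: MIMPAM module installed; PRIV\PrivAdmins and PRIV\jane.admin already exist
# in the bastion domain (placeholder names).
Import-Module MIMPAM

$privDomain = 'PRIV'                                            # bastion (admin) domain NetBIOS name, placeholder
$privCreds  = Get-Credential -Message 'PRIV domain admin credential'

# The slide says PRIV-only objects are flagged with the PRIVOnly switch on the relevant
# cmdlets; verify the installed build actually has it before depending on it (assumed name).
foreach ($cmd in 'New-PAMGroup', 'New-PAMUser') {
    if (-not (Get-Command $cmd).Parameters.ContainsKey('PrivOnly')) {
        throw "$cmd has no -PrivOnly parameter; check Get-Help $cmd -Full for this build"
    }
}

# Group and user that live only in PRIV: no corresponding CORP object is looked up.
$group = New-PAMGroup -SourceGroupName 'PrivAdmins' -SourceDomain $privDomain -Credentials $privCreds -PrivOnly
$user  = New-PAMUser  -SourceAccountName 'jane.admin' -SourceDomain $privDomain -Credentials $privCreds -PrivOnly

# Role TTL (seconds) is the upper bound on how long MIM leaves the candidate in the group.
$role = New-PAMRole -DisplayName 'PRIV Admin (JIT)' -Privileges $group -Candidates $user -TTL 3600

# A candidate asks for a shorter window than the role maximum; the membership and the
# Kerberos ticket (SP1, forest level 2016) both expire with the lower of the two values.
New-PAMRequest -Role $role -Justification 'Change ticket CHG-0000 (placeholder)' -RequestedTTL 1800
```

Keeping the role TTL short and reviewing requests' justifications is where the security value sits: the membership is the only thing that grants the PRIV privilege, and it disappears on its own.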

11 Hardened Security
- Kerberos TGT lifetimes for PAM users now align with the TTL of privilege escalation and group membership
  - Requires Forest Functional Level 2016
  - If multiple time-bound memberships, the ticket uses the lowest TTL
- PAM uses the Expiring Links functionality of ADDS 2016
  - Requires the PAM Windows Optional Feature
- PAM implementation uses Authentication Policy Silos
  - Allows limitations on Kerberos ticket lifetimes without having to make domain-wide changes
- PAM can manage PRIV admins (as described already)
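A verification script for the prerequisites this slide lists, added here as an example; it is not from the deck or from Microsoft. It assumes the RSAT ActiveDirectory module and a bastion forest reachable as priv.example.local with a privileged group PrivAdmins (both placeholders). It checks forest functional level and the PAM optional feature, decodes the remaining TTL on each expiring-link membership, and lists the TGT lifetime cap set by the authentication policies:

```powershell
# Added example (not from the deck): confirm the ADDS 2016 machinery behind JIT membership
# and inspect how long each privileged membership has left.
# Assumes: ActiveDirectory module; priv.example.local and PrivAdmins are placeholders.
Import-Module ActiveDirectory

$privForest = 'priv.example.local'                  # bastion forest FQDN, placeholder
$forest     = Get-ADForest -Identity $privForest

# 1. Expiring links need forest functional level 2016.
if ($forest.ForestMode -ne 'Windows2016Forest') {
    Write-Warning "Forest mode is $($forest.ForestMode); expiring links require Windows2016Forest"
}

# 2. The PAM optional feature must be enabled (enabling it is a one-way change, so it is
#    left as a comment rather than done automatically).
$pamFeature = Get-ADOptionalFeature -Server $privForest -Filter { Name -like 'Privileged Access Management*' }
if (-not $pamFeature.EnabledScopes) {
    Write-Warning 'PAM optional feature is not enabled; time-bound memberships are unavailable'
    # Enable-ADOptionalFeature -Identity $pamFeature -Scope ForestOrConfigurationSet -Target $privForest
}

# 3. Remaining TTL per member. -ShowMemberTimeToLive returns time-bound entries as
#    "<TTL=seconds>,<DN>"; anything without that prefix is a permanent member, which in a
#    JIT design is the thing to review.
function Get-PrivilegedMembership {
    param([string]$GroupName)
    $g = Get-ADGroup -Server $privForest -Identity $GroupName -Property member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; TtlSeconds = [int]$Matches[1]; Permanent = $false }
        } else {
            [pscustomobject]@{ Member = $m; TtlSeconds = $null; Permanent = $true }
        }
    }
}
Get-PrivilegedMembership -GroupName 'PrivAdmins' | Format-Table -AutoSize

# 4. Authentication policies (applied via silos) cap the user TGT lifetime in minutes without
#    touching the domain-wide Kerberos policy; confirm they are enforced, not audit-only.
Get-ADAuthenticationPolicy -Server $privForest -Filter * |
    Select-Object Name, UserTGTLifetimeMins, Enforce | Format-Table -AutoSize
```

Run it from an admin workstation trusted by the PRIV forest; a permanent entry in a group that PAM is supposed to manage, or a policy with Enforce set to false, is the finding to chase.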

12 Exchange Online for Service Mailbox
- The MIM Service can now use an Exchange Online mailbox for approvals and notifications
- On-prem Exchange still available with the same functionality
- Generic SMTP still available for notifications
- Access is via Office 365 web services

13 Future Additions
- There will be a hotfix/in-place upgrade from MIM 2016 to SP1
  - Currently only a full install is available, which requires uninstall/reinstall
- An issue in Password Change Notification Service (PCNS) has been reported
  - Rarely, in some environments, PCNS fails to start with a root certificate validation error
  - A fix will be forthcoming when the issue is nailed down
  - Until then, test! If in doubt, stay with the MIM 2016 RTM PCNS

14 OCG Learning - courses
- Learn MIM: Foundation – Advanced – Expert
- Live classroom courses or online, self-paced
- PAM training: next one-day course 7 November – join the live class via the internet from anywhere in the world
- ocglearning.com/courses
- We can train your team and offer ongoing support

15 Thank you! James Cowling CTO 20th October 2016

