MIM SSPR vs Azure SSPR

  • Question

  • Hi,

    Got a few questions around MIM and Azure AD SSPR.

    So MIM has the following SSPR options:

    1. Question and Answer Gate
    2. OTP Email Gate
    3. OTP SMS Gate
    4. Azure MFA using OTP SMS gate (is this the same OTP SMS Gate as above in item 3?)
    5. Azure MFA using Phone Gate

    I also see that Azure AD has its own SSPR, so:

    1. Do the same options (as per 1-5 above) exist in Azure AD as in MIM?
    2. When should we use the Azure AD SSPR vs the MIM SSPR?

    Additionally, MIM can also 'unlock' an AD account during a Password Reset operation - can this be done with Azure AD SSPR?

    Lastly, MIM allows different Gates to be used for Extranet vs Intranet users - does Azure AD SSPR cater for this too?

    Actually - what are the differences between MIM SSPR and Azure AD SSPR?

    Thank you,

    SK




    • Edited by Shim Kwan Wednesday, January 20, 2016 2:42 AM
    Wednesday, January 20, 2016 2:27 AM

All replies

  • I'm surprised no one has responded to this as yet.

    I too was thinking the same. Our current SSPR is done via FIM 2010 and rather than migrating to MIM (newer FIM) I have decided to move straight to AAD SSPR.

    To answer your question, I think it really does depend on what your requirements are.

    For instance, we have a Hybrid Exchange and we had used FIM initially to sync between O365 and the on-prem environment, as well as the SSPR. We did not use MFA.

    Since moving to AAD Connect to sync, it seems like a simpler option to use the features in our E5 license. SSPR from Azure seems to be all we need.

    Weighing out the pros and cons:

    Pros:

    No additional licenses/products needed.

    Cons:

    Users will not be able to reset their own passwords from the Windows logon (CTRL+ALT+Del) screen.

    (Not a major issue, as users can reset from their own smart devices, phone etc.)


    Friday, December 9, 2016 4:44 PM
  • The same unlock and password reset gates are available; however, there is not currently a Ctrl+Alt+Del screen plugin for Azure AD SSPR.

    In general I would aim to have customers use the AAD SSPR option if at all possible.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Friday, December 9, 2016 5:02 PM
  • Hi Brian,

    You mentioned that you would aim to have customers use the AAD SSPR option. Any particular reason for this? While we know that from a features perspective both options have similar features, are there any cons for going with MIM?

    If most of your applications are Azure based and if your servers are hosted in Azure, then would you recommend AAD only as a solution?

    Sunday, January 15, 2017 9:13 PM
  • I wouldn't look at whether or not you have infrastructure in Azure IaaS as a deciding factor for whether or not to use AAD SSPR.

    The main cons with MIM that come to mind are a) it's complicated to set up and maintain, b) there's a significant infrastructure dependency, and c) innovation is primarily happening in AAD these days.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Monday, January 16, 2017 3:35 PM