MIM 2016 PAM MFA and SharePoint 2016 Server RRS feed

  • Question

  • Hello Experts,

    I am working on PAM deployment and would appreciate if you could assist me in solving some of my queries:

    1) MIM/PAM SharePoint 2016 High Availability

    We are planning to use SharePoint 2016 servers for MIM 2016 deployment for PAM to allow users to request access through GUI. With SharePoint 2013 foundation (free), it was simple to just install SharePoint component on each server. SharePoint 2013 mainstream support is ended this year so management does not want to go with SharePoint 2013. 

    Could anyone of you please advise if we should go with SharePoint Farm deployment with 2 FE and 1 clustered SQL Instance as the backend for MIM Portal or should be installed SharePoint 2016 standalone on each MIM portal server? 

    2) PAM MFA (Bastion Forest)

    We Install PAM in bastion forest and it is recommended to integrate MFA with PAM to provide an extra layer of security. Do we need to sync bastion forest users with the Azure portal using AD Sync to assign them the Premium license for PAM MFA Authentication or would it work without Syncing their bastion forest accounts with Azure?


    Monday, October 29, 2018 1:07 AM


  • Hello Everyone,

    I believe I got the answer to my queries. Please correct me if anyone of you finds anything wrong. I am sharing this so it could help others. 

    1) MIM/PAM SharePoint 2016 High Availability

    We can use SharePoint 2016 farm and can go with SharePoint 2016 servers installed on each MIM Service/Portal server. Using SharePoint farm increase the complexity in the environment and downtime is required when patching/updating the MIM servers. SharePoint 2016 is not free and we can install Standalone on each MIM Portal/Service server which is easy to maintain but it requires an extra licensing cost.

    The link below helped me in understanding the impact. 

    when we patch MIM Service it will update the database and the MIM Service. At that instant only updated MIM Service instances should talk to the database (they might work, but no guarantees), and only updated Portals should talk to the update MIM Service Instance. So I think we still end up with downtime, the key is to minimize it. The Zero downtime patching would certainly reduce it when you patch the actual SharePoint binaries. But we could accomplish the same thing with two single server farms load balanced through NLB.

    2) PAM MFA (Bastion Forest)

    MFA supports 2 usage model, Per user and per Authentication. 

    For PAM deployments, it is best to use per Authentication model for MFA Provider in Azure AD. It allows you to use MFA with PAM without syncing users with the Azure AD and will keep security maintained. 


    • Marked as answer by rndmaster Wednesday, October 31, 2018 1:01 AM
    Wednesday, October 31, 2018 1:00 AM