FIM 2010 R2 with AAD MA vs Azure AD Connect strategy

  • Question

  • Hi folks,

    We use FIM 2010 R2 extensively and I'm at the point where I'm looking at topologies for integrating Office 365/Azure AD.

    It's noted on the AAD MA download page that the MA is feature frozen with a recommendation to move to Azure AD Connect.

    The immediate problems I believe I can see with this are that it means provisioning becomes a double hop (MA -> on-premise AD -> Azure AD) and, as a follow-on, rule extensions can't be used.

    Are both of these intermediate conclusions correct and if so, how are people with established FIM/MIM footprints currently dealing with the double hop issue? I'm not keen on introducing this kind of disconnect into the topology if it's not completely necessary.

    I'm also not particularly keen on treating FIM like an old backup product where I have to trigger post-execution jobs if I can avoid it. It's much cleaner from a programmatic, efficiency and documentation (and therefore support and business continuity) perspective to keep everything coming from the source of truth to FIM, and then from FIM to the dependent system.

    Cheers,
    Lain

    Thursday, January 5, 2017 8:30 AM

Answers

  • Lain-

    Provisioning to AAD with AAD Connect is the path forward as you've laid out. You should be able to do almost any transformation or filtering you need to do in AAD Connect without rules extensions with the new sync rules capability. There is a lot there if you need it.

    For licensing, today, PowerShell or calling the Graph API directly are your best options. I typically see customers retain this capability in FIM/MIM from an automation perspective.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Monday, January 9, 2017 5:56 PM
    Moderator
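    As an added illustration of the PowerShell route Brian mentions (this is not code from the thread or from any Microsoft sample), the function below assigns a licence SKU to a user and disables selected service plans, which is the per-user "plans and features" step Lain says Azure AD sync cannot do. It uses the MSOnline cmdlets that were current in early 2017 (`Connect-MsolService`, `Get-MsolUser`, `Set-MsolUser`, `New-MsolLicenseOptions`, `Set-MsolUserLicense`); the tenant name, SKU id, plan names and the default usage location are placeholders.

```powershell
# Added example, not part of the original thread: a post-sync job that
# assigns a licence with selected service plans disabled via MSOnline.
# Tenant/SKU/plan values are placeholders; replace them with your own.
Import-Module MSOnline
Connect-MsolService   # prompts for Azure AD administrator credentials

function Set-TenantUserLicense {
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [string]   $AccountSkuId,          # e.g. 'contoso:ENTERPRISEPACK' (placeholder tenant)
        [string[]] $DisabledPlans = @(),                          # service plan names to leave off
        [string]   $UsageLocation = 'AU'                          # assumption: ISO country code; required before licensing
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Azure AD refuses to assign a licence until a usage location is set.
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $UsageLocation
    }

    # Per-user plan selection: everything in the SKU except the named plans.
    $options = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $DisabledPlans

    if ($user.Licenses.AccountSkuId -contains $AccountSkuId) {
        # SKU already assigned: only adjust which plans are enabled.
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -LicenseOptions $options
    } else {
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $AccountSkuId -LicenseOptions $options
    }

    # Return the resulting state so the calling job can verify the outcome.
    (Get-MsolUser -UserPrincipalName $UserPrincipalName).Licenses |
        Where-Object { $_.AccountSkuId -eq $AccountSkuId } |
        Select-Object AccountSkuId,
            @{ n = 'EnabledPlans'; e = {
                ($_.ServiceStatus | Where-Object { $_.ProvisioningStatus -ne 'Disabled' }).ServicePlan.ServiceName } }
}

# Usage (placeholder values):
# Set-TenantUserLicense -UserPrincipalName 'user@contoso.example' `
#     -AccountSkuId 'contoso:ENTERPRISEPACK' -DisabledPlans 'YAMMER_ENTERPRISE','SWAY'
```

    Because the function returns the licence state it just applied, a FIM/MIM post-processing job can log that result per user rather than assuming the assignment succeeded, which is the main thing to check when licensing is split out from the sync pipeline.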

All replies

  • Yes, it does look like MS is not going to maintain two Azure AD sync products and FIM's AAD MA is being deprecated. I'm afraid there is not much you can do but start using AAD Connect for Azure AD sync.

    AAD Connect does have the good old FIM sync service under the hood, and supports rules/extensions. Of course, those extensions won't have access to MV data you have in FIM, so all the additional attributes that you need to make your extensions work will have to be dumped to on-prem AD.


    Gleb.

    Thursday, January 5, 2017 10:11 AM
  • That's a bit of a letdown, but expected nevertheless.

    There are times where it makes sense to have two or more synchronous stages to a provisioning process, but provisioning into O365 isn't one of them. If your source of truth has all the relevant criteria then we really should have an option to do the sequencing and provisioning (which would include the setting of plans and features on a per user basis - something which Azure AD Sync can't handle) ourselves.

    This has the feeling of being a by-product of two different teams working separately on solutions rather than Microsoft as a brand having a cohesive identity management product. If so, I hope this is reconciled at some point.

    While FIM is indeed under the hood of Azure AD Sync, it's not in a usable format as it's been stripped of any useful management agents and those that are there don't support rule extensions as such, and I'm guessing that were I to re-add the missing agents and replace the existing AD MA (assuming that's even viable) with the original from FIM, I'd only put myself in a completely unsupported position.

    I guess the only relevant part from my initial question is, how are you handling this scenario now? My guess is that you're having to bolt on PowerShell tasks to complete the setting of plans and features?

    Cheers,
    Lain

    Sunday, January 8, 2017 11:01 PM
  • Thanks, Brian. That at least enlightens me as to what people are doing.

    It bothers me greatly that once again two different product groups are diverging off on their own merry ways for the same concept (identity management).

    My feeling at this stage is that if FIM/MIM is not destined to be the holistic identity management product of the future then there will come a time to revisit NetIQ and the likes.

    Cheers,
    Lain

    Monday, January 9, 2017 10:38 PM