TechEd - FIM Best Practices

This was a great session from Carol WapshereMVP (@miss_miis) about the essential ingredients of a successful identity management project using FIM – Microsoft ForeFront Identity Manager.

The current latest and greatest is FIM 2010 R2 and it has the following technical components:

  • Synchronisation Service – connects matched objects in directories and applications
  • Password Synchronisation – updates passwords of joined use accounts following AD password changed.
  • Portal and Service (added with 2010) – SharePoint based portal for user administration, self-service and workflow.
  • Self-Service Password reset – greatly improved with 2010 R2.
  • Reporting – new to 2010 R2. Audit and reporting using System Center Data Warehouse.
  • Role Management – new component, acquisition of a third party component. BHOLD and RBAC System Role modelling, role assignment, compliance.
  • Certificate Manager – Request and renew certificates

A critical point about FIM to understand is that it is a state based system.

  • What is the current state of the object
  • What is the future state of the object
  • It doesn’t care about how or who.

And the essential ingredients for a successful FIM project are suprisingly familiar.


  • Who’s driving – why now?
  • Often IT led efficiency initiatives don’t go anywhere unless there is a compelling reason.

Understand the environment

  • Get account policies in writing
  • Talk to the people who really know
  • Data analysis. There can be a lot of B/A work required to ensure success.

Get the requirements

  • Essential v desirable
  • Focus on outcomes, not current processes
  • Get specifics
  • Don’t try to do everything at once.
  • Typical project scope management issues are typical in identity management projects.

FIM is an extensible product, with the following components the extension points:

  • The Sync service
  • Custom workflow
  • Web services

Like most COTS products, the same rules and common sense apply:

  • Use out of the box before extending wherever possible
  • Use only support methods – see MSDN documentation for guidance.
**Get a full production data set for Dev and Test**
  • Rules must be able to deal with real, not idealised data
  • Joins and data cleaning analysis
  • Identify exceptions
  • Understand scale
When FIM is running in Prod, it will impact real accounts – so it is worth the effort to get Prod data into Dev and encounter these issues early.

Expect teething problems

  • Production data and practices may bring surprises
  • People suddenly remember vital requirements
  • Confusing about what can be changed where

On-going Administration

  • It’s not a “set and forget” system
  • Data errors and duplicates will happen
  • Business rules will change

Key takeaway points:

  • Understand the environment
  • Develop for automation
  • Be realistic

As I said earlier, these principles apply to most IT products but good to get them reinforced.