Microsoft Forefront Identity Manager 2010 review: Not for the SME

In Forefront Identity Manager 2010, Microsoft took smart card and certificate management and merged it with identity lifecycle tools to streamline administration and improve user security and compliance. FIM 2010 also empowers users through self-service tools to manage their own group memberships or reset their user password from the Windows logon page. FIM 2010 is based on Web standards for greater extensibility and will work with third-party certificate authorities.

To get a feeling for how FIM 2010 fits into a real-world situation, I tested it in a highly virtualised environment made up of Active Directory domain controllers, SharePoint 2007 servers, Exchange 2007 servers, and two FIM 2010 and ADFS 2.0 servers in two domains, for a total of 13 virtual clients and servers. I was able to create and execute FIM 2010 policies on one server and see the results across both domains. I found the SharePoint-based UI easy to use, and after a couple of false starts, I had little trouble with the policy engine. The workflow wizard did a good job of walking me through workflow generation even though I had never created a workflow before.

The previous release, Microsoft Identity Lifecycle Manager 2007, provided a platform for identity synchronisation, basic certificate and smart card management, and user provisioning. Forefront Identity Manager 2010 takes these base features and enhances them to reduce the time, effort, and cost of managing a user's account throughout its lifecycle.

One area that got a lot of attention in FIM 2010 is policy management. The administration UI is a SharePoint-based system that uses natural language queries and menu-driven controls to generate rules and policies for managing users. The rules can be applied automatically to other users and groups based on various criteria. For example, you can create a rule to automatically add a new user to a group, issue a one-time password for a smart card, and push the user's email address and telephone number to another user directory while flagging HR to issue a request for a new health insurance policy.

One of the most powerful policy management features is the inclusion of Windows Workflow Foundation (WF). With WF, IT can create a multistep policy to easily automate user management. Workflows can be simple or complex with multiple branches depending on need. During my tests, I was able to create workflows to send approve or disapprove notifications to a specific manager whenever a user account was added to a certain group. FIM 2010 can also import and reuse existing WF-based workflows so that IT doesn't have to re-create the workflow wheel and can speed up deployment.

Another very nice feature in FIM 2010 is that it will synchronise user information between heterogeneous systems. Forefront Identity Manager 2010 integrates with a wide range of systems, including Active Directory, Novell, Sun, IBM, Lotus Notes, Exchange, Oracle and SQL Server databases, SAP, and even flat file systems -- in most cases with no additional software agent installed on the target system. A synchronisation service takes care of passing user information in and out of FIM 2010.

A good example of this would be the scenario in which a new user is added to the company. HR creates the new user in FIM 2010. The synchronisation service pushes the new user info into the enterprise's Active Directory, and following the workflow, once the manager gives approval, this same user information is then sent to the company's insurance provider (an external system, secured by ADFS) to add them to the health insurance plan.

Note that the synchronisation isn't merely a one-way street; when the insurance company creates a new account in their system and assigns the new employee an account ID, that information can be sent back into FIM on a subsequent synchronisation and stored in the employee's AD record or in FIM 2010 alone. Any update to the user record in any of these systems -- FIM 2010 or AD or the external insurance system -- is automatically updated in the others. With the multibranch capabilities of the policy engine, one change can create a cascade effect on other pertinent systems.

Screenshots: Forefront Identity Manager 2010's intuitive SharePoint-based Web interface provides access to all aspects of user identity management. Among the many new identity management features is user self-service password reset, with definable lockout thresholds and challenge-and-response prompts.

FIM 2010: Automating rights management
Credential management has been greatly simplified for both IT and the end-user. Now all user credential management - including one-time password devices and third-party certificate authorities - can be done through a single console. FIM 2010 also provides a mechanism to allow end-users to reset their password from the Windows logon screen. Based on policy, the user can be presented with traditional question-and-answer prompts, or FIM 2010 can send a one-time password via text message, or any combination of these. This reduces the burden on IT and allows the end-user to continue working instead of waiting on a simple password reset.

A couple of nice enhancements to user management are built into FIM 2010. In addition to simply creating the user account, FIM 2010 can automatically provision resources, such as an email account or a one-time PIN for a smart card. This automation becomes especially important when the time comes to de-provision a user. By allowing the proper policies to automatically take the user out of the system, FIM 2010 helps maintain compliance and minimises the chance of leaving a user account active and failing a compliance audit.

Another nice feature is the ability for end-users to manage portions of their own user profile. For example, FIM 2010 can be set up to allow users to update telephone numbers, addresses, or other personal information without being able to change email address or logon name.

Along these same lines, users can manage their own distribution and user groups. This can be done through the FIM Web portal or, via integration with Office 2007 or Office 2010, right from inside Outlook. Group managers can approve or disapprove user requests via Outlook, making user group management even easier.
In a world where users are not always the exclusive management property of one domain, Forefront Identity Manager 2010 offers a way to bridge the gaps between systems. The bi-directional synchronisation between heterogeneous identity systems extends FIM 2010's reach beyond Microsoft-only networks, while the use of policy and workflows helps keep the compliance train on track. If you have to work with multiple domains or authentication systems, Forefront Identity Manager 2010 is definitely one tool to check out.