Identity Management with Forefront Identity Manager 2010

Microsoft’s Forefront Identity Manager 2010, or FIM 2010, is an identity management solution which can handle every aspect of managing identities. Account provisioning, group memberships, and self-service password resets are all part of what Forefront Identity Manager 2010 can provide to an organization.

This article provides an overview of the topic of Identity Management.  It will define some of the terminology used and describe some of the ways that Microsoft Forefront Identity Manager 2010 works to improve Identity Management.

What is Identity Management?

Identity management helps organizations get control of some critical aspects of their IT infrastructure, primarily user accounts.  There are two important parts of identity management.  First, business decisions are made that define the rules of who gets an account, and when.  Second, those rules are implemented.

Identity management is more than just managing accounts and passwords. It’s the total management of identities across their entire lifecycle.  What happens when a new user enters the organization?  What happens when an existing user changes roles within the organization?  Finally, what happens when a user leaves an organization?  Those are the questions that identity management addresses.

How does Forefront Identity Manager 2010 help?

Microsoft Forefront Identity Manager 2010 helps to implement the management rules that an organization creates.  While it does not really help to define the rules that an organization should create, it does provide the tools to make a reality the rules that the organization does define.

Forefront Identity Manager 2010 is more than Active Directory management.

Active Directory is a large part of most organizations' identities.  Many people, when hearing about Identity Management, think that it's mainly Active Directory automation.  Many consider a user's identity and their Active Directory user account to be one and the same.

But Forefront Identity Manager 2010 manages users’ identities across multiple platforms.  SQL Servers can maintain a list of users able to access a database.  Using FIM 2010, SQL Server user accounts are analyzed, and compared to other sources of user data to either merge data, or even provision new accounts.

Forefront Identity Manager 2010 imports users from multiple data sources, such as SQL Servers, Oracle databases, Novell, Lotus Notes, Exchange, and Active Directory.  Most remarkably, the user account data source does not even have to be an application at all.  Forefront Identity Manager 2010 can even synchronize user accounts between external data sources such as a text file.

An example of what Forefront Identity Manager 2010 does.

When Sally is hired, HR enters her into an application with an Oracle database.  FIM 2010 notices the new record in the database table, and uses the information to create an identity in the FIM database.

Once Sally's account has been projected into the FIM database, a user account for Sally is created in Active Directory.  Her new account could either be set up with a standard password or with a unique password sent to her supervisor.  Her AD user account is added as a member to all of the groups needed for her role.

An email account is created for the new user, and if she is an IT worker, she also has an Active Directory account created in the test domain.

On the new user's first day, her user accounts are ready and waiting for her, and the only record that had to be manually entered was the entry in the HR system.

Later, Sally updates her phone number.  While the HR system does store phone number data in its application, the HR staff do not normally change this information.  However, the helpdesk changes phone numbers in Active Directory to reflect changes made.  When Forefront Identity Manager detects a change to Sally's Active Directory account, it propagates the change from AD to the HR system.
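The Sally walkthrough above (projection from HR, AD provisioning, role-based groups, the test-domain account for IT staff, and the phone number flowing back from AD to HR) can be modelled as one synchronization loop with per-attribute precedence. The following is an added example written for this article; it is not FIM's own code or rule syntax. The HR records, `ROLE_GROUPS`, `PRECEDENCE`, the `corp.example` mail domain and the logon-name rule in `make_sam` are all constructed assumptions. It goes one step beyond the text by also handling a role change and a departure, the two other lifecycle events the article names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample rules; they stand in for FIM's synchronization and
# provisioning rules, whose real syntax is not shown here.
ROLE_GROUPS = {"IT": ["All-Staff", "IT-Staff"], "Sales": ["All-Staff", "Sales-Team"]}

# Attribute precedence: which connected source is authoritative for each
# metaverse attribute. HR wins for identity facts; AD wins for the phone
# number because the helpdesk edits it there, so it flows back to HR.
PRECEDENCE = {"name": "hr", "department": "hr", "status": "hr", "phone": "ad"}


@dataclass
class AdAccount:
    sam: str
    enabled: bool = True
    groups: List[str] = field(default_factory=list)
    mail: Optional[str] = None
    phone: Optional[str] = None


@dataclass
class Identity:
    """One metaverse object: the merged view of a person across systems."""
    employee_id: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)
    ad: Optional[AdAccount] = None       # linked production AD account
    test_ad: Optional[AdAccount] = None  # linked test-domain account (IT staff only)


def make_sam(name: str) -> str:
    """Derive a logon name from the HR display name, e.g. 'Sally Jones' -> 'sjones'."""
    first, last = name.lower().split()[:2]
    return (first[0] + last)[:20]


def synchronize(hr: Dict[str, dict], ad: Dict[str, AdAccount],
                test_ad: Dict[str, AdAccount], mv: Dict[str, Identity]) -> List[str]:
    """One sync run: import HR, apply precedence, provision or deprovision, export to HR."""
    log: List[str] = []
    for emp_id, rec in hr.items():
        ident = mv.get(emp_id)
        if ident is None:  # projection: a new HR record becomes a new metaverse object
            ident = mv[emp_id] = Identity(emp_id)
            log.append(f"project {emp_id}")
        # Import attribute flow, governed by precedence.
        for attr, source in PRECEDENCE.items():
            ad_value = getattr(ident.ad, attr, None)
            if source == "hr" or ad_value is None:
                ident.attrs[attr] = rec.get(attr)
            else:
                ident.attrs[attr] = ad_value
        active = ident.attrs["status"] == "active"
        dept = ident.attrs["department"]
        if active and ident.ad is None:  # joiner: provision the AD account and mailbox
            sam = make_sam(ident.attrs["name"])
            ident.ad = ad[sam] = AdAccount(sam, mail=f"{sam}@corp.example")
            log.append(f"provision AD {sam}")
        if active:
            wanted = ROLE_GROUPS[dept]
            if ident.ad.groups != wanted:  # joiner or mover: groups follow the role
                ident.ad.groups = list(wanted)
                log.append(f"set groups {ident.ad.sam} {','.join(wanted)}")
            if dept == "IT" and ident.test_ad is None:
                ident.test_ad = test_ad[ident.ad.sam] = AdAccount(ident.ad.sam)
                log.append(f"provision test AD {ident.ad.sam}")
            elif dept != "IT" and ident.test_ad is not None:
                del test_ad[ident.test_ad.sam]
                ident.test_ad = None
                log.append(f"remove test AD {ident.ad.sam}")
        elif ident.ad is not None and ident.ad.enabled:  # leaver: disable and strip access
            ident.ad.enabled = False
            ident.ad.groups = []
            if ident.test_ad is not None:
                del test_ad[ident.test_ad.sam]
                ident.test_ad = None
            log.append(f"disable AD {ident.ad.sam}")
        # Export attribute flow: AD-authoritative values are written back to HR.
        for attr, source in PRECEDENCE.items():
            value = ident.attrs.get(attr)
            if source == "ad" and value is not None and rec.get(attr) != value:
                rec[attr] = value
                log.append(f"export {attr} to HR for {emp_id}")
    return log


def run_sally_scenario():
    """Joiner, phone change in AD, role change, leaver: one sync run per event."""
    hr = {"E1001": {"name": "Sally Jones", "department": "IT", "status": "active", "phone": None}}
    ad: Dict[str, AdAccount] = {}
    test_ad: Dict[str, AdAccount] = {}
    mv: Dict[str, Identity] = {}
    runs = [synchronize(hr, ad, test_ad, mv)]      # day one: accounts ready
    ad["sjones"].phone = "555-0100"                 # helpdesk edits the phone in AD
    runs.append(synchronize(hr, ad, test_ad, mv))  # phone flows back to HR
    hr["E1001"]["department"] = "Sales"             # HR records a role change
    runs.append(synchronize(hr, ad, test_ad, mv))  # groups follow, test account removed
    hr["E1001"]["status"] = "terminated"            # HR records departure
    runs.append(synchronize(hr, ad, test_ad, mv))  # access removed
    return hr, ad, test_ad, runs


if __name__ == "__main__":
    for i, run in enumerate(run_sally_scenario()[3], 1):
        print(f"run {i}: {run}")
```

The point to notice is the precedence table: HR is the only system allowed to create or terminate an identity, while AD is allowed to be authoritative for exactly one attribute. Keeping that table small and explicit is what stops a helpdesk edit in AD from ever overwriting who the person is in HR, and it is the kind of rule an organization has to decide on before any tool can enforce it.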

And if Sally forgets her password, she doesn't need to contact the helpdesk and wait for IT staff to help her.  Instead, she can perform a self-service password reset using security questions she had previously set up for her account.

What are some of the key benefits of using Forefront Identity Manager 2010?

So it sounds cool, right?  Creating accounts; merging and updating identity information across disparate systems; and automating it all.  Here are some of the key benefits to implementing Forefront Identity Manager 2010 in an organization.

It offloads basic tasks from the hands of the IT staff to the end users.

Password resets are one of the most frequently requested services from first-line technical support.  Putting this service in the hands of the end users instead of relying on the helpdesk staff to perform it saves time for the end users, and frees the existing IT staff to work on new services.
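Moving password resets to self-service only saves the helpdesk work if the security-question gate is at least as strong as the helpdesk check it replaces. The example below is added for this article and is not FIM's own reset implementation; it shows the properties a practitioner would want from such a gate: answers are normalized so harmless variations still match, only salted PBKDF2 hashes are stored, every stored answer is checked so timing does not reveal which one failed, a reset needs N of M answers correct, and repeated failures lock the user out until someone with authority unlocks them. The questions, answers, iteration count and lockout threshold are constructed values.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def normalize(answer: str) -> str:
    """Case-fold, strip accents and whitespace so 'Fido ' and 'fido' compare equal."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return "".join(folded.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow salted hash of the normalized answer; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


class ResetGate:
    """Stores only salted hashes of answers and gates a reset on N-of-M correct answers."""

    def __init__(self, required: int, max_attempts: int = 5) -> None:
        self.required = required
        self.max_attempts = max_attempts
        # user -> question -> (salt, digest)
        self.enrolled: Dict[str, Dict[str, Tuple[bytes, bytes]]] = {}
        self.failures: Dict[str, int] = {}

    def register(self, user: str, answers: Dict[str, str]) -> None:
        """Enrol a user's questions with a fresh random salt per answer."""
        self.enrolled[user] = {}
        for question, answer in answers.items():
            salt = os.urandom(16)
            self.enrolled[user][question] = (salt, hash_answer(answer, salt))

    def is_locked(self, user: str) -> bool:
        """Locked users stay locked until an administrator clears the counter."""
        return self.failures.get(user, 0) >= self.max_attempts

    def unlock(self, user: str) -> None:
        self.failures[user] = 0

    def verify(self, user: str, answers: Dict[str, str]) -> bool:
        """True when enough answers match; counts failures toward lockout otherwise."""
        if user not in self.enrolled or self.is_locked(user):
            return False
        correct = 0
        for question, (salt, digest) in self.enrolled[user].items():
            # Every stored answer is checked, so work and timing do not reveal which failed.
            if hmac.compare_digest(hash_answer(answers.get(question, ""), salt), digest):
                correct += 1
        if correct >= self.required:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


if __name__ == "__main__":
    gate = ResetGate(required=2, max_attempts=3)
    gate.register("sally", {"pet": "Fido", "city": "Boise", "teacher": "Mrs. Smith"})
    print(gate.verify("sally", {"pet": "fido ", "city": "BOISE", "teacher": "nope"}))
```

The lockout is deliberately not self-clearing: once the threshold is reached, the reset path is closed and the request has to go back through the helpdesk, which is the trade-off that keeps the self-service gate from becoming an unlimited guessing interface.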

It reduces costs and the inherent errors with manual updates.

"To err is human.  To really foul things up requires a computer."

Fingers make mistakes.  People make poor decisions that update the information on the wrong account.  New helpdesk interns delete accounts accidentally.  Reducing those errors also reduces the frustration that goes along with those mistakes, and the time that it takes to remedy them.

It ensures compliance and increases security.

Since Forefront Identity Manager 2010 manages credentials, resources, and identities across all of the organization's systems, it can maintain standards across all of those systems.

With increased management comes increased compliance.  Since all of the systems are under management, their compliance can be programmatically applied to all systems and automated.

The automation provides increased security by reducing the number of people who need permissions that allow them to make changes to the identity sources.


Identity Management may be a topic that is relatively new to some in IT, but Identity Management provides value to all in the organization, from management and IT staff to the individual end users.

Identity Management is both the creation of business processes that define rules about who gets an identity and when, and the mapping of those rules to the implementation of them.

Microsoft's Forefront Identity Manager 2010 is a powerful tool that acts as a connector between multiple identity sources across an organization, and puts the power in the hands of the business owners to reduce costs and errors, and to increase user satisfaction, compliance and security.