Identity Stack #6 - Tick Tock: Time is Running Out for Microsoft Identity Manager
It’s coming quicker than you think. It’s been 4 years since Microsoft announced that they were ending support for Microsoft Identity Manager, and while you technically have until 2029 to make the transition, your technical debt is already starting to pile up. Many organizations have already made the transition, but others, for example, businesses with complex architecture and requirements, face a fairly daunting task.
It’s human nature. In the real world, we don’t have the time or the bandwidth to worry about problems coming up in 4 years when we have fires to put out today, making it easy to say, “well, maybe we’ll get to it next year.” This is no longer tomorrow’s problem; it’s today’s problem, and you have some decisions to make. To avoid disruptions that could leave you vulnerable, you’ll need to act fast to migrate from MIM to a modern solution.
We sat down with Arthur Wojcicki, Director at KeyData Cyber, to talk about it.
Q: For those who still rely on Microsoft Identity Manager, could you talk about why it’s important to find an alternative and by when?
A: The rise of a cloud-first approach has accelerated many tools and software, those in the IGA/IAM space included. The transition to a cloud-only model is happening quickly, to better meet the requirements of customers, provide future scalability, and most importantly, keep operational costs predictable. The cloud-first model is the present and future, making it the biggest driving force behind Microsoft ending support for Microsoft Identity Manager (MIM).
Support for MIM had initially been targeted for an early 2026 end date; however, Microsoft has extended its support until early 2029, due primarily to the large outcry from many of its customer organizations that rely on MIM heavily for both hybrid and on-premises identity management. Many of these customers are either without a proper transition plan or are not ready for a cloud-based identity solution due to the need to continue to handle critical legacy systems that are not easy to account for or change.
Many regulated industries, specifically government, healthcare and finance, are finding it hard to transition as they are often large, complex, and operate in hybrid environments that have been heavily customized. The lift-and-shift approach we frequently hear about does not apply to these industries. A proper strategy and plan are a must.
Q: Bandwidth is a real challenge for many IT security teams, making it hard to allocate resources for what seems like a future problem. Microsoft has given us until 2029 to find an alternative, so what are the advantages of migrating away from MIM now?
A: The biggest advantage is reducing overhead, or more importantly, making better use of your organization’s human IT capital. Although security patches will continue until 2029, actual enhancements to the MIM platform are no more. You don’t want to waste valuable resource hours to upkeep and, in some cases, customize a solution that is no longer, and will not become, future-proof.
You want your IT resources enabled to help drive improved performance and scalability with newer, more modern solutions, rather than focusing on custom code and PowerShell scripts just to maintain and keep the lights on.
There are many other advantages, but another critical one that comes to mind is compliance. Yes, you hear about improved security, and that is a big one too, but compliance is just as much of an advantage, if not more.
Most cloud IGA tools offer robust compliance features out of the box, and they adapt as regulations change, so you don’t have to spend human capital to do so. Built-in access certifications, policy violation detection, and segregation-of-duty enforcement are now the standard. Better support for audit logging, compliance evidence generation, and compliance with standards such as GDPR/SOX/HIPAA is done for you.
Q: Even knowing these benefits, some organizations will still want to wait, but procrastination can be expensive in more ways than one. What are the disadvantages of waiting to do it “next year”?
A: Simply put, it will be more expensive. Not just in dollars, but in technical debt and resources, not to mention your security risk continues to increase with each passing day. Not making use of modern IGA features sooner, as opposed to maintaining an existing system, will predictably cost more a year from now. Technical debt will accumulate, making the inevitable migration more complex, painful, and expensive. Migrating from MIM to a new IGA tool requires resources with MIM expertise: those who know the tool and the specific business logic and rules, and who can help translate them into the modern IGA platform. These resources are going to be more costly as MIM expertise becomes more obscure.
The security risk is a big one. Aside from the increased compliance or failed-audit risk, and the scramble to then remediate as necessary, the biggest security risk is to the business itself. Gone are the days of “if” an organization will be hacked or have a data leak; especially when a dated tool continues to linger, it is a matter of “when” and how bad. You don’t want your IGA tool, and specifically your IAM capabilities, to be the operational bottleneck to the business. The longer you wait, the more it will be.
Q: It’s hard to get leadership excited about an IAM transformation if you make it all about mitigating some far away threat. Today’s identity solutions undergo frequent upgrades and enhancements to ensure that you are always receiving the best protection available. What do these modern solutions offer that MIM does not?
A: The move of many identity solutions to a cloud-first approach allows for many things that MIM simply cannot. Three big ones come to mind:
- Scalability – Whether you have 100 identities now and need to scale to 10,000 a week from now, a modern identity solution can auto-scale as needed to support business growth. With MIM, scaling often requires more infrastructure and detailed planning.
- No infrastructure maintenance – With a cloud-based solution there’s no more physical infrastructure to maintain and your IT resources don’t have to worry about patching servers and maintaining databases.
- Consistently strong security posture – Modern solutions have out-of-the-box features such as MFA, JIT provisioning, and real-time risk-based access decisions as granular as you want, and they keep up your security posture 24/7.
Q: As the saying goes, “The best way to eat an elephant is one bite at a time.” Migrating from MIM to Saviynt is a significant undertaking that requires careful planning and skillful execution. You’ll need time to get your teams trained and certified to support your new tool and ensure that they are ready to manage this complex and high-stakes transformation. What advice would you give our listeners? If they need to migrate their org to a new solution, where should they start?
A: By now every CISO or CTO should understand that their organization needs an IAM program, whether big or small or in between, with a proper toolset ensured to align with organizational risk posture, business strategy, and overall IT roadmap. Where to start is not as simple, but it can begin with simply understanding the “why”.
Why do you need a modern solution?
- Is it simply because MIM is approaching end-of-life?
- Do you have compliance concerns?
- Do you need to reduce manual processes?
- Do you need a modern identity solution because your competitors have it and are reducing bottlenecks, and are driving more business as a result?
Knowing the “why” is crucial to better understand what the best options and ultimately solutions are. There can be many responses to the “why” but ultimately some are more pragmatic than others.
I would encourage a CISO or CTO with their trusted stakeholder(s) to identify and prioritize three to five of these and ensure there is majority agreement. Seek cross-functional team approval across the organization and then reach out to KeyData Cyber for a quick chat on what we can do to help take your “why” and transform it to a successful, tangible initiative that will provide immediate short-term value-add and long-term benefits.
If your organization is still using Microsoft Identity Manager, schedule a complimentary workshop to assess your security needs and receive a roadmap to a secure, scalable IAM strategy for your organization.