Tuesday, 13 November 2007

Tuesday - Identity @ Microsoft and the new lifecycle manager.

Hey, it's Tuesday and after a fine "fisherman's stew" feat. spineys (ask later) I'm still here. It's very sunny and despite the temptation to go to the beach, I find myself in an identity management session.
Do Microsoft eat their own dog food? Well, kinda, but only a bit of the tin turns out to be the answer. It's more "do as I say" rather than "do as I do". For example they have no limits on the number of machines that can be joined to the domain by staff, no naming standards and a whole bunch of PC / user combinations (e.g. 1 developer = 8 PCs, 1 receptionist = 0.33333 PCs!). They also have a multi-forest / multi-domain architecture, which isn't how it's supposed to work in any books I've read.

They do however use their identity integration server product which I guess is a bit of dog food. They have some guiding principles / tips, which seem to go a little something like this:

  • AD should not be authoritative for anything (almost; aside from DNS / computer accounts... stuff that's only in AD), which is like what we think
  • User accounts live in the account provisioning system (like groupman!)
  • There is a self-service drive (user / group management) - not like us
  • They deal with deleted accounts by moving them to a locked OU in AD for a bit - not like us
  • They run multiple MIIS instances to deal with policy problems... who can re-activate your account to access information / HR / legal etc.
    3 MIIS instances are running: 1 x MIIS for users (provisioning / deprovisioning), 1 x security groups etc., 1 x topology
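The "move deleted accounts to a locked OU for a bit" practice above is the one concrete deprovisioning step in the session, so here is what it looks like as a script. This is an added example, not code from the post or from Microsoft's own MIIS setup; it uses the ActiveDirectory PowerShell module, and the OU name, the 30-day retention window and the ticket parameter are placeholders I've assumed.

```powershell
# Added example: the "disable, park in a locked OU, delete after a retention
# period" deprovisioning pattern. Not from the original post or from Microsoft.
# Assumptions: the quarantine OU and retention window below are placeholders.
Import-Module ActiveDirectory

$QuarantineOU  = 'OU=Quarantine,DC=example,DC=com'   # placeholder OU
$RetentionDays = 30                                   # placeholder window

function Invoke-AccountQuarantine {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Ticket          # hypothetical change ref
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Disable first, so the account is unusable while it sits parked.
    Disable-ADAccount -Identity $user

    # 2. Record when and why, so "who can re-activate this account" requests
    #    (HR / legal) can be answered from the directory itself.
    $stamp = 'quarantined {0:yyyy-MM-dd} ticket {1}' -f (Get-Date), $Ticket
    Set-ADUser -Identity $user -Description $stamp

    # 3. Strip group membership so a reactivated account starts from zero
    #    instead of inheriting whatever access it had before.
    foreach ($group in $user.MemberOf) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }

    # 4. Park it in the locked OU. A GPO / ACL on that OU is expected to deny
    #    logon and self-service changes for everything inside it.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
}

function Remove-ExpiredQuarantine {
    # Delete disabled accounts that have sat in the locked OU past the window.
    # Uses the object's last-modified time as the park date; any later edit to
    # the account resets that clock, which errs on the side of keeping it.
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $QuarantineOU -Filter { Enabled -eq $false } -Properties Modified |
        Where-Object { $_.Modified -lt $cutoff } |
        ForEach-Object {
            Write-Host "Deleting $($_.SamAccountName) (parked since $($_.Modified))"
            Remove-ADUser -Identity $_ -Confirm:$false
        }
}

# Usage (constructed): Invoke-AccountQuarantine -SamAccountName jbloggs -Ticket HR-1234
#                      Remove-ExpiredQuarantine   # run on a schedule
```

The point of the two-step shape is that disable-and-park is reversible and delete is not, which is exactly the gap the locked OU buys you: a leaver whose account turns out to be needed for a legal hold or a hand-over can be moved back without a restore.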

The key challenges seem to be the same as we've already identified, questions such as:

  1. How do you enforce business logic?
  2. How do you define which data is authoritative?
  3. How do you deal with exceptions?
  4. What about single IDs?
  5. Reuse of accounts?

This is not an exhaustive list, so I asked a few questions...

Q. What exactly is your account management system?

A. It's an in-house written app in .NET with a SQL Server 2005 back end (sound familiar?)

Q. How do you deal with workflow and scheduling?

A. You can do a lot of things in MIIS but for really complicated things then you need to fall back on the code. Things like outlook notifications and approval work as standard, but more than that there is work to do in MIIS. In the next generation of the product a lot more of this is covered.

Q. What other systems do you provision from / to?

A. Not much. SAP holds all the employee data (including non-Microsoft staff) and provisions to AD / Exchange. Anything else is handled elsewhere.

Q. What role based provisioning are you doing?

A. None. We tried to get role based provisioning working for security groups, but because of the 1000 security group limit, it was too difficult.

So what does this all mean for ISS and our UIM project? Well, I would say that the product they will bring out in Q4 2008 will be a lot better and will address things like strong interop with the .NET framework and MS workflow engines. But in my opinion they are still running behind other players in this market. We should include MS in our thinking, but not worry too much if they don't make it for now.
