What’s FIM all about?

Agenda What is FIM Why are we implementing FIM How is FIM related to Office 365 What will FIM do How does FIM differ from ILM (current solution) What does FIM mean to administrators What does FIM mean to users When will FIM be implemented

What is FIM? Microsoft Forefront Identity Manager Identity Management Applies business rules to provision and de-provision BLUE Accounts Recognizes HRMS, Banner, and Guest table as authoritative source systems Manages accounts for alumni and retirees Manages address lifecycle Better manage guest accounts with and without

Why are we implementing FIM Product upgrade to ILM Has been running at CU for over 3 years Office 365 required changes to accounts to AD Fixes logic in ILM that never worked Better manages to deletion of abandoned accounts Adds functionality that was not included in ILM Centralizes logic in FIM Simplifies complex licensing requirements from Microsoft Enable to University to offer to alumni and retirees

How is FIM related to Office 365 Office 365 requires accounts to be configured in a specific way FIM writes and manages attributes in AD required for Office 365 FIM and Office 365 can exist without each other FIM streamlines management of AD accounts, Microsoft licensing, and mailbox management Students have migrated to Office 365 without FIM, but we did have to make manual adjustments to accounts to make this work. These manual adjustments could not be managed long-term FIM makes it easier to manage accounts in the manner required by Office 365

What will FIM do? Primarily FIM creates, manages, disables and deletes AD accounts in accordance with business rules. Creates hidden accounts for accepted students Unhide accounts when student enrolls Maintains student account based on Banner data Manages guest accounts based on start and end date Manages employee accounts based on HRMS data Manages all changes to students, employees, and guests Maintains specific attributes required by Office 365

How does FIM differ from ILM ILM is fed by three ‘feeds’ so it does not know if a person is both a student and employee FIM is fed by a single ‘feed’ with with data about students, staff, and guests ILMs Logic is contained in ILM and in the ‘feeds’ it gets from HR, Banner, and Guests FIMs logic is contained within FIM FIM will do the same things that ILM does, just better

What does FIM mean to administrators? ILM created new users in MigratedUsers OU and adminstrators could move the account to their own OUs Resulting in user objects spread inconsistently across the AD FIM will move and create all users in the UserObjects OU Microsoft best practice for AD management Group Policies Objects applied to user accounts must be updated GPOs applied to computer objects will not be affected All other AD permissions and clean up have nothing to do with FIM

What does FIM mean to users? FIM will handle changes to user much better than ILM Ex. When someone changes their name with HR the name change will be processed by FIM and a new address will automatically be created Manages the AD account throughout all stages in the lifecycle of a user FIM allows alumni and retirees to keep their AD accounts FIM allows for addresses to be tied to an individual just like NetID If a former student comes back to CU years later as a faculty member they will get their same address

When will FIM be implemented? Soon We are in the final stages of testing Project started last Fall We had hoped to get FIM turned on in time for graduation Admissions offices and Alumni offices create unique challenges on the activation of FIM Once FIM is live all new account will be created with mailboxes in the ‘cloud’

Q&A Any questions?