Decision Maker

FIM: At the Forefront of Identity Management

A look at what FIM, Microsoft's latest evolution of meta-directory services for active directory, might be able to do for your shop.

Several years ago, Microsoft purchased a company called Zoomit, which made a meta-directory product. The idea behind the meta-directory was to add a layer atop Active Directory where you would manage user accounts in your environment. In addition to replicating account changes to AD, the meta-directory could also replicate them to other systems and directories, helping to create a unified identity for your users, easing log-on pains and making for a more consistently configured environment.

Microsoft has subsequently released enhanced versions of the meta-directory product in the past few years, continually adding new features and functionality -- and changing its name almost every time. Microsoft Identity Integration Server became Microsoft Identity Lifecycle Manager, which has now become Forefront Identity Manager (FIM), reflecting the product's position as part of the Microsoft security-product family. You might be surprised by what FIM can offer your organization.

Meta-Directory, Sure
FIM still provides robust meta-directory capabilities through an included set of management agents. It can connect to any version of AD, to Tivoli Directory Server, Novell eDirectory, IBM Directory Server, Exchange Server, Lotus Notes, SAP and more; it also exposes an API so that developers can write custom management agents to integrate with line-of-business or other applications. It can work with any directory that supports LDAP or the Directory Services Markup Language, further broadening the directories and applications it can manage for you.

FIM is designed to enable users to manage some delegated aspects of their own identities through tools such as Office, SharePoint and controls built into newer versions of Windows itself. FIM offers self-service capabilities, such as the ability for users to -- using either a Web-based tool or an interface that integrates with the native Windows log-on process -- perform password resets and account unlocks. This is a must-have capability that can save even midsize organizations a considerable amount of money: Industry estimates are that most help desks spend $30 to service a password-reset call, and that about a third of help-desk calls fall into this category.

FIM provides much-needed capabilities for implementing workflow- and change-management capabilities for identity and access management.

Not the Only Solution
FIM isn't cheap. It requires a 64-bit server and a 64-bit version of Windows Server 2008 or Windows Server 2008 R2; it also requires a 64-bit edition of SQL Server 2008 as its data store. It needs a Web server, such as IIS7, and it integrates with SharePoint Services 3.0 SP1 or later. It needs the latest version of the Microsoft .NET Framework, and mailbox provisioning support requires Windows PowerShell (which ships with Windows Server 2008). FIM itself costs $15,000 per server and $18 per user; even fairly large organizations can get by with one server, and discounts are doubtless available for larger organizations with some bargaining leverage.

Depending on your needs, FIM might not be your only option to access the features I've outlined. Quest Software, for example, offers a solution set in its Quest One family that can give you the same workflow capabilities and self-service features -- even connections to certain non-Windows directories and products.

Still, the capabilities offered by FIM are powerful, and they're definitely a must-have for many companies.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.


  • Microsoft Clarifies Project Cortex's Scope, IT Controls and Product Delivery in Q&A

    Microsoft recently offered a Q&A session on Project Cortex, its emerging "knowledge network" solution for Microsoft 365 users.

  • How To Use .CSV Files with PowerShell, Part 2

    In the second part of this series, Brien shows how to import a .CSV file into a PowerShell array, including two methods for zooming in on just the specific data you need and filtering out the rest.

  • Windows 10 Preview Adds Ability To Display Linux Distro Files

    Microsoft on Wednesday announced Windows 10 preview build 19603, which adds easier access to installed Linux distro files using Windows File Explorer.

  • Microsoft 365 Business To Get Azure Active Directory Premium P1 Perks

    Subscribers to Microsoft 365 Business (which is being renamed this month to "Microsoft 365 Business Premium") will be getting Azure Active Directory Premium P1 licensing at no additional cost.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.