When to use Microsoft Identity Manager Over Azure Active Directory Connect?

Paul Colmer

Paul Colmer is the lead digital architect ALC Training and Consulting. He is responsible for creating and running all the cloud security courses, which include CCSP, AWS, Azure, Office 365 and cloud foundation certifications.

Firstly, let's establish Azure Active Directory (AAD) is used for:


 In a nutshell, it allows you to create federated and synchronised contact information between one or many active directory domains with one or many Azure active directory domains.

Here is an example of where you could use federation using AAD Connect.  This is part of a wider architecture that allows you to integrate your SCOM monitoring data with Azure Log Analytics in OMS, using multi-factor authentication:

The predecessor to Microsoft Identity Manager is Forefront Identity Manager, known as FIM, and with mainstream support ending in October this year and end of life expected in 2022.

MIM has all the features of FIM plus a few more.  Here is a great overview of MIM, which builds on the existing FIM features.

From my own experiences with FIM, MIM and AAD Connect, my thoughts are that it depends on the specific level of control you need. 

For example, if you have customised your Active Directory schema heavily and you have apps in your forest that use these customised data items, then you'll likely need more control and flexibility with your on-premise AD to Azure AD data synchronisation settings.  Especially if you decide to move or migrate the apps that are utilising the custom meta-data, to the cloud.

Another use-case is if you wish to use one of the inbuilt connectors to help federate between internal systems and AD on-premise.  FIM comes with 3 connectors for example: 

  • Lotus Notes
  • Oracle Business Apps
  • SAP

Microsoft Identity Manager does a great job of allowing you set custom synchronisation rules to provide that level of granularity.  This article is based on the FIM sync rules, but still applies to MIM.

Unfortunately, AAD Connect is also a moving target with features being constantly released that make it less feasible to use MIM.

After a bit of digging around to find out the specific use cases, I found this great article on TechNet.

It clearly outlines all the key features that AAD currently support and that FIM supports.  As you can see there are many features that are marked in AAD as 'future release'.  But at the time of writing the following features were only supported with MIM:

I also found this incredible resource, with outlines very clearly all the architectural patterns that are supported with AAD Connect.

And here are some of the diagrams from the link showing the patterns:

And there you have it.  A very quick summary of resources that will help you decide whether to go AAD Connect or MIM for your organisation.

I always recommend the to start with a test setup of AAD Connect and a copy of your on-premise AD and simply identify several different use-case scenarios that you currently encounter. 

I think it's most likely that 80% of the time AAD Connect will be enough.  The 20% being service providers hosting multiple clients with complex active directory requirements, or companies that have 100's of domains spread across several countries, with connections to internal systems for advanced identity federation.

And yes, some clients really do have 100's of domains…..

Paul Colmer is the lead digital architect ALC Training and Consulting.  He is responsible for creating and running all the cloud security courses, which include CCSP, AWS,  Azure, Office 365 and cloud foundation certifications.  For more information visit: https://www.alctraining.com.au/courses/cloud-computing/

Or engage with Paul on his crazy adventures on twitter: @musiccomposer1 using the hashtag #CCSP

Tags: Microsoft, azure, Microsoft identity Manager (MIM)

Show Comments