A successful transition from MIM to HyperSync comes down to careful planning and execution, whether you're an Identity Panel customer or not. This guide is designed to assist customers about to make this transition, and explains the four steps involved.
1. Assess your IAM Maturity
If you haven't done one already, start with a quick IAM Maturity Assessment. This is key not only to establishing the business case you might need, but also to identifying any gaps between your Current and Target IAM state. Whether or not you already have the Identity Panel Suite deployed with MIM, SoftwareIDM and our partners can help you identify tangible benefits from addressing these gaps in a prioritized way.
An existing Identity Panel site with MIM may expose gaps where platform gains alone are enough to establish the business case for the upgrade. Alternatively, your identified target state might demand that you augment what you already have with additional Identity Panel Suite features such as Access Panel and/or Service Panel.
2. Document Current State
The next step is to take a closer look at the configuration already in place.
For any existing MIM environment we recommend you start by collating the following:
- For sites where the MIM Sync Service is installed (almost all of them) ...
- MIM Sync Server config (exported from your MIM Sync service)
- For sites where the MIM Service/Portal is installed (not everyone has this) ...
- MIM Service Schema and Policy exports:
- Output from the microsoft/MIMConfigDocumenter tool (GitHub), specifically a DIFF report comparing the above XML config files to the baseline configuration version 4.4.1459.0 (supplied with the tool; this precedes the default BHOLD policy, so expect some "noise" in the report)
- Note that, as per the tool's guidance, you will need to specify the reportType parameter to suit your environment:
- SyncOnly for only a MIM Synchronization Engine
- ServiceOnly for only the MIM Service and Portal
- SyncAndService for both
- Any rules extension and custom workflow libraries presently in use (obtain source code if you can)
- Any operations scripts and configuration files
- A report of the latest MIM Sync errors and failed requests
Then, if you have Identity Panel already deployed, add to this the exported JSON of the configuration (Settings / Settings History / Download All Current Settings).
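The collection above can be scripted so that every current-state run produces the same folder layout and an integrity manifest. The PowerShell below is an added example, not SoftwareIDM's or Microsoft's code. It assumes the default MIM install path, that it runs on the MIM Sync server with MIIS admin rights, that the FIMAutomation snap-in is available when -IncludeService is set, and that Sync Service events are logged under the FIMSynchronizationService source; the SyncConfig/ServiceConfig folder names and the manifest file are conventions chosen for this example.

```powershell
# Added example (not SoftwareIDM's or Microsoft's code): collate the MIM current-state
# artefacts into one timestamped folder with a SHA-256 manifest, so the baseline can be
# verified later and fed to the MIMConfigDocumenter DIFF report.
# Assumptions: default MIM install path; run on the Sync server as a MIISAdmins member;
# FIMAutomation snap-in present where the MIM Service is installed.
#Requires -RunAsAdministrator
param(
    [string]$OutputRoot = "C:\MIM-CurrentState",
    [string]$SyncBin = "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin",
    [switch]$IncludeService   # set when the MIM Service/Portal is installed on this host
)

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$target = Join-Path $OutputRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Sync Service server configuration (same XML as File > Export Server Configuration).
#    MA credentials are not part of this export, but rules extension names, connection
#    details and flow logic are, so treat the output folder as sensitive.
$syncDir = Join-Path $target "SyncConfig"
New-Item -ItemType Directory -Path $syncDir -Force | Out-Null
& (Join-Path $SyncBin "svrexport.exe") $syncDir
if ($LASTEXITCODE -ne 0) { throw "svrexport.exe failed with exit code $LASTEXITCODE" }

# 2. MIM Service schema and policy, using the same calls as the ExportSchema.ps1 and
#    ExportPolicy.ps1 samples shipped with the MIM Service.
if ($IncludeService) {
    $svcDir = Join-Path $target "ServiceConfig"
    New-Item -ItemType Directory -Path $svcDir -Force | Out-Null
    if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
        Add-PSSnapin FIMAutomation
    }
    $schema = Export-FIMConfig -schemaConfig -customConfig "/ObjectTypeDescription","/AttributeTypeDescription","/BindingDescription"
    $schema | ConvertFrom-FIMResource -file (Join-Path $svcDir "schema.xml")
    $policy = Export-FIMConfig -policyConfig -portalConfig -MessageSize 9999999
    $policy | ConvertFrom-FIMResource -file (Join-Path $svcDir "policy.xml")
}

# 3. Rules extension and custom workflow assemblies currently deployed (binaries only;
#    source code has to be obtained separately, as the guide notes).
$extDir = Join-Path $target "Extensions"
New-Item -ItemType Directory -Path $extDir -Force | Out-Null
$extSrc = Join-Path (Split-Path $SyncBin -Parent) "Extensions"
if (Test-Path $extSrc) {
    Copy-Item -Path (Join-Path $extSrc "*.dll") -Destination $extDir -ErrorAction SilentlyContinue
}

# 4. Recent Sync Service errors and warnings from the Application log.
#    Assumption: the provider/source name is FIMSynchronizationService. Level 2 = Error, 3 = Warning.
Get-WinEvent -FilterHashtable @{ LogName = "Application"; ProviderName = "FIMSynchronizationService"; Level = 2,3 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path (Join-Path $target "sync-errors.csv") -NoTypeInformation

# 5. Integrity manifest: hash every collected file so the baseline can be checked before it
#    is used for the Documenter DIFF or committed to a repository.
Get-ChildItem -Path $target -Recurse -File |
    Where-Object { $_.Name -ne "manifest.sha256" } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "{0}  {1}" -f $_.Hash, $_.Path.Substring($target.Length + 1) } |
    Set-Content -Path (Join-Path $target "manifest.sha256")

Write-Host "Current-state baseline written to $target"
```

Run it once per environment (with -IncludeService on hosts that have the MIM Service) and copy the SyncConfig and ServiceConfig folders into the MIMConfigDocumenter data folder for your site before generating the DIFF against the supplied 4.4.1459.0 baseline; keep the manifest with the exports so a later run can show whether the "current state" has drifted.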
3. Document your Target State (uplift Requirements)
Having assessed your maturity, you now know what a successful HyperSync implementation looks like. But are you able to articulate a clear set of numbered requirements against which you can measure success? From experience, it is generally unwise to assume that your current MIM solution, once coupled with HyperSync, must already be meeting those requirements (whatever they are) and that you therefore don't need to worry. This is especially true if your MIM solution has been in place for a number of years, most likely from before Zero Trust was a concept.
A better approach is to take the time to come up with a list of functional and non-functional requirements, then take a critical look at exactly how well they are being met by your current MIM platform (with or without Identity Panel).
No two MIM implementations are ever the same, because everyone's IAM needs are different, or at least expressed in a different way. However, at SoftwareIDM we've developed the SoftwareIDM Patterns and Practices Toolkit, which we believe represents the most common requirements, broken out into a hierarchy under broad joiner/mover/leaver (JML) categories along with operational considerations. By using the Toolkit you can cross-reference your own numbered requirements against it and, in some cases, inspect the HyperSync implementation patterns that we believe provide the soundest approach to implementation.
This approach means that what could otherwise lead to the inevitable "analysis paralysis" instead becomes a straightforward correlation exercise. As a result you will understand the degree of overlap you have with our pattern library, disregarding the things you don't need or adding new things of your own.
Take care at this stage not to dismiss any requirement as invalid; it is far better to raise it with us or with our experienced IAM solutions partners. It may be as simple as identifying an extra Entra feature to consider, or applying some other infrastructure or technology that you may already have in a slightly different way. At the very least, mark it as out of scope for the time being.
The above will help us prioritize, quantify and scope the work effort required.
4. Map out an Approach
One of the benefits of the Identity Panel Suite is that it allows a phased implementation instead of forcing you into a "big bang" style transition. In either case, the platform also provides you with Operational and Migration Safeguards to ensure your transition is clean and any outage is minimized.
Based on experience, a typical HyperSync Migration approach would look something like the following (simplified for one Non-production and one Production operational environment):
- Implement Identity Panel (IdP)
If not already present, we believe overlaying Identity Panel (IdP) on your existing MIM platform is the obvious first step. This will give you the following immediate benefits:
- Purchase licenses from SoftwareIDM (including the new Azure Marketplace option)
- Read product documentation relating to the deployment, including
- Design
- Installation
- Configure tenant to host Identity Panel (preferred) or configure hosting server virtual infrastructure (incl. certificates, firewall rules, service accounts), for all environments including non-Production (at least one) and Production
- Implement MIM and/or AAD Connect Providers (non-production), plus any other relevant providers (e.g. Workday, ServiceNow, Salesforce, etc.)
- Implement Join rules for all Providers (MIM and/or AAD Connect at a minimum) to enable Time Traveler and audit change history prior to migration across entire identity landscape
- Streamline configuration migration using global environment settings and changes history
- Configure Identity Panel for MIM operations with built-in dashboards, scheduling (with optional thresholds) and pending changes reporting
- Implement extensions for Health Checks
- Configure Test Panel for automated regression testing and automated deployments (optional)
- Configure Service Panel for custom forms to assist in the transition (optional)
- Export configuration and deploy (inactive) to Production, updating imported environment variables to match
- Bring Production configuration online and decommission existing MIM operations (e.g. scripts, Task Scheduler, etc.)
- Implement HyperSync Panel (Inbound)
Configure HyperSync side-by-side with MIM Synchronization to achieve rule convergence (Non-production):
- Hyperverse schema to match your MIM Metaverse schema (to drive inbound convergence)
- Add a Provider for each system connected to MIM via a Management Agent
- Configure join rules for each new Provider
- Inbound attribute Flow rules and rule sets, with custom functions and rule precedence for each of the following:
- Each MIM Management Agent to be migrated
- MIM Service Management Agent
- Any additional contributing sources (e.g. Azure for M365 group membership)
- Stateful sync rules and rule sets (can be initially disabled and progressively brought online)
- Implement HyperSync Panel (Outbound)
Extend HyperSync side-by-side with MIM Synchronization to achieve rule convergence (Non-production):
- Outbound attribute Flow rules, workflows and rule sets, with custom functions and rule precedence (initially disabled, for progressively bringing online)
- Enable HyperSync outbound rule sets in SIMULATION MODE
- Design operations schedules
- Disable MIM outbound attribute flows
- Run the HyperSync Actions Report (filtered on Simulation Mode only)
- Refine rules/rerun until rule convergence (no net changes pending)
- Design and execute regression Test Cases (optional)
- Simulate and commit selected identity outbound flows individually
- Set global Simulation Mode prior to migration
- Export configuration
- Update GIT repository (best practice)
- Migrate configuration to Production
Deploy in the following sequence:
1. Environment Settings - Identity Panel
2. Providers Settings - Identity Panel (depends on #1 Environment)
3. Extensions Settings - Identity Panel (depends on #2 Providers)
4. Join Rules Settings - Identity Panel (depends on #2 Providers)
   - Run data scans ONLY after this step!
5. Dashboards Settings - Identity Panel
6. Email (Panel Service) Settings - Identity Panel
7. Security Settings - Identity Panel
8. Extensions Settings - Identity Panel
9. HyperSync Panel Settings - Identity Panel
   - After import, immediately go to HyperSync Panel Settings - Identity Panel
   - Confirm "Simulation Mode" is ON (bottom right of the section)
10. Reports Settings - Identity Panel
11. Schedules Settings - Identity Panel
12. Service Panel Settings - Identity Panel
13. Test Panel Suite Settings - Identity Panel
- Initial Data Load and Synchronization
- Perform schema scans with each directory provider.
- Edit partition selections
- Set Condition Rules
- Perform Data scans of each provider with Panel Tool
- Use Time Traveler to validate joined data
- Verify and Enable HyperSync (go-live part #1)
- Enable import rules for HyperSync and perform full syncs to populate the Hyperverse
- Enable Export Preview and preview select accounts to Verify Pending Exports/Operations
- Enable Global Simulation Mode and run full synchronization (set checkbox ON/CHECKED)
- Note: should already be disabled!
- Run the HyperSync Actions Report (filtered on Simulation Mode only) to verify Pending Exports/Operations
- Make configuration edits as needed
- Refine and rerun report as often as needed until convergence achieved
- Preview Commit Changes for selected accounts to verify exports/stateful provisioning
- Provide heightened support
- Generate Documentation, such as
- As Built
- Operations Guide
- Deliver training
- Migrate MIM Portal Functionality - Custom Forms
- Design Service Panel dashboards and forms, with projected datasets from Identity Panel (Non-production)
- Implement workflows and any HyperSync actions (e.g. direct updates to Hyperverse, including any required auxiliary attributes - see selected patterns from the Toolkit)
- Identify MIM Policy for obsoletion
- Design and execute regression Test Cases (optional)
- Export configuration
- Update GIT repository (best practice)
- Deploy to Production (details to be prepared separately)
- Obsolete superseded MIM policy
- Update documentation and provide training
- Migrate MIM Portal Functionality - Access Governance (IGA)
- Design Access Panel dashboards and forms (Non-production)
- Implement Access Panel, including any user, group and other resource mappings
- Identify MIM Policy for obsoletion
- Design and execute regression Test Cases (optional)
- Export configuration
- Update GIT repository (best practice)
- Deploy to Production (details to be prepared separately)
- Obsolete superseded MIM policy
- Update documentation and provide training
Be sure to practice and refine the above process with your own environment before your own go-live, as there are invariably going to be additional steps that will be unique for you.