A SoftwareIDM Pattern documentation article

Business case/problem description

The end of support date for Microsoft Identity Manager (MIM) 2016 has been extended from January 13, 2026 to January 9, 2029 for Azure Active Directory Premium customers. However, for several years now Microsoft has been in the process of retiring this MIM, and customers looking to transition to an alternative viable platform are rightly concerned about the time and effort that will be required to rebuild their unique implementation configurations.

SoftwareIDM customers who have already implemented the Identity Panel Suite are already safeguarding their MIM operations, with many also having used Uplift component of the Identity Panel Framework to consolidate their business logic in a single platform, whether hosted or on premises.

Prior to the advent of HyperSync, the only option was to run Identity Panel in conjunction with MIM. Now that there is a complete replacement option, more organizations are turning to SoftwareIDM and its partner network to make the transition off MIM, and want to understand more about the process involved.

However, as with any undertaking of this nature, the cost can be higher than expected, and this can be for a number of reasons, particularly difficulties associated with older MIM platforms such as:

• understanding, extending and supporting the existing MIM solution
• finding expert technical assistance
• finding the solution no longer meets their business needs
• losing sight of the original business requirements completely
• not having the time to do anything about it

For many of these customers the MIM custodian (or established SME) has already left the organization, sometimes with multiple handovers having already occurred. This has forced some customers to abandon MIM altogether in favour of a popular alternative. However, in some cases former MIM customers are now regretting the lack of certain IAM capabilities in their new platform.

With HyperSync, SoftwareIDM has ensured that the features that both MIM implementers and operators consider most valuable are incorporated in the product. But most are still wondering exactly what effort is required to get there.

SoftwareIDM has long acknowledged the effort required to move from MIM to anything else is going to be a lot more for some customers than others. This is because MIM has been implemented for organizations

• with a head-count ranging from the low 100s to the millions
• with IAM business rules from simple to highly complex
• with deployments from 1 to many server configurations, sometimes in multiple continents
• with none to many non-production environments

For many, the temptation might still be to do nothing but wait and hope for an answer. After all, why would anyone want to move off MIM at all? If it ain’t broke, why fix it? Right? Right??

Introduction to solution pattern/feature

SoftwareIDM is pleased to be able to significantly simplify your transition to HyperSync by providing a script-based migration pattern.

The pattern involves the following steps, and should be undertaken as part of the published migration methodology.

• Using MIM Uplift to import your MIM configuration into Identity Panel
• Preparing the Identity Panel and MIM prerequisites for the migration process
• Generating and importing Identity Panel and HyperSync configuration
• Testing your solution and troubleshooting, including using the As-Built documentation.

Pattern licensing and features used

Effort estimate (guideline)

Notes

• In most cases HyperSync configuration should be expected to be incomplete, but still execute without error
• Typical follow-up configuration would include
  1. Implementation of Custom Rule Functions stubbed from rules extensions
  2. Troubleshooting any errors (e.g. steps missed or performed out of sequence)
  3. Addressing any issues identified as WARNING alerts in the As-Built documentation

Prerequisites

1. Create a new working folder on your local server, e.g. C:\temp\DEMO
2. Copy . from the SIDM Scripts folder
3. Paste to the working folder
4. Unblock the file Convert-MIMtoHS-Provider.ps1
5. Extract *.xml from the copied (sample ILM2007 server config) Demo.Server.zip file to a working server sub-folder, e.g. C:\temp\DEMO\server.

Notes:
1. If you are working with your own FIM or MIM server configuration, paste these files into your server instead.
2. When uploading or downloading files from Identity Panel, use this working folder at all times in the process described below.

Instructions/walkthrough

1. Ensure that there is at least one correctly configured AD provider in your current (baseline) Identity Panel configuration (with Environment variables as necessary)

   IMPORTANT: This must be a working connection with scanned data already present - all AD providers will then be cloned from this provider

2. Create a new MS Sync Connection provider to use as a placeholder for your MIM Sync configuration to reference
   1. Browse to Settings/Providers (~/settings/providers)
   2. Select MS Sync Connection from the Select Type dropdown (bottom of page) and click the +New button next to it
   3. Give the provider a name, e.g. MIM Sync company name
      
   4. Set the value for both Sync SQL Instance Name and Portal SQL Instance Name values to NA
   5. Clear the Provider Enabled checkbox (bottom of provider settings)
      
   6. Click the save button in the floating toolbar - adding New company name MS Sync provider in the comments so you can later find this in the Identity Panel Settings History and confirm Success.
      
   7. Refresh to ensure the new MS Sync Connection is now present at the bottom of the list
   8. Browse to Settings/Uplift for MIM (~/settings/upliftsettings)
   9. Click the +New button to create a new Uplift for MIM configuration and select the newly created MIM Sync company name provider from the list
   10. Click the save button in the floating toolbar and confirm Success:
       
3. Create an empty folder on your MIM server and export your MIM Sync Server config (MV.xml + multiple MA.xml files) to that folder
4. Create a new working folder C:\temp\xxx on your local file system (or if you prefer you can work directly on your MIM server provided it can access the internet).
   1. Copy the exported MIM server configuration to a subfolder (e.g. C:\temp\xxx\server)
   2. Browse to the SoftwareIDM Box Scripts File Share and download a copy of the following files:
      • Convert-MIMtoHS-Provider.ps1
      • TransformFragment.xsl
5. Upload all exported MIM Sync Server files (XML) to your Identity Panel (IdP) instance:
   1. Browse to Settings/Uplift for MIM (~/settings/upliftsettings)
   2. Click on the Upload MIM Configuration button
   3. Select the new MS Sync Provider (e.g. MIM Sync company name) from the MIM Provider list
   4. Click on the Choose MIM Config button and browse to the folder containing your MIM Sync Server config (MV,xml + multiple MA.xml files)
   5. Select all M*.XML files and click the Open button
   6. Click the Ok button and confirm Success
   7. Expand the new Uplift for MIM entry (e.g. MIM Sync company name) and confirm all uploaded MA definitions are present along with Metaverse Import Flow, e.g.
      
   8. Confirm there is at least one AD MA in the list by expanding and inspecting it - and check to see if there are any Export Flow Rules, Filter Rules and Projection Rules present
6. Download the imported MIM config from the target MIM Uplift package to the -mimJsonFile file (JSON format) in the -workingFolderPath folder:
   
   
   1. Browse to Settings/Uplift for MIM (~/settings/upliftsettings)
   2. Click on the file download button in the Flow Editor panel for your new MS Sync Provider (e.g. MIM Sync company name) - to the right of the strip

      IMPORTANT: do NOT use the Download Config Package button - this is for a completely different purpose that is not part of this exercise.

   3. Give the file a name (e.g. Uplift_DEMO_MIM) and wait for the download to complete
   4. Locate the download .JSON file in your Downloads folder - it may have a (##) appendix if one already existed
   5. Select the properties of the file and set the Unblock checkbox

      IMPORTANT: the Unblock checkbox should ALWAYS be cleared after downloading any config file to avoid file protection errors.

   6. Move the downloaded .JSON file to your -workingFolderPath folder
7. Download the existing IdP Provider config to the -providersBaselineJsonFile file in the -workingFolderPath folder via the Settings/Providers (~/settings/providers) page - file download button in floating toolbar
8. Download the existing IdP Environment config to the $environmentBaselineJsonFile file in the -workingFolderPath folder via the ~/settings/environment page - file download button in floating toolbar
9. Download the existing IdP Join Rule config to the $joinBaselineJsonFile file in the -workingFolderPath folder via the ~/settings/joins page - file download button in floating toolbar
10. Download the existing IdP HS Rule config to the $hyperSyncBaselineJsonFile file in the -workingFolderPath folder via the ~/settings/hypersync page - file download button in floating toolbar
11. Look up the GUID (string format) for the -hvSiloID parameter you will need to supply (use the RuleTester to extract this for special.Identity Silo.Hyperverse)

    1. Browse to Settings/Test Panel (~/settings/mimtest)

    2. Select Rule Tester (top menu)

    3. Paste special.Identity Silo.Hyperverse into the Value Rule

    4. Click the Render button

    5. Open the PowerShell ISE

    6. Paste the following script into the Untitled.ps1 window, where xxx is the unique name of your configuration (adjust as required)

       C:\temp\xxx\Convert-MIMtoHS-Provider.ps1 -workingFolderPath "C:\temp\xxx" -hsSchemaPrefix "xxx_" `
           -hvSiloID "<special.Identity Silo.Hyperverse>" `
           -providersBaselineJsonFile "Providers_Baseline_xxx.json" `
           -hyperSyncBaselineJsonFile "HS_Baseline_xxx.json" `
           -joinBaselineJsonFile "JoinRules_Baseline_xxx.json" `
           -environmentBaselineJsonFile "Environment_Baseline_xxx.json" `
           -mimJsonFile "MIM_Uplift_xxx.json"

    7. Select the guid value returned in the Rule Value result (browser)

    8. Copy to the clipboard

    9. Paste into the hvSiloID parameter

    10. Specify values for any remaining parameters if you wish to override any of the defaults …

        -workingFolderPath # Full file path to the folder containing all JSON upload and download files
        -mimJsonFile # Exported MIM (Uplift) JSON
        -hvSiloID # (REQUIRED) Hyperverse guid - must be supplied (use the RuleTester to extract this for "special.Identity Silo.Hyperverse")
        -providersBaselineJsonFile # Exported Provider JSON file
        -providersMIMJsonFile # Generated Provider JSON file, defaults to "Providers_MIM.json"
        -hyperSyncBaselineJsonFile # Exported HyperSync JSON file
        -hyperSyncMIMJsonFile # Generated HyperSync JSON file, defaults to "HS_MIM.json"
        -joinBaselineJsonFile # Exported Join JSON file
        -joinMIMJsonFile # Generated Join Rules JSON file, defaults to "Join_MIM.json"
        -environmentBaselineJsonFile # Exported Environment JSON file
        -environmentMIMJsonFile # Generated Environment JSON file, defaults to "Environment_MIM.json"
        -convertADOnly # Convert only MIM <=> AD flows (initial version limitation only)
        -delayHSCreation # Skip HS configuration file creation (to support initial discovery phase), defaults to $false
        -hsSchemaPrefix # HS object schema prefix, defaults to "SIDM_" (to avoid overwriting existing schema - but can be set to "" for a greenfield HS deployment)
        -hsDefaultRuleSetName # Default RuleSet name, defaults to "MIM Uplift" (to avoid overwriting existing rules - but can be set to "Default" for a greenfield HS deployment)
        -xsltPath # XSL transform for converting embedded MIM function XML into MIM Portal rules expressions

        !!! IMPORTANT - be sure to specify a non-blank hsSchemaPrefix parameter if you have existing HS schema and rules !!!

    11. Run the script

    12. Take note of any WARNING messages returned by the script, e.g. 

        1. WARNING - Parameter hsSchemaPrefix not supplied …
           This is a prompt to confirm the intent to use NO prefix before continuing with execution of the script.
        2. WARNING - multiple join attributes present in MIM config for MA …
           The script does not support multi-attribute joins in MIM, and will only migrate the first join rule in MIM, and you will need to extend this as required by hand afterwards.
        3. WARNING - join on expression …
           The script does not support joins on rule expressions in MIM, migrating only the (first) join rule in MIM as a direct match, and you will need to extend this as required by hand afterwards.
        4. WARNING - Deprecated MIM Feature …
           The script will check for the presence of key deprecated features in MIM (e.g. Equal Precedence). While you can still continue with the conversion, you should discuss any implications with either SoftwareIDM or a Partner afterwards.

    13. Use Windows Explorer to confirm that the 4 expected *_MIM.JSON files have been generated as expected.

12. Upload the generated -providersMIMJsonFile file in the -workingFolderPath folder via the Settings/Providers (~/settings/providers) page - file upload button in floating toolbar
    
    
    1. On successful upload, inspect the Providers page and confirm at least one new Directory Connection is present for your new configuration
    2. Confirm that all expected AD providers have been created - and that no existing one (of the same name) has been overwritten (in which case recover from history)
    3. Note that the Partitions to Include must be left as your existing (scanned) AD MA partition
    4. Expand and inspect the Objects and confirm the schema is as expected, e.g.
       
13. Load the new provider with AD data

    NOTE: If strictly following the guidance so far, this will be a clone of the existing AD provider, but with the schema imported from the MIM configuration. While no data will be present if the imported MIM AD schema does not match the existing objects and attributes exactly, this process will not generate any errors. This allows us to complete the foundational HyperSync configuration before loading the correct.
    Alternatively, if not in a lab context, you may be able to connect to the same data source matching the original MIM connection.

    1. Connect to the server hosting PanelService over RDP
    2. Restart PanelService (Services console)
    3. Run PanelTool (~\Program Files\SoftwareIDM\PanelTools\PanelTool.exe)
       
       

       Note: If (as in the screenshot) there is a warning to upgrade Panel Tools, this can be done by following the guidance in Panel Tools and Upgrade

    4. Select the correct menu option to run a Schema Scan followed by a Data Scan for each new Provider using PanelTool
    5. Monitor the ~/history page to confirm the scans have completed without error
    6. Click on the Time Traveler V drop-down button to display a list of known providers for your Identity Panel instance.
       
    7. Select your new (MIM-converted) provider from the Search Silo drop-down:
       
    8. Click the Search button, and confirm that the expected data is present:
       
       

       Note: if data is not present check that there were no errors in the history, and double-check that you have scanned the correct provider with PanelTool.

14. Overwrite the original Panel Provider baseline JSON file and rerun the script
    1. Browse to the Settings/Providers (~/settings/providers) page and repeat step #7 using the file download button in floating toolbar to download the updated IdP Provider config over the top of the existing -providersBaselineJsonFile file in the -workingFolderPath folder.
    2. Re-run the script - same parameters as in step #11 (but with the updated providers file so we get the latest Identity Panel silo guids!!!)
    3. Use Windows Explorer to confirm that the 4 expected *_MIM.JSON files have been overwritten as expected.
15. Upload the generated -joinMIMJsonFile file in the -workingFolderPath folder via the ~/settings/joins page - file upload button in floating toolbar
    1. Confirm success - there should be new Join configuration for your converted MIM configuration
16. Upload the generated -environmentMIMJsonFile file in the -workingFolderPath folder via the ~/settings/environment/functions page - file upload button in floating toolbar
    1. Confirm success - if referenced MIM rules extensions were detected there should be corresponding new Custom Rule Functions created (prefixed if -hsSchemaPrefix was specified) as stubs for your converted MIM configuration.
17. Upload the generated -hyperSyncMIMJsonFile file in the -workingFolderPath folder via the ~/settings/hypersync page - file upload button in floating toolbar
    1. Confirm success - there should be new HyperSync Panel configuration for each of the Attribute Flow and Stateful Sync tabs:
       
    2. Expand each Rule Set and ensure integrity is OK.

Testing

1. Browse to the ~/settings/hypersync page and enable the <your schema prefix>MIM Uplift - Inbound Attribute Flow Rule Set
   1. IMPORTANT: if you omit this step you may see the following error raised when you try to perform a Synchronize (in Simulation mode):
      
2. Click on the Search Time Traveler V button and select one of the new providers from the Search Silos list.
3. Click Search to display a list of AD objects (cloned from the existing AD provider but as yet unjoined).
4. Select a user object from the list (click on the DN).
   
5. Click on the pencil icon in the AD silo object header to display the Data Tools dialog.
   
6. Expand HyperSync Panel and click the Synchronize button.
   
7. Inspect the Errors band - there should be none now that the Custom Rule Functions are being stubbed - but if there are see TROUBLESHOOTING below.
   
8. If no errors, clear the Preview Sync checkbox and click the Synchronize button a second time to commit the (default) changes, then close the Data Tools dialog and refresh the browser - if at least one inbound flow rule was in scope there should now be a HyperVerse silo for your synchronized user.
   
9. Browse to ~/settings/versioncontrol and search the As-Built report for any WARNING messages (uppercase).
   
10. Determine how many Stub functions will now need to be written by searching the As-Built report for any TBC Stub references (case sensitive browser search).
    

Troubleshooting

1. If during any of the steps from #8 onwards there is an upload error, use the ~/settings/versioncontrol As-Built documentation to search for WARNING and resolve any broken existing config and restart from testing step #4.
2. If still getting errors, edit the generated JSON data to remove all but a small subset of the definitions and use a process of elimination to identify the root cause(s).
   

   NOTE: this process has been tested with a limited number of existing MIM server configurations and there may be something we haven’t seen before in yours. If assistance is required with the execution of this script please raise a ticket with SoftwareIDM Support