I recently learned that at Microsoft, employee ID badges double up as Smart Cards. These are used for performing tasks that need 2FA, such as password resets, signing docs etc. I was curious as to how they achieved it, and I came across a rather powerful, yet relatively obscure tool called Microsoft Identity Manager 2016.
Microsoft Identity Manager (or MIM) is a replacement for Forefront Identity Manager (FIM) built as a mostly ground up rewrite of the platform. Despite a lot of exposure to the Microsoft ecosystem, this is a tool I’ve never come across.
The idea is to centralize employee management, pulling data from places such as Active Directory, and allowing it to be used with Smart Cards, enabling Self Service Password Resets/Recovery, assigning Certificates, Priviledged Access Management and more, all while being Cloud Ready (Azure MFA, Azure AD etc).
I’m still setting this up to see how it works in practise, and it’s no simple task. It requires IIS, SQL, Sharepoint and optionally Exchange. While I don’t mind the first two, Sharepoint and Exchange are both platforms I’ve never experienced, so we’ll see how that goes. The platform uses Sharepoint for the frontend side of the password recovery tools, and Exchange is used for sending out password resets etc as far as I can tell. So far it’s allowed me to use O365 in place of Exchange, and I don’t see any loss of functionality.
I’ve been investigating Smart Cards for Windows login for a while now, and this could prove a useful tool if I can get it to work. Either way I’ll be sure to put something up once I’ve had a proper chance to use and play with it!