First Analysis of Microsoft ILM 2

Some days ago, Microsoft announced at its Tech-Ed conference for IT professionals the start of the beta program for its Identity Lifecycle Manager (ILM) Version 2 beta 3. The current version is called “ILM 2007”, and ILM 2 is touted as a significant enhancement. ILM 2 is Microsoft’s most recent addition to its identity management portfolio.

Although general availability is not expected until the first quarter of 2009, this announcement was given significant exposure, and the Tech-Ed conference had many events scheduled around ILM 2. Microsoft is a leading player in the user-centric identity management field. However, when it comes to classical enterprise identity management, Microsoft has significant gaps to fill and has been falling behind, but it clearly wants to catch up aggressively, and this announcement is a good indication of that.

ILM 2 beta is a significant upgrade from ILM 2007 and shifts weight towards the user interface, together with significant improvements around workflow and synchronisation. Whilst ILM 2007 was more of a glorified version of Microsoft's old meta-directory (MIIS) with rudimentary provisioning and smartcard management, ILM 2 now adds significant workflow and self-service capabilities, including password resets. A SharePoint-like management GUI is provided that allows for management of users, groups, credentials and policies. Strong authentication and key card management can be integrated and simplified with Microsoft's CLM (Certificate Lifecycle Manager) co-product.

The idea behind ILM 2 is the management of the typical "lifecycles" of Create - Update - Retire for users, groups, and credentials. Workflows can be set up using a "codeless workflow designer", or as a custom workflow in Visual Studio when the "codeless" approach isn't enough and code needs to be written. A SharePoint-based console then allows policies to be designed that make use of the workflow and, for example, specify who needs to approve which action. The approval process is very nicely integrated within the Microsoft Office environment (specifically Outlook).

Microsoft has opened up ILM significantly through the use of web services and extensible APIs. These can be used "inbound" in order to drive everything that can otherwise be done from the console, and to trigger specific actions. They can also be used "outbound" in order to kick off external workflows. This approach is interesting because it effectively turns ILM 2 into a mouldable and versatile component that can either be used as a "connector" to integrate an enterprise-wide or HR-driven identity management system with the Microsoft ecosystem, or as the central identity manager that pushes identity information outward. Even hybrid approaches are possible, where inbound changes can be triggered either via synchronisation events or via incoming web service requests.

Two "launch partners" are mentioned together with the release of ILM 2 beta: Omada and Quest. Both companies have a variety of tools and modules that integrate with ILM 2 and extend it, either to overcome some of ILM's limitations or simply to add new functionality.

Given all the buzz about ILM 2, it is rather surprising that Microsoft does not even know how to price and license it yet: this is currently still "under discussion", and an announcement will be made before, or when, the software reaches GA (general availability) status. The ILM 2 beta is already being given a great deal of exposure even though Microsoft has not yet finished its homework on the product. This highlights how important it is for Microsoft to assure its customers that it has a viable identity management strategy with usable products.

Identity Management itself is seen as an important cornerstone of what Microsoft calls "Dynamic IT": a vision to transform IT from a business cost centre into a strategic asset by optimising, rationalising and harnessing technology in a more efficient way. Bob Muglia, Microsoft's Senior Vice President of the Server and Tools Business, addressed the large assembled audience at Tech-Ed in his keynote presentation and talked about Microsoft's vision of Dynamic IT. In the process, he highlighted significant new developments, trends and updates to the product portfolio. Dynamic IT was coined about five years ago, and at the time it was described as a ten-year vision. According to Muglia, five "good years of work" have passed, with five "more good years" left to do.

In a nutshell, the cost of today's IT must be driven down to increase business value; the ongoing daily cost must decrease. What should be done with those savings then? Since Dynamic IT is a strategic asset and drives business, the savings would be used to build new applications that provide the information needed to drive the business.

So how does Microsoft's ILM 2 beta compare with other offerings from competing vendors in the identity management space? After all, several vendors have been offering "identity managers" or even "suites" for years that do similar things.

What ILM does really well is its self-service and, in combination with CLM, the smart-card provisioning functionality. Enterprises typically work hard to overcome complex integration issues, especially with the latter. This is very nicely done and well integrated into an overall PKI approach, where Microsoft now also integrates easily with third-party certification authorities. Needless to say, the integration with the Windows login itself is seamless and supports password resets as well as smart card PIN resets and certificate recovery.

If you look under the hood, the picture is not very pretty. ILM is still built on top of MIIS and internally synchronises data all over the place. MIIS has its own master database, ILM has its own database, and if you use CLM, that has its own database as well, and at each step you need to synchronise between them. That is neither efficient nor elegant, and you can virtually see the dust from this antique artefact whirling up when you open the hood. Most experts seem to agree that this is definitely "ripe for a change" in future versions.

The "codeless" workflow and policy configuration is cute and modestly useful, but organisations that are serious about their workflow will want to supplant it with the plug-in extensions of Omada's visual workflow, or even The Dot Net Factory's own workflow engine.

Auditing and attestation facilities are at best anaemic when compared to other identity manager packages. However, Microsoft can build on the experience of its partners, especially Omada and Quest, who offer this functionality as a module that seamlessly plugs into the ILM 2 portal.

One of the traditional weak points of Microsoft has always been interoperability. Microsoft's strategy has typically been to focus exclusively on its own ecosystem and to build on the experience of partners. This approach may be valid for other market segments, but within identity management Microsoft had to make some exceptions. For ILM 2 beta, several new connectors were announced, namely for Oracle applications and SAP roles. This instantly fills several gaps and is very nicely done. In a demo at this year's Tech-Ed conference for IT professionals, an example was shown where an SAP role was assigned to a user from within SAP. This was then detected by ILM, and a workflow was started with an approval process. The demo showed what happened when approval was denied: ILM 2 then undid the change by synchronising the previous state back to SAP.

Overall, the new release of ILM 2 is significant and has the potential to somewhat redefine Microsoft's standing in the classical enterprise identity management field by plugging some holes in its strategy. Many features have been added, although the underlying synchronisation technology is creaky, and we expect its replacement or major rewrite to be a major focus of Microsoft's efforts in the coming years. Through the synergy with its partners, especially Omada, Microsoft can now stand up to some of its competitors and may be invited to more RFPs in this field once the word is out. Since Microsoft's general release cycle is 24 to 36 months, additional features will most likely come from Omada or other partners that jump on the ILM 2 bandwagon. Kuppinger Cole is now eagerly awaiting Microsoft's announcement on pricing for the ILM and CLM versions, as well as the reactions of some of our customers to their experience with the beta software.
