Microsoft Bhold Forefront Identity Manager [EOL] Review

The SharePoint-hosted web UI lacks the features one would normally expect but it does have a PowerShell-aware web API.

What is most valuable?

  • Extensible and reliable identity provisioning and synchronisation
  • Extensible workflow and policy engine
  • Extensible delegated access management platform with web UI
  • PowerShell-aware web API

How has it helped my organization?

I consult in the implementation of this product for my customers. I advised where improvements are needed to improve operational efficiency, security compliance and transparency of policy.

What needs improvement?

The SharePoint-hosted web UI, while functional, lacks the features one would normally expect of a modern web application when used in its vanilla form. The BHOLD suite, which is an optional extension for RBAC modelling, should not be implemented without substantial budget being set aside for investment in additional training and understanding, and ensuring access to specialist resources is available when required.

For how long have I used the solution?

I've been using FIM 2010 for five years, and prior to that another five years between the 2003 and 2007 versions.

What was my experience with deployment of the solution?

FIM is more an Identity and Access Management (IAM) framework than an out-of-the-box (OOTB) solution. With customization invariably required, deployment must be carefully planned according to the solution architected.

What do I think about the stability of the solution?

The latest R2 release is stable and has no significant issues that affect implementation stability with regards to the core components.

What do I think about the scalability of the solution?

The biggest limiting factor is that the sync engine cannot be configured for load balancing or redundancy, followed closely by the throughput limitations that apply to the FIM Service connector (management agent) when dealing with high volumes of objects under synchronization. Nonetheless, FIM has been successfully deployed to manage the entire identity life-cycle for very large sites, such as well over one million staff/student identities under management for the Queensland Education Department in Australia.
Also, when the "declarative" sync rules requiring "expected rule entries" (EREs) are employed, the sync overhead is further exacerbated. As such this type of sync approach should be avoided in lieu of a code-based rules extension or the "scoped" sync rule capability released with R2.

How are customer service and technical support?

Customer Service:

High, depending on availability. Support is available by subscription to the "Microsoft Premier Support Service" (PSS) and/or third party solution support. In complex scenarios where skilled technicians are required, some delays (while generally minimal) may be experienced in getting a full resolution. A managed service arrangement might be worth considering through a third party such as UNIFY Solutions to mitigate the need for this in most cases.

Technical Support:

High, depending on availability. There is often a dependency on skilled resources that need to be accessed from outside the immediate PSS group.

Which solution did I use previously and why did I switch?

No. Only earlier versions of FIM which are now mostly end-of-life.

How was the initial setup?

Generally complex in terms of number of components required, number of deployment steps required, and time generally taken with some of those steps.

What about the implementation team?

We implemented it in-house.

What was our ROI?

The knowledge gained to perform more implementations for other clients, and the potential to leverage our own complementary products and services.

Which other solutions did I evaluate?

Yes - Novell, Sun (now obsolete) and Oracle.

What other advice do I have?

Be prepared to consider the total cost of ownership (TCO) of a FIM (or any IAM) solution when assessing its comparatively cheaper price-tag over the mainstream alternatives. Be sure that training and resource development costs are covered in your budget, along with any ongoing "level three" type dependency on specialist resources to maintain and extend the solution once in Production. These costs may be minimized and service delivery/reliability optimised by leveraging a reputable managed service option such as the one available through UNIFY Solutions.

Which version of this solution are you currently using?

FIM2010 R2
Disclosure: My company has a business relationship with this vendor other than being a customer: Microsoft Gold Identity and Access, Microsoft Gold Application Development, Microsoft Gold Data Platform, Microsoft Gold Intelligent Systems