Looming threat from AD Connect and Office 365
Our brilliant NetIQ Identity Manager setup (and single sign-on via NetIQ Access Manager) seems under increasing threat from AD Connect and Office 365. We populate Office 365 using the Identity Manager Office 365 driver, but since someone decided to deploy Exchange in hybrid mode (for staff email), AD Connect has been deployed because Microsoft would not support any other "Identity Manager" solution. Another team looks after AD Connect; they have no real interest in the broader Identity Management strategy and have made a number of mistakes.

Furthermore, another company has turned up (third space) suggesting we make Azure AD our main identity provider! Our single sign-on uses an eDirectory user store carefully managed by Identity Manager; we simply do not need Azure AD. Azure does not even have passwords, because the Office 365 domain is federated against our AM, so it cannot be used as an identity provider anyway. So now the same company suggests we remove the federation and sync passwords up to AD for over 30000 users (students and staff). All this when the company was brought in to make us more secure against password spray attacks from MS Office 365 - the answer seems to be "let them have all your passwords!"

The next step will be to let AD Connect sync student accounts too, which again is not really necessary, as student email is exclusively on Office 365 and not Exchange, but someone thinks we can use AD Connect to sync up more attributes from AD (ironic, as Identity Manager populates this as well). I try to explain that AD Connect is part of MS Identity Manager, and we do not support MS Identity Manager and have no training in it, but my words are falling on deaf ears. Everything is "Azure AD this, Azure AD that" or "why not use AD Federation Services".
Does anyone have any advice or experience of this situation?
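Two checks that settle the facts being argued over in the post above (is the tenant domain actually federated, and is AD Connect already shipping password hashes to Azure AD, and for which OUs). This is an added example, not part of the original post or of any vendor's documentation; it assumes the MSOnline module on an admin workstation and the ADSync module on the AD Connect server, and "example.ac.uk" is a placeholder for the federated domain.

```powershell
# Added example, not from the original post. Cmdlets are real (MSOnline and ADSync
# modules); the domain name is a placeholder. MSOnline is being retired in favour of
# Microsoft Graph PowerShell, where Get-MgDomain exposes the same AuthenticationType.

# --- Tenant side: is the Office 365 domain still federated to the external IdP? ---
Connect-MsolService
Get-MsolDomain | Select-Object Name, Authentication, Status
# Authentication = 'Federated' -> sign-in is redirected to the IdP (here NetIQ Access Manager);
#                                 Azure AD never holds or checks the user's password.
# Authentication = 'Managed'   -> Azure AD validates the password itself, which is what
#                                 "remove the federation and sync passwords" means in practice.

# Where does the federated domain send users? IssuerUri/PassiveLogOnUri should point at the AM.
Get-MsolDomainFederationSettings -DomainName "example.ac.uk" |
    Select-Object IssuerUri, PassiveLogOnUri, LogOffUri, MetadataExchangeUri

# --- AD Connect server: is password hash sync already switched on? ---
Import-Module ADSync
Get-ADSyncAADCompanyFeature |
    Select-Object PasswordHashSync, ForcePasswordChangeOnLogOn, UserWriteback, DeviceWriteback
# PasswordHashSync = True means a hash of every in-scope account's password hash is
# pushed to Azure AD; with a federated domain it is only a fallback, with a managed
# domain it is the credential store for cloud sign-in.

# --- Which OUs are in scope? This is where "sync the students too" would show up. ---
Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    ForEach-Object { $_.Partitions.ConnectorPartitionScope.ContainerInclusionList }
```

Read the three outputs together: a domain reported as Federated with the AM's URIs, PasswordHashSync set to False, and an inclusion list limited to staff OUs is the state the post describes; any drift in those values is the change being proposed, and it is worth recording them before the other team starts "adjusting" the connector.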
Unfortunately, I can't say that this is something unique to your org.
Many C-level managers listen to similar "advice" and make the same "smart" decisions.
Anyway, AD Connect is not an Identity Management solution.
It supports the simplest cases of AD users/groups to AAD synchronization and doesn't support any dataflow customization (for example, there is absolutely no way to customize direct report/manager references, which was "available" in FIM/MIM).
We had a similar "push" until the moment when the business started to understand the limitations and unresolved complexities that can really bring the company down.
Agree with everything @al_b has said.
The big picture architects see it as easier and more predictable cost wise.
Our role is to help educate decision makers regarding the benefits of the alternatives.
Neither AAD Connect nor ADFS offer the flexibility that the Micro Focus products do.
Microsoft's solutions (AAD Connect and its cousins MSIDM, FIM, MIIS, or whatever alphabet soup they are serving this week) are a weak IDM solution with a total lack of flexibility. It is a Model-T solution: it comes in any color, as long as it's black. It can sync identity data, but it does so on its terms; if you do anything slightly non-standard it will take effort, and possibly .NET developers, to modify it. One fallacy I have heard is that a client wants to go to Microsoft's product because they are an AD shop. But the MS Identity solutions are not based on AD, they are based on MSSQL; AD is just another connected system.
If you don't have customized configurations and a variety of different applications to integrate, you don't need IDM. Because of what I do, I just haven't run into many environments like that.
Oracle's IDM is also very difficult and time consuming to configure; it generally requires Java developers to customize, but if you are patient you may get a working solution. However, in my personal experience, I have seen more of those projects fail than succeed.
My main objection to Sailpoint is that it is an application, not infrastructure. Also, their slew of connectors are mostly text file imports, not live connections. They put a scheduler in place to make it act like it's infrastructure, but in the end it's also a database application to evaluate compliance which has had some provisioning bolted on to it.
I worked for Novell for 18 years and participated in an alpha DirXML driver development class in 1997. DirXML, which became NetIQ IDM, started because Novell had a moderately successful product called NDS for NT which pissed off Microsoft royally. It redirected NT authentication transparently to eDirectory. It worked, but MS was working on AD and it had a limited life span. And customers wanted to integrate everything from email (GroupWise and Notes in those days) to databases to phone switches. Micro Focus' Identity Solutions were designed from the get-go to integrate disparate systems together.
I just have one more comment on your first sentence.
You can have the best .NET developer (who, in theory, can create a specific extension according to business needs), but you will not be able to add this extension/customization to AD Connect.
AD Connect is a "locked down" (simplified) version of FIM/MIM that doesn't support any extension.
But "adjustment" of mapping only ("schema mapping" component in our terminology) from the full set of options in Identity dataflow, without any ability to have transformation/normalization logic, no option for having any business customization/dependencies logic can't be used like Identity Management solution and can't be taken like "customization".
This is a straight copy from point A to point B (only Black and White without halftones, that we have in real life)
The difficulty is also that the people making the decision do not always seem to be the people taking the responsibility afterwards.
Working with a customer who is moving to Sailpoint, and we have run into a series of issues that Sailpoint just plain cannot do.
So the customer experience is getting worse, with more manual work for end users and admins.
But damn the torpedoes, we are going Sailpoint, "because".
Since the people who made the call are high level, they often don't want to take the blame, so they hide and push it all down and away. Political issue not technological.