

Working with Identity Manager Hybrid Reports

 

The latest version of Identity Manager 2016 enables you to view identity and access management (IAM) activity related reports in a unified location. Azure Active Directory and Microsoft Identity Manager reporting activity can be viewed in the Azure AD portal under Reports > Activity Logs. Now you can see a consolidated list of IAM activities in the Azure Active Directory portal. In addition, because Azure AD is in the cloud, it’s super-agile and easy to update, meaning that you’ll get new reports as they are developed and you won’t have to wait for the next major Microsoft Identity Manager release.

Another great advantage of the hybrid reporting console is that it exports all the events to the Windows Event log. These events can then be easily forwarded to your Security Information Event System (SIEM), so it’s easier to get an aggregated picture of the security across your systems.

Available hybrid reports

The first three Microsoft Identity Manager reports available in Azure AD are Password reset activity, Password reset registration and Self-service groups activity.

  • Password reset activity displays each instance in which a user performed a password reset through SSPR, together with the gates (authentication methods) used to authenticate.

  • Password reset registration displays each time a user registers for SSPR and the methods used to authenticate, for example a mobile phone number or questions and answers. Note that for Password reset registration, no differentiation is made between the SMS gate and the MFA gate: both are reported as Mobile Phone.

  • Self-service groups activity displays each attempt made by someone to add themselves to or delete themselves from a group and group creation or removal.

    [Figure: MIM Hybrid Reporting Password Reset]

Note

The reports currently present data for up to one month back.

If you want to uninstall hybrid reports, uninstall the MIMreportingAgent.msi agent.

Prerequisites

  1. Install Microsoft Identity Manager 2016 including the MIM service.

  2. Make sure you have an Azure AD Premium tenant with a licensed administrator in your directory.

  3. Make sure you have outgoing Internet connectivity from the Microsoft Identity Manager server to Azure.

Installing Identity Manager Reporting in Azure AD

After the reporting agent is installed, Identity Manager activity data is exported from Identity Manager to the Windows Event Log. The Identity Manager reporting agent processes these events and uploads them to Azure. In Azure, the events are parsed, decrypted, and filtered for the required reports.

  1. Install Microsoft Identity Manager 2016.

  2. Download the Microsoft Identity Manager reporting agents:

    1. Log into the Azure AD management portal and click on the Active Directory icon.

    2. Double click on the directory for which you are a Global Administrator and you have an Azure AD Premium subscription.

    3. Click Configuration and download the reporting agent.

  3. Install the Microsoft Identity Manager reporting agent:

    1. Create a directory on the computer.

    2. Extract the files MIMHybridReportingAgent.msi and tenant.cert into the directory.

    3. Run the agent installer.

    4. Make sure that the Microsoft Identity Manager reporting agent service is running.

    5. Restart the Identity Manager Service.

  4. Validate that Microsoft Identity Manager Reporting is working in Azure.

    You can create report data by using the Microsoft Identity Manager Self Service Password Reset Portal to reset a user’s password. Make sure that the password reset completed successfully and then check that the data is displayed in the Azure AD management portal.

Viewing hybrid reports in the Azure management portal

  1. Log into Azure with your global admin account for the tenant.

  2. Click the Active Directory icon.

  3. Select the tenant directory from the list of available directories for your subscription.

  4. Click Reports and then Password Reset Activity.

  5. Make sure you select Identity Manager in the source dropdown.

Warning

It can take up to 4 hours for Microsoft Identity Manager data to appear in Azure AD.

Stop sending Identity Manager events to Azure

If you want to stop uploading reporting data from Identity Manager to Azure Active Directory, you can do this in the configuration file, located in the Identity Manager Service installation folder.

  1. For example, open this file: C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config.

  2. Locate the resourceManagementService node.

  3. Change the hybridReportingRequestLoggingEnabled attribute from "true" to "false". The attribute is on this element: <resourceManagementService hybridReportingRequestLoggingEnabled="true"/>

  4. Save the file and restart the MIM Service.
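The four steps above can be scripted so the change is repeatable and leaves a backup behind. The following PowerShell is an added example, not part of the original article: it edits the attribute as XML rather than by text replacement, so it is not fooled by whitespace or quoting differences. The config path is the one given above; the Windows service name FIMService for the MIM Service is an assumption, as is running the script as a local administrator on the MIM Service host.

```powershell
# Added example: toggle hybrid reporting uploads in the MIM Service config.
# Config path is from the article; the service name 'FIMService' is assumed.
param(
    [string]$ConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config',
    [ValidateSet('true', 'false')]
    [string]$Enabled = 'false'   # 'false' stops uploads to Azure AD; 'true' re-enables them
)

# Keep a timestamped backup before touching the config.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $backup -Force
Write-Host "Backup written to $backup"

# Load the file as XML and locate the resourceManagementService node wherever it sits.
[xml]$config = Get-Content -Path $ConfigPath -Raw
$node = $config.SelectSingleNode('//resourceManagementService')
if ($null -eq $node) {
    throw "resourceManagementService node not found in $ConfigPath"
}

$current = $node.GetAttribute('hybridReportingRequestLoggingEnabled')
Write-Host "hybridReportingRequestLoggingEnabled: '$current' -> '$Enabled'"
$node.SetAttribute('hybridReportingRequestLoggingEnabled', $Enabled)
$config.Save($ConfigPath)

# The MIM Service only reads its config at start-up, so restart it (service name assumed).
Restart-Service -Name 'FIMService' -Force
Write-Host "MIM Service restarted; hybrid reporting uploads are now '$Enabled'."
```

Run it with no arguments to stop uploads, or with `-Enabled true` to turn them back on; the backup file makes it easy to confirm the only difference is the one attribute.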

Windows Events Used for Microsoft Identity Manager Reporting in Azure AD

Events generated by Microsoft Identity Manager are logged in the Windows Event Log and are visible in Event Viewer under Application and Services Logs > Identity Manager Request Log. Each Identity Manager request is exported as an event in the Windows Event Log with a JSON payload. These events can be forwarded to your SIEM.

Event type  | ID   | Event details
Information | 4121 | FIM event data that includes all the request data.
Information | 4137 | FIM event 4121 extension, used when there is too much data for a single event. The header in this event is in the following form: "Request: <GUID> , message <xxx> out of <xxx>".
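Because a large request is split across a 4121 event and one or more 4137 extension events, a SIEM that ingests the raw log sees fragments rather than whole requests. The following PowerShell is an added example, not code from the article or from Microsoft: it reads events 4121 and 4137 from the log, uses the "Request: <GUID> , message <n> out of <total>" header from the table above to stitch fragments back together by request GUID, parses the JSON where it is valid, and writes one JSON object per line for SIEM forwarding. Assumptions: the log's internal name is Identity Manager Request Log (the Event Viewer display name), the JSON body is in the event Message, a fragment's header is the first line of its Message, and fragments concatenate in part order.

```powershell
# Added example: export MIM hybrid-reporting events (4121/4137) as JSON Lines.
# Assumptions: log name 'Identity Manager Request Log', JSON body in Message,
# and the "Request: <GUID> , message <n> out of <total>" header leads a fragment.
param(
    [string]$LogName  = 'Identity Manager Request Log',
    [datetime]$Since  = (Get-Date).AddHours(-4),
    [string]$OutFile  = "$env:TEMP\mim-requests.jsonl"
)

$headerPattern = '^Request:\s*(?<id>[0-9a-fA-F-]{36})\s*,\s*message\s*(?<n>\d+)\s*out of\s*(?<total>\d+)'

# Only the two event IDs documented for hybrid reporting, within the time window.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4121, 4137; StartTime = $Since } -ErrorAction Stop

$records   = [System.Collections.Generic.List[object]]::new()
$fragments = @{}   # request GUID -> fragments carrying the header

foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $headerPattern)
    if ($m.Success) {
        # Multi-part request: strip the header and keep the fragment for reassembly.
        $id = $m.Groups['id'].Value
        if (-not $fragments.ContainsKey($id)) { $fragments[$id] = @() }
        $fragments[$id] += [pscustomobject]@{
            Part  = [int]$m.Groups['n'].Value
            Total = [int]$m.Groups['total'].Value
            Time  = $e.TimeCreated
            Body  = $e.Message.Substring($m.Length).TrimStart()
        }
    }
    else {
        # Self-contained event: emit as-is.
        $records.Add([pscustomobject]@{
            TimeCreated = $e.TimeCreated.ToString('o')
            EventId     = $e.Id
            RequestId   = $null
            Complete    = $true
            Body        = $e.Message
        })
    }
}

foreach ($id in $fragments.Keys) {
    $parts = @($fragments[$id] | Sort-Object Part)
    $records.Add([pscustomobject]@{
        TimeCreated = ($parts | Sort-Object Time)[0].Time.ToString('o')
        EventId     = 4137
        RequestId   = $id
        # Flag requests whose fragments are still arriving or were lost.
        Complete    = ($parts.Count -eq $parts[0].Total)
        Body        = -join ($parts | ForEach-Object { $_.Body })
    })
}

# Parse the body as JSON where possible so the SIEM gets structured fields; keep raw text otherwise.
$lines = foreach ($r in $records) {
    try { $r.Body = $r.Body | ConvertFrom-Json -ErrorAction Stop } catch { }
    $r | ConvertTo-Json -Compress -Depth 20
}
Set-Content -Path $OutFile -Value $lines -Encoding UTF8
Write-Host "Wrote $($records.Count) records to $OutFile"
```

The Complete flag is worth alerting on: a request whose fragment count never reaches the advertised total means either the collector ran before all parts were written or an event was dropped, and in both cases the SIEM copy of that request is incomplete.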