Implementing Privileged Access Management on Server 2016/2019: Part 3 – Deploying the MIM/PAM Server

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

Implementing Privileged Access Management on Server 2016/2019: Part 2 – Installing and Configuring SharePoint Server 2016 for Microsoft Identity Manager

In part three of this blog series, I will go through the steps to deploy the MIM/PAM server to host the MIM Synchronization Service and Portal.

*As I am using a lab environment, I have chosen to install MIM, SQL and SharePoint on the same server, but in production they would need to be planned and scaled out correctly.


Server Configuration

First install the required Windows features by running the following PowerShell commands:

```powershell
# Install Prereqs
Import-Module ServerManager

# The original used an en-dash before the switch, which PowerShell does not accept; it must be a plain hyphen.
Install-WindowsFeature Web-WebServer, Net-Framework-Features, RSAT-AD-PowerShell, Web-Mgmt-Tools, Windows-Identity-Foundation, Server-Media-Foundation, Xps-Viewer -IncludeAllSubFeature
```

Once the features are installed successfully, we need to define the local security policy. To do this, open the Local Security Policy snap-in (secpol.msc) and make the following changes:

In the policy Local Policies > User Rights Assignment > Log on as a service

Add priv\MIMMonitor, priv\MIMService, priv\SharePoint, priv\MIMComponent and priv\SQLServer

In the policy Local Policies > User Rights Assignment > Deny access to this computer from the network

Add priv\MIMMonitor, priv\MIMService and priv\MIMComponent

In the policy Local Policies > User Rights Assignment > Deny log on locally

Add priv\MIMMonitor, priv\MIMService and priv\MIMComponent

Configure local security policy and local admins

Close the Local Security Policy window and open “Computer Management”. Navigate to “Local Users and Groups -> Groups -> Administrators” and add priv\MIMAdmin and priv\SharePoint as local admins on the server.
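As an added verification step that is not part of the original post, the following PowerShell exports the local policy with secedit and checks that the user rights and Administrators membership configured above are actually in place. It assumes the priv domain and account names used in this series and must run from an elevated prompt.

```powershell
# Added check (not from the original post): compare the effective local security policy
# against the assignments made above. Account names are assumptions from this lab; adjust $Expected.
$Expected = @{
    'SeServiceLogonRight'         = @('priv\MIMMonitor','priv\MIMService','priv\SharePoint','priv\MIMComponent','priv\SQLServer')
    'SeDenyNetworkLogonRight'     = @('priv\MIMMonitor','priv\MIMService','priv\MIMComponent')
    'SeDenyInteractiveLogonRight' = @('priv\MIMMonitor','priv\MIMService','priv\MIMComponent')
}

# Export only the user-rights area to a temporary .inf (secedit needs an elevated prompt).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Entries in [Privilege Rights] are either *S-1-5-... SIDs or plain names; resolve SIDs to DOMAIN\name.
function Resolve-RightsEntry([string]$entry) {
    if ($entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        try { return $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { return $entry }
    }
    return $entry
}

# Parse "SeXxxRight = entry,entry,..." lines into right -> resolved account list.
$Actual = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $Actual[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { Resolve-RightsEntry $_.Trim() }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Report any expected account missing from a right (comparisons are case-insensitive in PowerShell).
$problems = 0
foreach ($right in $Expected.Keys) {
    $have = @($Actual[$right])
    foreach ($acct in $Expected[$right]) {
        if ($have -notcontains $acct) { Write-Warning "$right is missing $acct"; $problems++ }
    }
}

# Confirm the two accounts added to the local Administrators group above.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
foreach ($acct in 'priv\MIMAdmin','priv\SharePoint') {
    if ($admins -notcontains $acct) { Write-Warning "Administrators is missing $acct"; $problems++ }
}

if ($problems -eq 0) { Write-Host 'User rights and Administrators membership match the expected configuration.' }
```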



IIS Config

To configure IIS for Windows Authentication, run the below PowerShell commands:

```powershell
iisreset /STOP

C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost

iisreset /START
```


Installing the Synchronization Service

Mount the MIM 2016 ISO and run the “FIMSplash.htm” page in the root folder to open the splash page.


Follow through the wizard, accepting the terms and conditions, and specify your SQL instance. In my lab I am using a local default SQL instance.


Specify your MIMSync service account details.


Update the names of the groups to be created if you like.


On the next page you can allow the installer to open the required firewall ports on the server for you.


Finally click install and wait for the synchronization service to finish installing. At the end you will be prompted to save the encryption key locally. Save this key and keep it safe.

When the install completes, click Finish. You will be prompted to log off the server so that the new group membership takes effect.



Install MIM Service and Portal

After logging back on to the server, open up “FIMSplash.htm” again and this time run the “Service and Portal” installer.


Follow through the Wizard, accepting the license terms and opting in or out of the Customer Experience Program until you get to the Custom Setup page. At this page, select the options to install the MIM Service, Privileged Access Management and MIM Portal Roles and click next.


Select the SQL settings and click next. Again, in my lab I am using a local SQL instance.


Select a mail server to use. You can also optionally use Exchange Online, or, if there is no Exchange server in place, enter “localhost” as the server name and deselect the top two options.


Create a new self-signed cert or use an existing certificate.


Enter the service account details for the MIMService.


Enter the details of the synchronization service.


Enter the name of the local server for the MIM Service Server Address.


Enter the name of the SharePoint Site Collection we created in part 2 of this blog to host the MIM Portal.


We are not using the Password Registration Portal so leave the next page blank.


Check the boxes to open the appropriate firewall ports and to allow authenticated users to access the MIM Portal site.


Leave the REST API Hostname blank and set the port to 8086.


Enter the account details of the SharePoint service account for the PAM REST API.


Enter the MIMComponent service account details for the PAM Component Service.


Enter the MIMMonitor service account details for the PAM Monitoring Service.


If you are using the other components on another server enter the details here, if not, click next.


Finally, click Install.


When the installer finishes, reboot the system and log back on. Browse to your MIM Portal URL configured in Part 2 and you should see the MIM Portal page has been configured successfully.
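After the reboot, an added post-install check (not part of the original post) confirms that each MIM/PAM service is running and uses the service account entered in the wizard. The display-name patterns and account names below are assumptions based on this lab setup; adjust them to your environment.

```powershell
# Added check (not from the original post): verify MIM/PAM services run under their intended
# least-privilege accounts. Patterns and account names are assumptions from this series' lab.
$ExpectedAccounts = @{
    '*Identity Manager Synchronization Service*' = 'priv\MIMSync'      # Synchronization Service
    '*Identity Manager Service*'                 = 'priv\MIMService'   # MIM Service
    '*PAM Component*'                            = 'priv\MIMComponent' # PAM Component Service
    '*PAM Monitoring*'                           = 'priv\MIMMonitor'   # PAM Monitoring Service
}

# Win32_Service exposes the logon account (StartName) and current State for every service.
$services = Get-CimInstance -ClassName Win32_Service
$problems = 0

foreach ($pattern in $ExpectedAccounts.Keys) {
    $matched = @($services | Where-Object { $_.DisplayName -like $pattern })
    if ($matched.Count -eq 0) {
        Write-Warning "No service matching '$pattern' was found"
        $problems++
        continue
    }
    foreach ($svc in $matched) {
        $wanted = $ExpectedAccounts[$pattern]
        # -ne is case-insensitive, so PRIV\MIMService and priv\MIMService compare equal.
        if ($svc.StartName -ne $wanted) {
            Write-Warning "$($svc.DisplayName) runs as '$($svc.StartName)', expected '$wanted'"
            $problems++
        }
        if ($svc.State -ne 'Running') {
            Write-Warning "$($svc.DisplayName) is $($svc.State)"
            $problems++
        }
    }
}

if ($problems -eq 0) { Write-Host 'All MIM/PAM services are running under their intended accounts.' }
```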



Now the MIM Portal and Service are successfully installed. In the next and final post in this series, I will finalize and test the PAM configuration!


Exchange Server 2019 Preview

Last week Microsoft announced the release of Exchange Server 2019 – Preview. This is the first version of Exchange to be compatible with Windows Server Core. Other new features include a revamped search service leveraging Bing search and improvements to the Exchange Online Hybrid functionality along with further performance optimizations to the database engine. Updates to the Outlook web client will also bring the user experience more in line with the current Exchange Online offering.

The Preview is available to download here and I will be posting an install demo here in the next couple of days.


New Blog Site!

I’ve tried keeping up blogs in the past but always had a hard time keeping up with posts. Now it’s time to start fresh and stick to it! This blog is focused around Microsoft 365 and the Modern Workplace. I am hoping to update regularly with new feature analysis, tutorials and interesting findings I make day to day working with this ever changing suite of products.
