Let us lock down your digital fortress

We have secured over 2.7 million identities. We can do it for you. Book a free 20 min consultation.

For Identity Centered on Microsoft Cloud -- Entra ID

Entra ID – Microsoft is pouring more connections to cloud services and more GRC capabilities into Entra ID.

For Identity Centered on Premise

While support for Microsoft Identity Manager goes away in early 2029, many orgs continue to use MIM, especially those with large on-premises investments that aren’t going away any time soon. Used in conjunction with Entra ID and/or HyperSync, your solution can cover the Cloud and all your GRC needs. We continue to support these orgs, helping them keep MIM healthy and plan their transition.

For speedy Identity Management on prem or in the cloud at a more efficient price

HyperSync – A most intriguing option, HyperSync Panel is a high performance identity synchronization engine built on top of the Identity Panel application framework. Used in conjunction with Entra ID and MIM or all on its own, HyperSync and its associated products provide incredible GRC capabilities.

Testimonials

We have worked with many clients, and we always like to hear that they came out of the cooperation happy and satisfied. Have a look at what our clients said about us.

From our blog

Custom Attributes in Entra ID -- Decision Tree

By DavidLundell on October 1, 2025

This article is the eighth in a series about Custom Attributes in Entra ID and will step through the decision tree which I hope will be the definitive guide to which way to store custom data in Entra ID.

  1. Names and aliases
  2. Naming Conventions
  3. Resource Types
  4. Data Types
  5. Lifecycle
  6. Limitations
  7. Use Cases
  8. Decision Tree

  1. Is this custom data intended for Enterprise Applications or Managed Identities (both of which are of the servicePrincipal resource type)?

If “Yes,” then you must use Custom Security Attributes – this is the only way to filter on Applications in Conditional Access Policies

Custom Attributes in Entra ID -- Use Cases

By DavidLundell on October 1, 2025

This article is the seventh in a series about Custom Attributes in Entra ID and will discuss the use cases of each of these approaches. There are seven use cases that have only one solution: three exclusive use cases for Extension Attributes, three exclusive for Custom Security Attributes and one for Directory Extensions.

  1. Names and aliases
  2. Naming Conventions
  3. Resource Types
  4. Data Types
  5. Lifecycle
  6. Limitations
  7. Use Cases
  8. Decision Tree

| Use Cases | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Visible on Profile Card | Y (Exclusive) | N | N | N | N |
| Exchange Dynamic Groups | Y (Exclusive) | N | N | N | N |
| Group Dynamic Membership Rule | Y | Y | N | N | N |
| Administrative Unit Dynamic Membership rule | Y | Y | N | N | N |
| Inbound Cloud Provisioning | Y | Y | N | N | N |
| Cloud User App Provisioning | Y | Y | N | N | N |
| User App Provisioning Filtering | Y | Y | N | N | N |
| On Premise Sync | Y | Y | N | N | N |
| Cross Tenant Sync | Y | Y | N | N | N |
| Customized Token Claims | Y | Y | N | N | N** |
| Entra ID DS | Y | Y | N | N | N |
| Graph Filterable | Y | Y | Y | N | Y |
| Azure B2C | Y | Y | N | N | N |
| External ID Custom User Attributes | N | Y (Exclusive) | N | N | N |
| Restricted Access/Sensitive Data | N | N | N | N | Y (Exclusive) |
| Conditional Access Filter on Enterprise Applications | N | N | N | N | Y (Exclusive) |
| Conditional Access Filter on Devices | Y (Exclusive) | N | N | N | N |
| Conditional Access Filter on Users and Groups (via Dynamic Group Membership) | Y | Y | N | N | N |
| UI to manage the customizations | N/A | N* | N | N | Y |
| Azure ABAC | N | N | N | N | Y (Exclusive) |
| Lifecycle Workflows: Scope Filter | Y | Y | N | N | Y |
| Lifecycle Workflows: Trigger Attributes | N | N | N | N | N |
| Access package assignment Policy | Y | Y | N | N | N |

My default answer: use a Directory Extension unless you can’t!

Custom Attributes in Entra ID -- Limitations

By DavidLundell on October 1, 2025

This article is the sixth in a series about Custom Attributes in Entra ID and will discuss the limitations of each of these approaches.

  1. Names and aliases
  2. Naming Conventions
  3. Resource Types
  4. Data Types
  5. Lifecycle
  6. Limitations
  7. Use Cases
  8. Decision Tree

| Limitation | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Needs an App to own it | N | Y | Y | N but an App must create it | N |
| Values Per Resource | 15 | 100 | 100 | 2 kb of data | 50 |
| Per App | N/A | | 5 definitions | 2 extensions | N/A |
| Per Tenant | 15 | Infinite | Infinite | Infinite | 500 |
| Schema can be shared | Built in to every tenant | If other tenants install your multi-tenant app | Discoverable Globally | N | N |
| Can exist on Synced User | Y | Y | Y | Y | Y |
| Must Manage on Prem for Synced User | Y | N* | N | N | N |

*No, except for Directory extensions from the “Tenant Schema Extension App” used by Entra ID Connect Sync and Cloud Sync.

Custom Attributes in Entra ID -- Lifecycle

By DavidLundell on September 27, 2025

This article is the fifth in a series about Custom Attributes in Entra ID and will discuss the Lifecycle of each of these approaches.

  1. Names and aliases
  2. Naming Conventions
  3. Resource Types
  4. Data Types
  5. Lifecycle
  6. Limitations
  7. Use Cases
  8. Decision Tree

| Lifecycle Question | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Has Lifecycle States? | No (always there) | No (there and not there) | Yes (InDevelopment, Available, Deprecated) | No (never there) | Yes (Active, Deactivated) |
| Can other apps in the same tenant discover the extensions definitions? | Yes (same in every tenant) | Yes | Yes | No definitions to discover | Only with the Attribute Definition roles |
| Can other apps in same Tenant read the data (If app has read permissions to the resource)? | Yes | Yes | Yes | Yes | Only with Attribute Assignment Roles |
| Can other apps in same Tenant write the data (If app has write permissions to the resource)? | Yes | Yes | Yes | Yes | Only with Attribute Assignment Roles |
| Can definitions be shared with or discovered by other tenants? | They already are | If app is Multi-Tenant and gets installed | Once the Schema Extension is in Available State | No | No |
| Can the extension be deleted? | No | Yes | Only when in the InDevelopment State | N/A (there are no definitions) | No |
| Can be deactivated or deprecated? | No | No | Yes (deprecated) | No | Yes (deactivated) |
| **Deletion of owning App** | | | | | |
| What happens to the definitions? | N/A | Deletes the Extensions Definition | Not deleted but no longer updateable | Deleting the Creator app has no impact | N/A |
| What happens to the definitions in other tenants? | N/A | Nothing – other tenants could not update the definitions anyhow | Nothing – other tenants could not update the definitions anyhow | N/A | N/A |
| What happens to the data? | N/A | Makes it undiscoverable | All properties and values are still discoverable | Deleting the Creator app has no impact | N/A |
| What happens to the data in other tenants? | N/A | None | None | N/A | N/A |
| Can the extension be deleted? | N/A | Yes | Only when in the InDevelopment State | N/A (there are no definitions) | No |
| What happens to the definitions? | N/A | Deletes the Extensions Definition | Definition deleted and undiscoverable | N/A | N/A |
| What happens to the definitions in other tenants? | N/A | Nothing – other tenants could not update the definitions anyhow | N/A (can’t delete when shared) | N/A | N/A |
| What happens to the data? | N/A | Makes it undiscoverable | Makes it undiscoverable | N/A | N/A |
| What happens to the data in other tenants? | N/A | Nothing | N/A (can’t delete when shared) | N/A | N/A |
| Can the extension be deactivated or deprecated? | No | No | Yes (deprecated); extension can no longer be read or modified | No | Yes (deactivated); can no longer be applied |
| Effect on other tenants? | N/A | N/A | Extension can no longer be read or modified | N/A | N/A |
| What happens to the data when the Extension is deprecated or deactivated? | N/A | N/A | Can read, update and delete existing property values | N/A | Data is preserved; can no longer be applied to resources |
| Effect on other tenants? | N/A | N/A | Can read, update and delete existing property values | N/A | N/A |
| Data in Undiscoverable/Deactivated count against limits | N/A | Yes | Probably | N/A | Yes |
