
Microsoft Identity Manager Alternatives: Modern IGA Platforms Worth Evaluating

May 6, 2026

Being a month into a Microsoft Identity Manager implementation and already hitting gaps is a familiar experience. MIM is a capable product in heavily Microsoft-integrated environments: it handles complex on-premises Active Directory scenarios, supports custom code for legacy applications, and ships a mature set of built-in workflows for organizations willing to invest in configuration. The practitioners in this thread who know it well are clear: it works, but it takes real engineering investment to get it working for anything outside the standard Microsoft stack.

The question of whether to keep going with MIM or find an alternative depends almost entirely on what the gaps are. If the gaps are integration-specific — custom or legacy applications that need code — that's a known MIM characteristic, not a fundamental limitation. If the gaps are around SaaS governance, disconnected app management, or modern access review requirements, those are areas where MIM wasn't designed to compete and where the market has moved substantially in the last decade.

Why MIM Works Well in Some Environments and Struggles in Others

The honest practitioner assessment of MIM: it works in heavy Microsoft environments where most of the identity infrastructure is on-prem Active Directory, Exchange, and Office 365. The built-in connectors cover Microsoft's own products well. For legacy applications and anything custom, you are either configuring one of the generic connectors (SQL, LDAP, web services, PowerShell) per application or writing your own management agent. That is a real investment, but not an impossible one if you have the engineering resources.

The architectural challenge is that MIM is fundamentally an on-premises synchronization engine. Its design philosophy — synchronizing identity data between connected systems using rules and code — made sense when most enterprise infrastructure was on-premises and the identity landscape was relatively stable. In an environment where SaaS adoption is continuous, employees use dozens of tools that change regularly, and governance requirements now include access reviews and compliance reporting across the full application stack, MIM's architecture requires significant extension to cover what modern platforms handle out of the box.

One practitioner in this thread offered a useful framing: any identity management tool should be looked at as only part of a larger service, and it should work well with MFA and SIEM systems. That's still true, and worth keeping in mind when evaluating any replacement — the platform needs to fit into your security stack, not replace it entirely.

The Current Market: Where Each Platform Fits

Core IAM and SSO (the authentication layer). If your primary gap is authentication and basic provisioning, Okta, Microsoft Entra ID, JumpCloud, and OneLogin cover the SSO and directory layer. Entra ID is the natural replacement direction for MIM in Microsoft-centric environments — Microsoft's own migration path runs from MIM toward Entra ID Governance and Lifecycle Workflows for most joiner-mover-leaver automation. The limitation practitioners note is that Entra ID Governance, while improving rapidly, is still maturing relative to dedicated IGA platforms for complex governance scenarios.

Enterprise IGA (large, complex environments). For organizations in the 10,000+ employee range with complex on-prem requirements, SailPoint (IdentityNow, now branded Identity Security Cloud, for SaaS delivery; IdentityIQ for on-prem) and Saviynt are the established enterprise-grade options. These platforms handle the depth of configuration that large organizations require, but come with corresponding implementation complexity and cost. If the criticism of MIM is that it's complex to implement, SailPoint IIQ at enterprise scale is in the same neighborhood.

Modern mid-market IGA platforms. For mid-sized organizations that need modern SaaS governance, access reviews, and JML automation without the implementation overhead of enterprise IGA, a newer generation of platforms has emerged: Zluri, ConductorOne, Lumos, and Zilla Security among others. These platforms are generally cloud-native, faster to deploy, and focused on SaaS and hybrid environments rather than primarily on-prem Active Directory. The tradeoff is less depth for very complex on-prem scenarios.

Adaxes (mentioned in the original thread) remains a viable option for organizations that want AD-focused lifecycle automation with customizable web interfaces, approval workflows, and RBAC without the full complexity of a modern IGA platform. If the gap is specifically around AD user lifecycle automation and the environment is primarily on-prem, Adaxes is worth evaluating.

What's Changed Since MIM Was the Standard Answer

The identity management landscape has shifted substantially in the direction of SaaS-first architectures. Several capabilities that require significant customization in MIM are now handled out of the box by modern platforms:

HRMS as source of truth. Connecting an HR system like Workday, BambooHR, or Personio as the authoritative trigger for the joiner-mover-leaver lifecycle, so that new hires, role changes, and terminations in HR automatically drive identity changes downstream, is a core feature of modern IGA platforms rather than a custom integration project. In MIM, connecting to an HRMS typically means pointing a Generic SQL or flat-file connector at an HR extract, or building a custom management agent when the HRMS is only reachable through its own API. Either way, the reconciliation logic (what counts as a joiner, which attribute changes constitute a mover, how to treat a future-dated termination) is yours to specify.
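The reconciliation step described above, as an added example that is not code from the article or from any platform it names: an authoritative HR feed is compared against a directory snapshot and turned into joiner, mover and leaver actions. The record layouts, the "active"/"terminated" status vocabulary and the sample employees are constructed for illustration. Two details practitioners tend to get wrong are handled deliberately: accounts are matched on employee ID rather than email (emails change on marriage or rename), and a termination dated in the future leaves the account active until that date.

```python
"""Joiner/mover/leaver reconciliation driven by an authoritative HR feed.

Added illustration only; the field names, status values and sample data are
assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    email: str
    department: str
    title: str
    manager_id: Optional[str]
    status: str                      # assumed vocabulary: "active" | "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class DirectoryAccount:
    employee_id: str
    email: str
    department: str
    title: str
    manager_id: Optional[str]
    enabled: bool


# Attributes HR is authoritative for; any drift on these is a "mover" event.
MOVER_ATTRIBUTES = ("department", "title", "manager_id")


def is_left(rec: HrRecord, today: date) -> bool:
    """A person has left if HR marks them terminated, or a recorded
    termination date has passed. A future date keeps them active."""
    if rec.status == "terminated":
        return True
    return rec.termination_date is not None and rec.termination_date <= today


def reconcile(hr: list, directory: list, today: date) -> list:
    """Return lifecycle actions. Matching is by employee_id, never by email."""
    hr_by_id = {r.employee_id: r for r in hr}
    dir_by_id = {a.employee_id: a for a in directory}
    actions = []

    for emp_id, rec in hr_by_id.items():
        acct = dir_by_id.get(emp_id)
        if is_left(rec, today):
            # Leaver: disable rather than delete so audit evidence survives.
            if acct is not None and acct.enabled:
                actions.append({"action": "leaver_disable", "employee_id": emp_id, "email": acct.email})
            continue
        if acct is None:
            actions.append({"action": "joiner_create", "employee_id": emp_id, "email": rec.email})
            continue
        changes = {a: getattr(rec, a) for a in MOVER_ATTRIBUTES if getattr(rec, a) != getattr(acct, a)}
        if changes:
            actions.append({"action": "mover_update", "employee_id": emp_id, "changes": changes})

    # Enabled accounts with no HR record at all: flag for review, never auto-delete.
    for emp_id, acct in dir_by_id.items():
        if emp_id not in hr_by_id and acct.enabled:
            actions.append({"action": "orphan_review", "employee_id": emp_id, "email": acct.email})
    return actions


def demo() -> list:
    """Constructed sample feed and directory snapshot."""
    today = date(2026, 5, 6)
    hr = [
        HrRecord("E100", "alice@example.com", "Engineering", "Engineer", "E001", "active"),
        HrRecord("E101", "bob@example.com", "Finance", "Analyst", "E002", "active"),        # moved from Sales
        HrRecord("E102", "carol@example.com", "Engineering", "Engineer", "E001", "active"), # new hire
        HrRecord("E103", "dave@example.com", "Sales", "Rep", "E002", "active", date(2026, 5, 1)),   # left
        HrRecord("E104", "erin@example.com", "Sales", "Rep", "E002", "active", date(2026, 5, 31)),  # leaving later
    ]
    directory = [
        DirectoryAccount("E100", "alice@example.com", "Engineering", "Engineer", "E001", True),
        DirectoryAccount("E101", "bob@example.com", "Sales", "Analyst", "E002", True),
        DirectoryAccount("E103", "dave@example.com", "Sales", "Rep", "E002", True),
        DirectoryAccount("E104", "erin@example.com", "Sales", "Rep", "E002", True),
        DirectoryAccount("E999", "ghost@example.com", "IT", "Contractor", None, True),      # no HR record
    ]
    return reconcile(hr, directory, today)


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The orphan case is where MIM-style "sync and delete what the source no longer has" rules cause outages: service accounts and contractors without HR records get flagged for review here rather than deprovisioned automatically.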

Disconnected and non-API application support. MIM requires custom code for legacy applications without connectors. Modern platforms cover this ground with browser automation (increasingly AI-assisted) that drives an application's admin UI programmatically, HTTP Request actions for applications with basic REST endpoints but no SCIM support, and governed manual task routing for applications with no automation path at all. One caveat applies to the first two: the automation runs as a privileged administrator of the target application, so that credential or session needs the same secret-storage, scoping and audit treatment as any other service account, and its actions should appear in the same audit trail as a human administrator's.

Access reviews and compliance reporting. Automated access certification campaigns with reviewer dashboards, mandatory justification capture, and timestamped non-editable audit reports are native features of modern IGA platforms. Producing this in MIM requires additional tooling or significant custom development.

SaaS discovery and shadow IT. Modern platforms discover what applications employees are actually using through SSO logs, financial system integrations, and browser agents — including tools that were never formally provisioned. This visibility is foundational for both access reviews and offboarding completeness.
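The SSO-log side of that discovery, as an added example rather than anything from the article or from a named platform: a batch of constructed IdP sign-in events is compared against a sanctioned-app inventory (which records who was formally provisioned to each app) and a list of terminated users. The log format, field names and sample accounts are assumptions. The code flags three things the paragraph above cares about: apps nobody sanctioned, users exercising a sanctioned app they were never provisioned into, and successful sign-ins after a termination date (an offboarding gap).

```python
"""Shadow-IT and offboarding checks over constructed SSO sign-in events.

Added illustration only. The JSON-lines layout, field names and sample users are
assumptions; real IdP exports differ and need their own parser.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real tenant). One JSON object per line.
SSO_LOG = """\
{"ts":"2026-05-04T09:01:12Z","user":"alice@example.com","app":"Salesforce","result":"success"}
{"ts":"2026-05-04T09:03:40Z","user":"bob@example.com","app":"Salesforce","result":"success"}
{"ts":"2026-05-04T10:15:02Z","user":"carol@example.com","app":"Salesforce","result":"success"}
{"ts":"2026-05-04T11:22:51Z","user":"alice@example.com","app":"Notion","result":"success"}
{"ts":"2026-05-04T11:30:09Z","user":"erin@example.com","app":"Notion","result":"success"}
{"ts":"2026-05-03T08:45:00Z","user":"dave@example.com","app":"GitHub","result":"success"}
{"ts":"2026-05-04T12:00:00Z","user":"bob@example.com","app":"Jira","result":"failure"}
{"ts":"2026-04-20T16:05:33Z","user":"frank@example.com","app":"Miro","result":"success"}
"""

# Assumed inventory: sanctioned app -> users formally provisioned to it.
SANCTIONED = {
    "Salesforce": {"alice@example.com", "bob@example.com"},
    "GitHub": {"alice@example.com"},
}

# Assumed HR leaver data: user -> termination timestamp (UTC).
TERMINATED = {"dave@example.com": "2026-05-01T00:00:00Z"}


def parse_ts(value: str) -> datetime:
    # Accept the trailing "Z" on every supported Python version.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text: str) -> list:
    """Parse JSON lines, skipping blanks and malformed rows rather than aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def discover(events: list, sanctioned: dict, terminated: dict) -> dict:
    """Return unsanctioned apps, unprovisioned access and post-termination sign-ins.

    Only successful sign-ins count as usage; a failed attempt proves nothing
    about access actually held.
    """
    unsanctioned = defaultdict(set)
    unprovisioned = set()
    post_termination = []

    for ev in events:
        if ev.get("result") != "success":
            continue
        user, app, ts = ev["user"], ev["app"], ev["ts"]

        if user in terminated and parse_ts(ts) > parse_ts(terminated[user]):
            post_termination.append({"user": user, "app": app, "ts": ts})

        if app not in sanctioned:
            unsanctioned[app].add(user)
        elif user not in sanctioned[app]:
            # Sanctioned app, but this user was never provisioned through governance.
            unprovisioned.add((app, user))

    return {
        "unsanctioned_apps": {app: sorted(users) for app, users in sorted(unsanctioned.items())},
        "unprovisioned_access": sorted(unprovisioned),
        "post_termination_signins": sorted(post_termination, key=lambda e: e["ts"]),
    }


def run_demo() -> dict:
    return discover(parse_log(SSO_LOG), SANCTIONED, TERMINATED)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Sign-in logs only show applications that are federated through the IdP; anything reached with a local password never appears, which is why the paragraph above pairs SSO data with financial-system and browser-level signals.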

How to Evaluate Whether to Continue With MIM or Replace It

The evaluation question isn't just "is there a better tool" — it's whether the investment remaining in MIM implementation will deliver what you need, or whether the same investment in a different platform would get you further faster.

Useful questions to answer before deciding:

What are the specific gaps after a month of implementation? If they're integration-specific (legacy apps needing custom connectors), that's within MIM's normal scope but requires engineering time. If they're architectural (SaaS governance, access reviews, disconnected app management), those gaps don't close with more MIM configuration — they require either additional tools or a different platform.

What does your environment actually look like? MIM is strongest in heavily on-prem Microsoft environments. If you're running a hybrid or cloud-first SaaS stack, the platform mismatch may be the source of the gaps rather than implementation maturity.

What is the governance scope? If access reviews, SOC 2 compliance reporting, and shadow IT management are requirements, evaluate how each platform handles those specifically — not based on general capability claims, but with your actual application list and compliance requirements in hand.

Frequently Asked Questions

What is Microsoft Identity Manager and what are its main limitations?

Microsoft Identity Manager (MIM) is an on-premises identity synchronization and lifecycle management platform that works well in heavily Microsoft-integrated environments with Active Directory, Exchange, and Office 365. Its main limitations in modern environments are the engineering investment required for custom and legacy app integrations, limited out-of-the-box SaaS governance capabilities, and the lack of modern native access review and compliance reporting features (the legacy BHOLD Suite attestation module aside) that current IGA platforms include. Microsoft's own direction is toward Entra ID Governance as the cloud-based successor.

What is the modern replacement for Microsoft Identity Manager?

For Microsoft-centric environments migrating to the cloud, Entra ID Governance and Lifecycle Workflows are Microsoft's own successor path from MIM. For organizations that want broader SaaS governance beyond the Microsoft ecosystem, modern mid-market IGA platforms like Zluri handle the JML lifecycle, access reviews, and disconnected application management that MIM requires custom development to address. For large enterprises with complex on-prem requirements, SailPoint and Saviynt are the established enterprise IGA alternatives.

What are the gaps in Microsoft Identity Manager for modern SaaS environments?

MIM was designed for on-premises AD-centric environments and predates the SaaS-first architecture most organizations run today. Key gaps for modern environments include: no catalogue of ready-made SaaS connectors (each SaaS application is reached through per-application configuration of the generic web services, PowerShell or Graph connectors, or through a custom management agent), no modern access review or certification campaign features, no SaaS discovery for shadow IT, and no direct HRMS integration beyond what you build against an HR extract or API. These gaps are solvable with engineering investment but require significant ongoing maintenance.

Is there a good open-source alternative to Microsoft Identity Manager?

Open-source identity management tools like midPoint (Evolveum) cover much of the same provisioning and synchronization use cases as MIM with an active community and commercial support options. The challenge noted by practitioners with open-source IGA tools historically is that they scale poorly and are difficult to support over time as requirements grow. For organizations with dedicated IAM engineering resources, midPoint is a genuine option; for organizations that need faster time-to-value and lower maintenance overhead, a SaaS IGA platform is typically the better tradeoff.