Microsoft MIM to midPoint Migration
Mainstream support for Microsoft Identity Manager (MIM) ends April 2026.
Plan your migration to modern, open-source identity governance with We Know Identity.
Evolveum midPoint certified implementation and architecture
Proven methodology for large-scale identity system migrations
On-site and remote teams in EU timezone, GDPR-compliant operations
Deep knowledge of sustainable, transparent identity systems
The Situation: MIM EOL and Your Options
Microsoft Identity Manager (MIM) 2016 reached mainstream support end-of-life on April 14, 2026.
Extended support continues until January 9, 2029, but the clock is ticking. Organizations relying on MIM for identity lifecycle automation,
governance, and compliance now face an urgent decision: plan migration or incur growing support risk and operational liability.
Critical Risks of Remaining on MIM
- No new security patches or feature updates after mainstream EOL; extended support provides only critical fixes
- Compliance exposure: auditors and security teams will flag unsupported identity infrastructure
- Integration complexity: MIM connectors become harder to maintain as external systems modernize
- Limited vendor ecosystem: fewer partners willing to support or develop for MIM
- Higher operational cost: legacy platforms require more workarounds and manual administration
- Talent drain: infrastructure and IAM talent increasingly avoid legacy systems
Why Migrate Now?
Waiting until extended support ends in 2029 increases technical debt and migration risk. Organizations that migrate now gain:
- Time to execute properly: a 2–3 year runway allows phased rollout, comprehensive testing, and team training
- Operational stability: parallel runs and gradual cutover reduce business disruption
- Cost efficiency: phased migration spreads capital and operational expense and avoids the cost and burnout of an emergency migration
- Technology advantage: modern identity platforms are better integrated with cloud, APIs, and modern HR/business systems
- Governance strength: newer IAM platforms excel at role management, compliance automation, and user lifecycle
Why midPoint?
midPoint is a modern, enterprise-grade identity and access management (IAM) and identity governance (IGA) platform
built specifically for complex identity infrastructure. For organizations migrating from MIM, midPoint offers compelling advantages.
1. Open Source + Enterprise Stability
midPoint is open-source but production-hardened by Evolveum and deployed at scale globally.
You avoid Microsoft vendor lock-in while retaining commercial support, SLAs, and professional development.
2. No Per-User Licensing
midPoint is licensed per deployment, not per identity. Scale to thousands of users without exponential cost growth.
Particularly advantageous for large enterprises with dynamic user populations.
3. Active, Transparent Development
Evolveum releases regular feature updates, security patches, and community-driven improvements.
You’re not waiting for a vendor roadmap; you have influence over platform direction.
4. Powerful Connector Framework
midPoint’s connector architecture is cleaner and more flexible than MIM’s.
Custom connector development is faster and more maintainable; many standard systems (AD, LDAP, databases, APIs, HR)
have first-class support.
5. Governance + Compliance Automation
midPoint includes sophisticated role engineering, access reviews, segregation of duties (SoD) management,
and compliance workflows. These capabilities are deeply integrated, not bolted-on.
6. Migration Tooling + Experience
Evolveum and its partner ecosystem have built proven migration patterns from MIM, SAP IDM, One Identity, and custom legacy systems.
Parallel runs, data mapping, and cutover support are standard practice.
What a MIM-to-midPoint Migration Involves
Migration scope depends on your current MIM deployment complexity, connector count, customization depth, and operational requirements.
We assess and plan every engagement individually. Below is what a typical enterprise migration encompasses.
Core Migration Components
- Environment assessment: audit current MIM connectors, policies, rules, metaverse design, and custom code
- Connector mapping and rebuild: evaluate each MIM connector; rebuild in midPoint or select midPoint native equivalents
- Policy and rule migration: extract MIM synchronization rules, MPR rules, and workflow logic; redesign for midPoint object templates and mappings
- Workflow recreation: migrate MIM workflow definitions to midPoint request workflows and approval automation
- User provisioning logic: translate account creation, modification, and deprovisioning flows to midPoint provisioning patterns
- Governance model redesign: map RBAC, role hierarchies, SoD constraints to midPoint role definitions and policy rules
- Data migration and reconciliation: plan identity data migration with validation, reconciliation, and rollback procedures
- Testing and UAT: parallel environment testing, reconciliation testing, cutover readiness validation
- Cutover planning and execution: phased or big-bang cutover strategy, with fallback procedures
- Operations handover: training, runbook documentation, post-go-live support ramp
Typical Scope Boundaries
In scope (generally included): midPoint platform deployment, connector engineering, identity data migration,
governance policy redesign, UAT, and 30–90 days of post-go-live stabilization support.
Typically a separate engagement or ongoing service: custom application integration beyond standard connectors,
advanced analytics/reporting layer, long-term managed services or advisory retainers, extensive organizational change management or end-user training.
We develop a detailed statement of work (SOW) during the assessment phase to clarify scope, timeline, effort, and cost.
Our MIM-to-midPoint Migration Methodology
We follow a proven five-phase approach that balances speed, risk control, and operational quality.
Each phase includes deliverables, validation gates, and clear handoff criteria. View our full implementation methodology.
Assessment
Document current MIM environment, identify dependencies, audit connector landscape,
evaluate complexity, and estimate migration effort and risk.
Architecture & Design
Design target midPoint platform (deployment, sizing, HA/DR).
Map MIM connectors to midPoint. Design identity and access governance model.
Plan data migration and reconciliation.
Build & Integration
Deploy and configure midPoint. Engineer and test connectors.
Implement identity data migration. Build and test workflows, policies, and governance rules.
UAT & Testing
Execute comprehensive user acceptance testing.
Run parallel environments; validate data accuracy and reconciliation.
Verify cutover readiness.
Go-Live & Handover
Execute cutover plan. Monitor system during transition.
Provide stabilization support. Deliver operations documentation and training.
Key Principles
- Phased approach: prioritize critical services first; migrate in waves to distribute risk and effort
- Parallel validation: run MIM and midPoint in parallel during UAT; reconcile identity data continuously
- Rollback planning: every phase includes fallback procedures; cutover includes immediate rollback capability
- Stakeholder alignment: frequent communication with business owners, IT operations, and security teams
- Knowledge transfer: hands-on training and documentation ensure your team owns the platform post-go-live
Frequently Asked Questions
How long does a MIM-to-midPoint migration typically take?
Timeline depends on complexity, connector count, customization depth, and organizational readiness.
A typical enterprise migration ranges from 6 months to 18 months from assessment to full cutover and stabilization.
Simple, well-scoped migrations with 3–5 connectors may take 4–6 months.
Complex deployments with 20+ connectors, extensive custom code, and high data volume may take 12–18 months.
We provide detailed timeline estimates during the assessment phase, with phased milestones and risk factors called out.
Can we run MIM and midPoint in parallel during migration?
Yes, absolutely. Parallel operation is the standard approach for large, mission-critical migrations.
We typically run both systems in parallel for UAT and early production cutover. This approach:
- Allows continuous reconciliation and data validation
- Reduces cutover risk; you can roll back if needed
- Gives your team confidence in the new system before full migration
- Supports phased service migration, connector by connector
Parallel operation adds infrastructure cost and operational overhead but is well worth the risk reduction and confidence gain.
Will our current MIM connectors work in midPoint?
Not directly. midPoint has a different connector architecture from MIM's. However, we have multiple paths forward:
- Native midPoint connectors: Many standard systems (Active Directory, LDAP, SQL databases, APIs, HR systems) have first-class connector support in midPoint
- Custom connector development: We engineer connectors for proprietary or complex systems using midPoint’s connector framework
- Hybrid approach: Use native connectors where available; engineer custom connectors for unique systems
We assess your current connector landscape during the assessment phase and recommend the most efficient rebuild strategy.
What happens to our identity data during migration?
Identity data migration is planned and validated carefully to ensure zero loss and data integrity.
Our typical approach:
- Extract and map identity data from MIM metaverse and repositories
- Load into midPoint using bulk import tools or APIs
- Reconcile data against source systems and MIM baseline
- Validate key metrics: user count, account status, group membership, role assignments
- Run reconciliation reports pre- and post-cutover to confirm integrity
You maintain full visibility and control. Data migration is tested in non-production environments first.
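The reconciliation step above, as an added illustration (not tooling from We Know Identity or Evolveum): compare a MIM baseline snapshot with a midPoint export on the key metrics listed (user count, account status, group membership, role assignments). Both snapshots are constructed inline; the `Identity` shape and the `uid` join key are assumptions, and in practice the records would be exported from the MIM metaverse and from midPoint.

```python
"""Reconcile a MIM baseline against a midPoint export after identity data migration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    uid: str                          # join key, e.g. employee ID (assumed)
    status: str                       # "enabled" or "disabled"
    groups: frozenset = frozenset()   # group memberships
    roles: frozenset = frozenset()    # assigned roles


def reconcile(baseline, target):
    """Return findings per metric; empty lists mean the metric matches."""
    base = {i.uid: i for i in baseline}
    tgt = {i.uid: i for i in target}
    findings = {
        "user_count": {"baseline": len(base), "target": len(tgt)},
        "missing_in_target": sorted(base.keys() - tgt.keys()),
        "unexpected_in_target": sorted(tgt.keys() - base.keys()),
        "status_mismatch": [],   # (uid, baseline status, target status)
        "group_mismatch": [],    # (uid, groups lost, groups gained)
        "role_mismatch": [],     # (uid, roles lost, roles gained)
    }
    for uid in sorted(base.keys() & tgt.keys()):
        b, t = base[uid], tgt[uid]
        if b.status != t.status:
            findings["status_mismatch"].append((uid, b.status, t.status))
        if b.groups != t.groups:
            findings["group_mismatch"].append((uid, sorted(b.groups - t.groups), sorted(t.groups - b.groups)))
        if b.roles != t.roles:
            findings["role_mismatch"].append((uid, sorted(b.roles - t.roles), sorted(t.roles - b.roles)))
    return findings


def is_clean(findings):
    """True only when every metric matches; any drift blocks cutover."""
    counts = findings["user_count"]
    return counts["baseline"] == counts["target"] and not any(
        findings[k] for k in ("missing_in_target", "unexpected_in_target",
                              "status_mismatch", "group_mismatch", "role_mismatch"))


# Constructed sample snapshots: e1002 is a leaver disabled in MIM but still enabled in
# midPoint (a deprovisioning gap), e1003 lost a group and gained a role (SoD-relevant).
MIM_BASELINE = [
    Identity("e1001", "enabled", frozenset({"staff", "vpn"}), frozenset({"Employee"})),
    Identity("e1002", "disabled", frozenset({"staff"}), frozenset({"Employee"})),
    Identity("e1003", "enabled", frozenset({"staff", "finance"}), frozenset({"Employee", "AP-Clerk"})),
]
MIDPOINT_EXPORT = [
    Identity("e1001", "enabled", frozenset({"staff", "vpn"}), frozenset({"Employee"})),
    Identity("e1002", "enabled", frozenset({"staff"}), frozenset({"Employee"})),
    Identity("e1003", "enabled", frozenset({"staff"}), frozenset({"Employee", "AP-Clerk", "AP-Approver"})),
]

if __name__ == "__main__":
    result = reconcile(MIM_BASELINE, MIDPOINT_EXPORT)
    for metric, value in result.items():
        print(metric, value)
    print("cutover ready:", is_clean(result))
```

Run the same comparison before and after cutover; a status mismatch on a disabled baseline account is the finding to treat as a blocker, since it means a leaver regained access through the migration.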
Do we need to replace our entire infrastructure, or can we reuse existing servers?
You have deployment flexibility. midPoint can run on your existing infrastructure if it meets performance and security requirements.
Deployment options include:
- On-premises VMs: Deploy on ESXi, Hyper-V, or KVM; reuse existing virtualization infrastructure
- Physical servers: Supported, though less common in modern environments
- Cloud IaaS: AWS EC2, Azure VMs, or other cloud providers
- Kubernetes / containers: Deploy midPoint in containerized environments for modern DevOps practices
We assess your current infrastructure during the design phase and recommend the deployment model that best suits your environment and future roadmap.
What about governance and compliance features? Does midPoint replace MIM’s workflow and approval capabilities?
Yes, and it often exceeds them. midPoint includes sophisticated governance, approval, and compliance automation:
- Request workflows: Multi-step approval processes for access requests, role assignments, and account modifications
- Role engineering: Flexible role hierarchies, role catalogs, and automated role assignment
- Segregation of duties (SoD): Conflict detection and prevention at access grant time
- Access reviews: Scheduled, data-driven reviews of user access with built-in approval workflows
- Joiner/mover/leaver automation: Full identity lifecycle tied to HR events (hiring, transfers, termination)
midPoint governance is more modern and more granular than MIM’s workflow engine. You’ll likely find it easier to model complex business rules and approval hierarchies.
How much will the migration cost?
Cost depends on scope, complexity, timeline, and staffing model. We provide a detailed cost estimate during the assessment phase.
Budget typically includes:
- Professional services (assessment, design, engineering, UAT, go-live)
- midPoint licensing (typically per-deployment, not per-user)
- Infrastructure (servers, databases, or cloud resources)
- Training and knowledge transfer
- Post-go-live support and stabilization
Many organizations find that midPoint’s per-deployment licensing model yields lower TCO than MIM’s per-user model, especially as user populations scale.
What training and support do we get after go-live?
Knowledge transfer and ongoing support are critical to successful migration. We include:
- Hands-on training: Operations team training on deployment, configuration, troubleshooting, and day-to-day management
- Documentation: Architecture guides, runbooks, deployment procedures, and emergency procedures
- Stabilization support: Typically 30–90 days of post-go-live support to address issues and optimize performance
- Ongoing advisory: Many clients continue advisory or retainer relationships for governance questions, major configuration changes, or technology roadmap decisions
Your team owns and operates the platform; we ensure you have the knowledge and tools to do so confidently.
What is your experience with SAP IDM, One Identity, or other legacy IAM migrations?
We have experience migrating from multiple legacy IAM platforms including SAP IDM, Microsoft MIM, One Identity Directory,
IBM Identity Manager, and custom in-house systems. The patterns are similar across platforms:
- Audit and document the existing platform
- Redesign identity and governance models for modern architecture
- Engineer connectors for the target system landscape
- Validate data migration and reconciliation
- Execute phased or parallel cutover
Each migration is unique, but lessons learned across multiple engagements strengthen our approach and reduce risk.
Can We Know Identity support us on an ongoing basis after migration?
Yes. We offer several post-migration engagement models:
- Advisory retainer: Ongoing strategic and architectural guidance on midPoint governance and roadmap
- Support and SLA: Dedicated support with defined SLAs for critical issues
- Managed services: We can manage operational aspects of the midPoint deployment (patching, upgrades, backups, monitoring)
- Project-based engagements: Major features, integrations, or system enhancements as the business demands
We work with each client to define the right support model based on organizational maturity, team size, and business complexity.
Start Your MIM Migration Planning Today
Don’t wait until extended support ends. A structured assessment and migration plan
puts you in control of your identity infrastructure timeline and cost.
We’ll evaluate your current MIM environment, outline migration approach, and discuss timeline and investment.
For Decision-Makers
Microsoft Identity Manager reached mainstream end-of-life in April 2026. Every month your organization remains on MIM increases security exposure, compliance risk, and the eventual cost of migration. A structured migration to midPoint typically takes 6–18 months — meaning the window for a controlled, phased transition is narrowing. We plan and execute MIM-to-midPoint migrations with parallel operation, connector-by-connector cutover, and zero-downtime handoff — replacing per-user licensing with an open-source platform your team owns completely.