
    Microsoft Identity Manager Replacement: The Case for Open-Source IGA in European Enterprises

    23 mar 26
    Microsoft Identity Manager has been a workhorse of enterprise identity management for over a decade. It’s deeply embedded in thousands of organizations — connected to Active Directory, SAP, HR systems, and dozens of custom applications, running synchronization rules and workflows that nobody fully remembers writing. And it’s reaching the end of its road.

    Microsoft extended MIM 2016 support to January 9, 2029 for Entra ID Premium customers. But the writing has been on the wall for much longer: Microsoft stopped actively developing MIM in 2021, shifting its focus entirely to Entra ID. The product hasn’t received meaningful feature investment in years. It reflects its age — complex to install, difficult to maintain, and increasingly misaligned with modern identity governance standards.

    If your organization is running MIM today, the question isn’t whether you’ll need to migrate. It’s whether you’ll do it on your terms or under pressure.

    01

    The Microsoft Migration Path — And Why It Doesn’t Work for Everyone

    Microsoft’s recommended successor is Entra ID Governance — a cloud-native platform that moves your identity governance entirely into the Microsoft cloud. For organizations deeply invested in the Microsoft ecosystem with straightforward identity requirements, this path has obvious appeal: tight integration, reduced infrastructure overhead, automatic updates.

    But Entra ID Governance is not a like-for-like replacement for MIM. The differences matter:

    Architecture. MIM runs on-premises, giving you full control over identity data, synchronization logic, and connectivity to target systems. Entra ID is cloud-first. For hybrid environments — which is most enterprises — this means managing identity synchronization across on-prem and cloud boundaries, with all the complexity that entails: forest/domain synchronization issues, custom attributes that don’t cleanly map to cloud directories, and firewalls that impede cloud-to-ground communication.

    Customization. If your organization has spent years building custom workflows, approval processes, and business rules in MIM, you’ll find that Entra ID doesn’t offer the same level of flexibility. It’s designed to work optimally within a Microsoft environment. If your business processes don’t align with that approach, you’ll need to either change your processes or build workarounds — both of which add time, cost, and risk.

    Sovereignty. This is where the conversation gets particularly relevant for European enterprises. Moving your identity governance platform — the system that controls who can access what across your entire digital estate — into a US-headquartered cloud raises questions that regulators and auditors are increasingly asking. Under NIS2, DORA, and national KRITIS regulations, organizations must demonstrate control over critical ICT systems and their data. Pointing at a Microsoft compliance attestation is not the same as pointing at infrastructure you physically control.

    Cost. Per-user pricing models look straightforward during initial evaluation. At enterprise scale, they rarely stay that way. Premium features, additional connectors for non-Microsoft systems, custom development requirements, and licensing fees compound over time. Organizations regularly report that total cost of ownership for cloud IGA significantly exceeds initial projections — especially when your identity landscape extends beyond the Microsoft ecosystem.

    02

    The Open-Source Alternative: midPoint

    For organizations where Entra ID isn’t the right fit — whether due to sovereignty requirements, hybrid complexity, customization needs, or cost — there’s a mature, production-proven alternative.

    midPoint is an open-source identity governance and administration (IGA) platform developed by Evolveum, a European company based in Slovakia. It’s recognized by Gartner in the IGA category, licensed under the European Union Public License (EUPL), and deployed across enterprises in financial services, telecom, healthcare, higher education, and public sector.

    MIM is primarily an identity provisioning engine. midPoint is a complete IGA platform. The difference matters:

    • Identity lifecycle management — automated onboarding, role changes, offboarding, triggered by HR events or manual workflows
    • Role-based access control (RBAC) — with support for organizational roles, application roles, business roles, and complex role hierarchies
    • Access certification — periodic reviews of who has access to what, with approval workflows and evidence trails
    • Policy enforcement — segregation of duties, minimum/maximum role constraints, risk-based assignment policies
    • Audit trails — complete history of every identity change, access request, and policy decision
    • Simulation — evaluate the impact of configuration changes on real data before applying them to production (a feature that generated significant interest at the recent Gartner IAM Summit in London)

    If your current MIM deployment is essentially provisioning users to AD and a handful of target systems, you’re replacing like-for-like. If you need actual governance — and under NIS2 and DORA, you increasingly do — midPoint gives you the full stack.

    03

    Deployment Flexibility

    midPoint runs wherever you need it:

    • On-premises in your data center, on infrastructure you control
    • In a private cloud within your sovereign cloud environment
    • As a managed service through Inalogy’s IAM Factory — a hosted midPoint environment where we handle operations, upgrades, and monitoring

    This isn’t a “cloud or nothing” decision. You choose the deployment model that fits your regulatory requirements, technical architecture, and operational preferences. And you can change it later without re-platforming.

    04

    Connector Ecosystem

    MIM’s connector framework (ECMA2 / Management Agents) has served its purpose, but it’s aging. midPoint uses the ConnId connector framework, which provides:

    • Native connectors for LDAP, Active Directory, databases (JDBC), CSV, REST APIs, and SCIM
    • A growing catalog of community-built connectors
    • AI-assisted connector generation through midPilot, Evolveum’s AI-powered assistant (funded by the EU Recovery and Resilience Plan), which can generate connector code from API documentation

    For organizations with extensive MIM connector estates, migration means mapping each Management Agent to a midPoint connector or resource definition. In our experience, this is rarely the bottleneck it appears to be. Most MIM connectors fall into a handful of patterns (LDAP, database, flat file, web service), and midPoint handles all of them natively.

    05

    Open Source — Why It Matters for IGA

    Being open source isn’t just about licensing costs (though the absence of per-user fees matters at enterprise scale). It’s about three things that are particularly relevant for identity governance:

    Transparency. Your security team can inspect every line of code in the platform that controls access to your entire digital estate. No black boxes. No “trust us, it’s secure.” Full auditability.

    Independence. You’re not locked into a vendor’s roadmap, pricing decisions, or strategic pivots. If Evolveum changed direction tomorrow, the code base would remain available under EUPL. Your identity infrastructure doesn’t disappear.

    Community. midPoint has an active development community, regular releases, and an upcoming 2nd Annual MidPoint Community Meetup in Prague (May 12-15, 2026) where users, partners, and the product team collaborate on the platform’s direction.

    06

    How We Migrate: A Practical Framework

    At Inalogy, we’ve migrated organizations from MIM (and other legacy platforms) to midPoint across Central and Western Europe. Here’s what a typical engagement looks like:

    Phase 1: Discovery & Assessment (2-4 weeks)

    Before writing a single line of configuration, we need to understand what you have:

    • Inventory all MIM Management Agents, synchronization rules, and connected systems
    • Map business processes that depend on identity provisioning and governance
    • Document custom workflows, extensions, and integrations
    • Assess data quality in your identity store — this is often where surprises live
    • Identify what’s actually used vs. what’s legacy configuration that nobody remembers building

    The output is a Migration Blueprint — a document your team and management can use to understand scope, timeline, risk, and resource requirements.

    Phase 2: Parallel Implementation (2-6 months)

    We build the midPoint environment while MIM continues to operate:

    • Stand up midPoint in your target environment (on-prem, cloud, or IAM Factory)
    • Configure connectors for each target system currently served by MIM
    • Implement role model, policies, and workflows — often improving on MIM’s original design
    • Connect midPoint to your identity sources (HR, AD, etc.) in read-only mode first
    • Run reconciliation to verify data consistency between MIM and midPoint

    This is where AI-assisted delivery makes a significant difference. Using AI coding tools throughout our implementation process, connector development that historically required three weeks of scoping, development, and testing now follows a different model: AI-assisted prototype on day one, engineer review and refinement on day two, client UAT in week one. Across our recent engagements, tasks that took a week now take a fraction of that time.

    Phase 3: Cutover & Decommission (2-4 weeks)

    Once midPoint is validated against your production data:

    • Switch identity sources from MIM to midPoint (phased, by target system)
    • Decommission MIM Management Agents one by one
    • Verify each cutover with automated reconciliation
    • Complete documentation and knowledge transfer

    Phase 4: Post-Migration Optimization

    Migration isn’t the finish line — it’s the starting point for modern IGA:

    • Implement access certification campaigns (likely new if you were on MIM)
    • Configure segregation of duties policies
    • Enable self-service access requests
    • Tune reporting and dashboards for compliance evidence
    • Train your team on midPoint administration

    07

    Timeline Reality Check

    Every migration is different, but here’s a realistic framework based on our experience:

    • Mid-market (1,000-5,000 users) — Simple (AD + 3-5 target systems): 3-4 months
    • Enterprise (5,000-20,000 users) — Moderate (AD + 10-15 systems + custom workflows): 5-8 months
    • Large enterprise (20,000+ users) — Complex (multiple AD forests, 20+ systems, extensive customization): 8-14 months

    These timelines assume adequate resource allocation and reasonable client-side availability. The single biggest variable isn’t technical complexity — it’s organizational readiness and stakeholder alignment.

    08

    Why Starting Now Matters

    The Evolveum partner ecosystem — including Ventum, ACEN, IT Concepts, DAASI International, and Inalogy — is seeing accelerating demand for MIM migration engagements. The partners with experienced midPoint consultants are booking up for 2026 and 2027.

    This is the same pattern we saw with SAP IDM migrations (SAP IDM mainstream maintenance ends December 31, 2027). Organizations that started planning 18-24 months ahead got their pick of partners and had time for proper discovery. Organizations that waited are now competing for scarce resources on compressed timelines.

    MIM’s January 2029 deadline feels comfortable today. It won’t feel comfortable in January 2028 when you’re trying to find an implementation partner, align stakeholders, and execute a migration in 12 months.

    09

    The Bottom Line

    Microsoft Identity Manager served its purpose. It brought identity management to enterprises that needed it, connected systems that needed connecting, and automated processes that needed automating. But its time has passed.

    The question isn’t whether to migrate — it’s what to migrate to. For European enterprises that need sovereignty, flexibility, full IGA capabilities, and cost predictability, midPoint is the strongest alternative on the market. It’s recognized by Gartner, backed by a growing partner ecosystem, and deployed in production across regulated industries.

    And with AI-assisted delivery, the migration is faster and more predictable than it’s ever been.

    If you’re running MIM and haven’t started scoping your replacement, let’s talk. Inalogy offers a no-obligation Migration Readiness Assessment — a focused engagement where we review your current MIM landscape and deliver a realistic migration roadmap.

    Inalogy is a European IAM specialist and Evolveum Silver Partner. We deliver midPoint and Keycloak implementations across financial services, telecom, higher education, and public sector, with offices in Bratislava. We’re pioneering AI-assisted IAM delivery — compressing implementation timelines without compromising quality.

    Sources: Microsoft MIM 2016 docs (EOL Jan 9, 2029) · Evolveum Migration Guide · Evolveum Partner Roundtable · On-Prem vs Cloud IGA · midPilot AI-Powered IGA
