BHOLD wins the Microsoft IAG lottery

By Ian Glazer | September 23, 2011 | 3 Comments

Microsoft announced that it has acquired “certain assets of BHOLD.” Without having received more details from the team at Microsoft, my interpretation is that they acquired the core of BHOLD’s product set – because they are claiming the acquisition will add “in-depth role management, separation of duties, access certification, and authorization management.”

This is a sensible deal for Microsoft. Forefront Identity Manager lacks IAG capabilities and an acquisition strategy makes perfect sense. (Interesting to note that of the big brand vendors, IBM will be the only one to grow-their-own and not acquire someone.) It will be interesting to see if Microsoft folds the BHOLD IAG capabilities directly into FIM or keeps them aside as a separate product. Given Microsoft’s track record, if they decide to roll BHOLD’s IAG capabilities into a future release of FIM, customers should not expect such a release until 2013.

Let’s return to the quote from Microsoft’s web site again… “in-depth role management, separation of duties, access certification, and authorization management.” Catch that last bit? Authorization management. BHOLD had some interesting ways of behaving like a PDP for SharePoint. In some regard, BHOLD was the first vendor to unify IAG and EAM functionality. It will be very interesting to see if those authorization capabilities end up being used as a module of or bridge to ADFS v2. Time will tell…

So what’s the lottery aspect of this post? Consider that there were at least four IAG vendors who specifically built their solutions on top of ILM/FIM: Omada, Voelcker, and BHOLD. The lottery works like this. If you get acquired by Microsoft (or Quest), you win! If you don’t get acquired, you lose and the risk to your market increases. Voelcker was acquired by Quest. BHOLD is now Microsoft. This leaves Omada standing alone. If I were an Omada customer, I’d sit tight and watch whether Microsoft rolls the BHOLD capabilities into the core of FIM. If Microsoft does offer BHOLD capabilities within FIM, then vendors like Omada will be at risk. If Microsoft offers BHOLD capabilities as a separate product, then there is less risk to Omada and its customers. Needless to say, the market around Microsoft’s identity offerings is just getting interesting.

UPDATE Sept 23 to remove inaccurate reference to DotNetFactory as a FIM-based product.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


  • Ian,

    I just wanted to make a correction to your statement. The Dot Net Factory isn’t in any way built on Microsoft FIM. We explored that avenue back in 2008 but decided that it did not offer a base platform with which we could compete in IDM opportunities against Oracle, Novell and IBM. We built our own workflow, metadirectory, RBAC model, and sync engine to overcome what we saw as concrete limitations of the MIIS engine. Looking back this was definitely a major turning point for us and has allowed us to compete and win against the majors in our space.


  • Hi Ian,

    Just to clarify, Voelcker ActiveEntry (now Quest One Identity Manager) is not, and has never been, built on FIM. Q1IM has its own provisioning and sync capabilities, with a full set of connectors for major identity stores and databases, including AD, SAP, Notes, LDAP, SPML, etc. We do provide a full-featured connector to FIM, and some of our customers use Q1IM as their governance and IdM solution while letting FIM handle the provisioning/metadirectory functions, but Q1IM doesn’t rely on or require FIM (or MIIS/ILM) to provide any functionality.

    Thanks for making the correction,


    Gil Kirkpatrick
    Chief Architect, Quest Software

  • Vendor inaccuracies aside, this is a great acquisition.
    I agree, Ian, it will seriously marginalize the players who didn’t get closer to the vortex, but they have been heading down that route for some time anyway.
    Despite this product rollup, reporting is missing. Compliance reporting with immediate time to value, zero upfront cost, same day ‘connect and view’, 30 day free trial and subscription based access, is still the most compelling value add offering for FIM2010.
    Microsoft is the last of the big IAM/IDA vendors to build their suite. Since Zoomit was acquired by Microsoft in 1999, IBM has acquired Access 360 and Metamerge to create the Tivoli suite, Oracle has acquired Thor and others to create Oracle OIM, Omada has OEM’d my own product FastPass, to complete Omada Identity Manager, and many others have come to take a slice of the pie…all with a view to being listed in the Gartner Provisioning MQ. All have missed the point and all have missed the opportunity that stared them in the face.

    None of these offerings address the business need. None of these offerings speak to the business. None of these offerings present a consolidated view to the customer of his environment to protect him from financial or IP loss. Microsoft is beginning to ‘get it’. Finally they are understanding that this world of IDM is more than serving the need of the IT Pro. Great work.