Back in March, my colleague Darren Robinson published this post which nicely explains how to use Søren Granfeldt’s FIM/MIM PowerShell MA to manage SharePoint Online profiles. While Darren’s post covers everything you need to connect to SPO and manage user profiles via FIM/MIM, some of your clients may prefer to use the Microsoft equivalent for reasons of perceived support and product quality. This post will cover off what is required to get the Connector up and running.

Prerequisites

To get this show on the road, you’re going to need the following

Setting up the Connector

First up, if you’re here because you just need to get an SPO connector up and going and get some attributes flowing, I’m going to make your life real easy: here is a full export of a working MA with a bunch of attributes configured in the scripts and ready to go. Just add your own credentials, tenant SPO admin URL, join rules and attribute flows and you’re done. You’re welcome. If you do however have some time to fill in your day, feel free to follow along.

Create a new Connector in the Sync Engine. Provided you have correctly installed the PowerShell connector linked in the prerequisites, you will see “PowerShell (Microsoft)” as an available Connector type. Give your Connector a name and click next, where you will see the connectivity tab appear.

Connectivity Tab Settings

Plug in the following configuration items:

Server: https://yourtenant-admin.sharepoint.com/
User: yourSPOserviceaccount@yourtenant.onmicrosoft.com
Password: yourSPOserviceaccountpassword
Common Module Script Name: FIMPowerShellConnectorModule.psm1

You will now see where you can start to paste some scripts. On this tab, we will provide two scripts – the common module script, which was written by Microsoft and contains functions used in our import and export scripts, and a schema script. The schema script contains the attributes I was interested in for now, which you can add to using the same formatting. My scripts are as follows:
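As an added illustration of the schema script format (this is not the author's script; which SPO profile properties to expose is an assumption, and the type and attribute factory calls are those of Microsoft's PowerShell Connector), a schema script for this MA looks like this:

```powershell
# Added illustrative schema script for the Microsoft PowerShell Connector (not the author's script).
# The connector runs this script and expects a Microsoft.MetadirectoryServices.Schema object as its output.
$schema = New-Object -TypeName Microsoft.MetadirectoryServices.Schema

# One object type, "user"; $true locks the anchor definition so it cannot be altered in the MA designer.
$userType = [Microsoft.MetadirectoryServices.SchemaType]::Create("user", $true)

# Anchor attribute: the SPO profile AccountName (claims-encoded, e.g. "i:0#.f|membership|user@tenant.onmicrosoft.com").
$userType.Attributes.Add(
    [Microsoft.MetadirectoryServices.SchemaAttribute]::CreateAnchorAttribute(
        "AccountName", [Microsoft.MetadirectoryServices.AttributeType]::String))

# Single-valued string profile properties (assumed selection); add further properties using the same pattern.
foreach ($name in @("PreferredName", "Title", "Department", "Office", "WorkPhone")) {
    $userType.Attributes.Add(
        [Microsoft.MetadirectoryServices.SchemaAttribute]::CreateSingleValuedAttribute(
            $name, [Microsoft.MetadirectoryServices.AttributeType]::String))
}

# Multi-valued example: SPS-Skills is a multi-value profile property in SPO.
$userType.Attributes.Add(
    [Microsoft.MetadirectoryServices.SchemaAttribute]::CreateMultiValuedAttribute(
        "SPS-Skills", [Microsoft.MetadirectoryServices.AttributeType]::String))

$schema.Types.Add($userType)

# The last expression is what the connector reads back as the schema.
$schema
```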

Common Module Script

Schema Script

Capabilities Tab Settings

On the capabilities tab, after much trial and error, I settled on the configuration shown in the screenshots below.


Global Parameters Tab Settings

Import Script

Export Script

Join Rules and Attribute Flows

I am not going to go into Join Rules or Attribute Flows in any detail here, as those things are specific to your organisation and its requirements. The process for creating Join Rules and Attribute Flows is exactly the same as for every other FIM MA you’ve ever worked with.

Troubleshooting

As with any PowerShell scripting or FIM work, it’s not just going to work first time as expected when you hit the go button. Particularly with this Connector, the default level of logging will just tell you something didn’t work, and offer you no real detail as to why. For this reason, during development you’ll want to crank up the logging. The following steps on enabling logging are shamelessly plagiarised from Technet.

Open the %ProgramFiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\bin\miiserver.exe.config file using a text editor and paste the following XML into the file on the line immediately following the <sources> tag.

Create the directory c:\logs, grant the service account for the synchronization service Modify permissions to the c:\logs directory, then restart the synchronization service. By default, PowerShell errors and some other data from the MA will be logged here, but you can be as verbose as you like in your script by including cmdlets like Write-Debug.

Conclusion

Following the steps above, it should be relatively straightforward to spin up an SPO Connector and get some attributes flowing. Hopefully this post has saved you a bit of time and effort!

Category:
FIM, Identity and Access Management, PowerShell, SharePoint

5 Comments

  1. Hi!

    Thank you, very useful job 🙂
    I wonder something: on the SPO side, I know that we have to use the tenant-admin.sharepoint.com URL to modify data. My problem is that when I import data from this URL I find only admin users; I can only find other users when I request the admin.sharepoint.com URL (I used to have the same issue with a PS script; I was able to do the job by importing on admin.sharepoint.com and writing on tenant-admin.sharepoint, annoying…).
    Do you know how I could find all users in tenant-admin? A parameter or user right?
    My admin account has Follow People and Edit Profile permissions.

    Regards,
    Pwnnny

  2. Hi!

    Just an update: it works like a charm in the PowerShell connector if we use tenant.sharepoint.com in the Import Script and the variable tenant-admin.sharepoint.com for the Export.
    Thank you again for this. 🙂

    Regards,
    Pwnnny

  3. Hi! Thanks so much for your article and your explanation on the PowerShell MA. Your thorough explanation was very valuable to me to give me a boost with my first PowerShell MA. I have customized your script only to successfully connect to Exchange PowerShell and get the desired attributes. Now I want to be able to do delta imports as well, since I want to get the TotalItemSize of users, let’s say, every 24h (so the whole point of my MA is to track the change in this attribute, and the sync service will have a time scheduler for delta imports).
    However, I am not sure how to proceed with the delta import. You mention that we should choose “Enable Delta Import”. Although I read that in order to do that we should have the attributes $OperationType and RunStepCustomData populated. If I understood correctly the $OperationType should take the value “delta” when a delta import is performed and the “RunStepCustomData” should store a delta watermark attribute which will be used for the next delta import. I am not sure how to configure these attributes in the current Import script you wrote because I am afraid that would make the script unusable.

    Any help will be amazing! I am a junior with MIM and with PowerShell and there is much I still have to learn to figure this out! But I believe that with a small customization of your import script I could achieve a delta import as well.

    What are your thoughts?

    Thanks in advance
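As an added example (not from the author or the commenter), here is how an import script for the Microsoft PowerShell Connector can distinguish a delta run from a full run and carry a watermark between runs. It assumes the connector’s standard script variables ($ConfigParameters, $OpenImportConnectionRunStep, $Credential) and its GetImportEntriesResults return object, uses a constructed in-memory profile list in place of the real SPO query, and assumes each source record exposes a last-modified time.

```powershell
# Added illustrative import script for the Microsoft PowerShell Connector (not the author's or Microsoft's code).
$server = $ConfigParameters["Server"].Value   # "Server" from the Connectivity tab
# $Credential is built by the connector from the User/Password fields, so no password is needed in the script.

# Delta run? The watermark from the previous run comes back in CustomData (empty on a full run or the first delta).
$isDelta   = $OpenImportConnectionRunStep.ImportType -eq [Microsoft.MetadirectoryServices.OperationType]::Delta
$watermark = if ($isDelta -and $OpenImportConnectionRunStep.CustomData) {
                 [DateTime]::Parse($OpenImportConnectionRunStep.CustomData,
                                   [Globalization.CultureInfo]::InvariantCulture).ToUniversalTime()
             } else { [DateTime]::MinValue }

# Constructed sample standing in for the profile query against $server; assumes each record has a Modified time.
$profiles = @(
    @{ AccountName = "i:0#.f|membership|alice@tenant.onmicrosoft.com"; Title = "Engineer"; Modified = [DateTime]"2016-05-01T08:00:00Z" },
    @{ AccountName = "i:0#.f|membership|bob@tenant.onmicrosoft.com";   Title = "Analyst";  Modified = [DateTime]"2016-05-03T09:30:00Z" }
)

$csentries    = New-Object "System.Collections.Generic.List[Microsoft.MetadirectoryServices.CSEntryChange]"
$newWatermark = $watermark
foreach ($p in $profiles) {
    $modified = $p.Modified.ToUniversalTime()
    if ($isDelta -and $modified -le $watermark) { continue }   # unchanged since the last run: skip it

    $csentry = [Microsoft.MetadirectoryServices.CSEntryChange]::Create()
    $csentry.ObjectType = "user"
    # Full import: present each object as Add. Delta: Replace hands the sync engine the whole current object.
    $csentry.ObjectModificationType = if ($isDelta) { "Replace" } else { "Add" }
    $csentry.AttributeChanges.Add([Microsoft.MetadirectoryServices.AttributeChange]::CreateAttributeAdd("AccountName", $p.AccountName))
    $csentry.AttributeChanges.Add([Microsoft.MetadirectoryServices.AttributeChange]::CreateAttributeAdd("Title", $p.Title))
    $csentries.Add($csentry)

    if ($modified -gt $newWatermark) { $newWatermark = $modified }
}

$importResults = New-Object -TypeName Microsoft.MetadirectoryServices.GetImportEntriesResults
$importResults.CSEntries    = $csentries
$importResults.MoreToImport = $false
# Stored by the sync engine with the run step and handed back as CustomData on the next delta run.
$importResults.CustomData   = $newWatermark.ToString("o")
$importResults
```

Delta Import must also be enabled on the Capabilities tab for the engine to offer a delta run step at all; without a reliable modified timestamp in the source, a full import on a schedule is the safer choice.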

  4. Good day and happy new year!

    Great article of yours! It helped me a lot to start configuring my own PSMA 🙂

    I have a question. Could I create a global parameter named, for example, URI in “Additional Config Parameter Names” and then add the link “http://exchange.customer.com.au/powershell” as an input of the parameter on the next page, “Global Parameters”? If yes, how could we call this parameter inside our script? I’ve tried a couple of things suggested in the “Additional Parameters” paragraph of the Microsoft Technical Reference (https://docs.microsoft.com/sv-se/azure/active-directory/active-directory-aadconnectsync-connector-powershell) but so far nothing has worked.

    I was asked to test whether the import script can be flexibly adapted for any exchange uri, without having to search every time the connectionuri inside the code in case one desires to change it.

    Thank you.

    Kind regards,
    Stefania

    • I have found out that I wasn’t using the right quotes in the client’s development environment in calling the $ConfigParameters[“URI_Global”].Value. I am totally not an Azerty Person 😀
