I’ve been working on a project where I must have visibility of a large number of Azure AD Groups into Microsoft Identity Manager.

In order to make this efficient I need to use the Differential Query function of the AzureAD Graph API. I’ve detailed that before in this post How to create an AzureAD Microsoft Identity Manager Management Agent using the MS GraphAPI and Differential Queries. Due to the number of groups and the number of members in the Azure AD Groups I needed to implement Paged Imports on my favourite PowerShell Management Agent (Granfeldt PowerShell MA). I’ve previously detailed that before too here How to configure Paged Imports on the Granfeldt FIM/MIM PowerShell Management Agent.

This post details using these concepts together specifically for AzureAD Groups.


Read the two posts linked to above. They will detail Differential Queries and Paged Imports. My solution also utilises another of my favourite PowerShell Modules. The Lithnet MIIS Automation PowerShell Module. Download and install that on the MIM Sync Server where you be creating the MA.


Now that you’re up to speed, all you need to do is create your Granfeldt PowerShell Management Agent. That’s also covered in the post linked above  How to create an AzureAD Microsoft Identity Manager Management Agent using the MS GraphAPI and Differential Queries.

What you need is the Schema and Import PowerShell Scripts. Here they are.


Two object classes on the MA as we need to have users that are members of the groups on the same MA as membership is a reference attribute. When you bring through the Groups into the MetaVerse and assuming you have an Azure AD Users MA using the same anchor attribute then you’ll get the reference link for the members and their full object details.


Here is my PSMA Import.ps1 that performs what is described in the overview. Enumerate AzureAD for Groups, import the active ones along with group membership.


This is one solution for managing a large number of Azure AD Groups with large memberships via a PS MA with paged imports showing progress thanks to differential sync which then allows for subsequent quick delta-sync run profiles.

I’m sure this will help someone else. Enjoy.

Follow Darren on Twitter @darrenjrobinson

FIM, Identity and Access Management, PowerShell
, , , ,

Join the conversation! 3 Comments

  1. Dear Darren,
    I am really impressed with the things you are going in FIM/MIM using PowerShell!
    As the expert in this area, do you know if it is possible to provision O365 groups or DLs directly to Azure using custom FIM and the PowerShell MA? Something like this:
    1. Users and distribution groups flow from SQL Server to FIM 2010
    2. FIM 2010 provisiones users and dynamic groups to the on prem AD using AD MA
    3. AD Forest is synchronized to Azure AD using Azure AD Connect, there is also ADFS SSO
    4. Is it possible to add Microsoft powershell MA or Grandfelt powershell MA to the FIM 2010, to provision groups directly to Azure AD (groups only, users still provisioned to on prem AD)?
    Diagram reference:

    • Hi Svetlana. Absolutely. The EXO DL’s need to be provisioned against EXO using Remote PowerShell. This post details managing Mailboxes in a Hybrid environment, but a few changes for Groups/DL’s as the Object Class in the Schema and in the Export Script to create the DL using New-DistributionGroup , Add members with Add-DistributionGroupMember and remove with Remove-DistributionGroupMember and you’ll be on the right track.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: