Introduction
The Microsoft Identity Manager Synchronisation Engine has been around for close to 20 years and is highly functional and very reliable.
The Achilles heal though for any IDAM Sync Engine will always be an authoritative source and the information it provides to the Sync Engine.
I’m seeing more and more SaaS services being used as the Authoritative Source for identity management systems. Think Success Factors and Workday. Connecting across the internet to these and the rate of change within organisations means the amount of change data I’m seeing as well as the common human factor of changes en-mass means it is even more important to validate your import feeds before processing through your Sync Engines business logic.
Overview
This post details the foundation of a little logic that will call an Import from the Authoritative Source and analyse what is returned, evaluate it against the previous Import to understand the number of objects expected and determine if it is within an acceptable tolerance (I’m using 1% changes of total managed objects). If it doesn’t checkout, don’t run a Sync and send an email to someone to check it out and make a rational human decision (and maybe a manual sync). If the Import is valid then run the Sync.
Simply put;
- Query the Authoritative Management Agent and get the last Import Run
- set variables for the total number of objects processed; Adds, Renames, Updates and Deletes (and Total)
- Run an Import cycle only
- set variables for the total number of objects processed; Adds, Renames, Updates and Deletes (and Total)
- Evaluate each of the Staging Adds, Renames, Updates and Deletes and see if the number of changes is less that the tolerance (1%)
- if yes proceed with a Sync Run
- if no send a notification and don’t run the Sync
Enhancements
This will need to be tailored for each environment. What is normal for the number of changes expected in your environment? You may see a lot of Updates and the global 1% tolerance I have here doesn’t work for that. So you may want a tolerance per Adds, Renames, Updates and Deletes.
Implementation
Where I’ve used this, I’ve saved the PowerShell script below into the same directory as the other scripts that automate the MIM Sync Run Sequence. I’ve updated the previous automation script and removed the Authoritative Delta Import / Delta Sync, Full Import / Delta Sync etc and called this Auth Fuse Script instead.
The Script
As always this uses the awesome LithnetMIISAutomation PowerShell Module from Ryan. Update;
- lines 5-11 for your Auth Source.
- lines 20-24 for SMTP Server and Notification settings
- $smtpBody lines for what you want the notification emails to say
Summary
A simple piece of logic to check and validate your imports can save hours/days of work.
If your Auth Source doesn’t provide a full dataset and you haven’t checked your import before processing you could be deleting a LOT of accounts.
If HR changed the Org Structure and didn’t inform you or take into account IDAM Business Logic you could be about to process a lot of AD Account Moves. If it involved redundancies and they haven’t informed anyone yet, you could be exposing that information to an entire organisation. CHECK AND VALIDATE YOUR AUTHORITATIVE SOURCE IMPORTS !!