Consuming CSV files from an Exchange Mailbox via Exchange Web Services and FIM/MIM 2016 using the Granfeldt PowerShell MA

30th of March, 2016 / Darren Robinson / No Comments

This solution on first look is quite random. A management agent that consumes a flat file (comma separated file) isn’t ground breaking, but when the twist is that the CSV file is in an email in an Exchange Inbox, it’s quite a different scenario.

Background

My customer uses a Cloud Service for their recruitment processes. The cloud service does have a SOAP API that I could potentially develop a FIM/MIM solution for using the Microsoft Web Services Management Agent, however my customer does not have API access to their tenant, the vendor isn’t overly responsive and I need a solution in days not weeks.… [Keep reading] “Consuming CSV files from an Exchange Mailbox via Exchange Web Services and FIM/MIM 2016 using the Granfeldt PowerShell MA”

Managing SharePoint Online (SPO) User Profiles with FIM/MIM 2016 and the Granfeldt PowerShell MA

22nd of March, 2016 / Darren Robinson / 5 Comments

Forefront / Microsoft Identity Manager does not come with an out-of-the-box management agent for managing SharePoint Online.

Whilst the DirSync/AADConnect solution will allow you to synchronise attributes from your On Premise Active Directory to AzureAD, SharePoint only leverages a handful of them. It then has its own set of attributes that it leverages. Many are similarly named to the standard Azure AD attributes but with the SPS- prefix.

For example, here is a list of SPO attributes and a couple of references to associated Azure AD attributes;

UserProfile_GUID
SID
SPS-PhoneticFirstName
SPS-PhoneticLastName
SPS-PhoneticDisplayName
SPS-JobTitle
SPS-Department
AboutMe
PersonalSpace
PictureURL
UserName
QuickLinks
WebSite
PublicSiteRedirect
SPS-Dotted-line
SPS-Peers
SPS-Responsibility
SPS-SipAddress
SPS-MySiteUpgrade
SPS-ProxyAddresses
SPS-HireDate
SPS-DisplayOrder
SPS-ClaimID
SPS-ClaimProviderID
SPS-ClaimProviderType
SPS-SavedAccountName
SPS-SavedSID
SPS-ResourceSID
SPS-ResourceAccountName
SPS-ObjectExists
SPS-MasterAccountName
SPS-PersonalSiteCapabilities
SPS-UserPrincipalName
SPS-O15FirstRunExperience
SPS-PersonalSiteInstantiationState
SPS-PersonalSiteFirstCreationTime
SPS-PersonalSiteLastCreationTime
SPS-PersonalSiteNumberOfRetries
SPS-PersonalSiteFirstCreationError
SPS-DistinguishedName
SPS-SourceObjectDN
SPS-FeedIdentifier
SPS-Location
Certifications
SPS-Skills
SPS-PastProjects
SPS-School
SPS-Birthday
SPS-Interests
SPS-StatusNotes
SPS-HashTags
SPS-PictureTimestamp
SPS-PicturePlaceholderState
SPS-PrivacyPeople
SPS-PrivacyActivity
SPS-PictureExchangeSyncState
SPS-TimeZone
SPS-EmailOptin
OfficeGraphEnabled
SPS-UserType
SPS-HideFromAddressLists
SPS-RecipientTypeDetails
DelveFlags
msOnline-ObjectId
SPS-PointPublishingUrl
SPS-TenantInstanceId

My customer has AADConnect in place that is synchronising their On Premise AD to Office 365.… [Keep reading] “Managing SharePoint Online (SPO) User Profiles with FIM/MIM 2016 and the Granfeldt PowerShell MA”

HRESULT: 0x8023063D when attempting to run multiple Sync Run Profiles in MIM/FIM after applying rollup build 4.3.2124.0

15th of March, 2016 / Darren Robinson / 6 Comments

A new hotfix rollup was released on the 11^th of March Microsoft Identity Manager contains a number of fixes and some new functionality.

It appears that it also contains a new bug. Information about this came to my attention from Ryan Newington

The bug kicks in if you’re trying to run sync sequences on multiple MA’s simultaneously. It throws the error; “Unable to run the management agent.” Exception from HRESULT: 0x8023063D

The screenshot below shows the error when attempting to run a Full Synchronization on an MA when another MA is already running a Full Synchronization.… [Keep reading] “HRESULT: 0x8023063D when attempting to run multiple Sync Run Profiles in MIM/FIM after applying rollup build 4.3.2124.0”

Creating Microsoft Identity Manger (MIM) Run Profiles using PowerShell (post MIM rollup build 4.3.2124.0)

15th of March, 2016 / Darren Robinson / 2 Comments

A new hotfix rollup was released on the 11^th of March for Microsoft Identity Manager that contains a number of fixes and some new functionality.

One new feature according to the release notes is a new cmdlet Add-MIISADMARunProfileStep

This cmdlet allows the creation of MIM Synchronisation Management Agent Run Profiles using PowerShell.

From the MS Documentation

Add-MIISADMARunProfileStep -MAName ‘AD_MA’ -Partition ‘DC=CONTOSO,DC=COM’ -StepType ‘FI’ -ProfileName ‘ADMA_FULLIMPORT’

Possible values of the StepType parameter (short form or long one can be used):
“FI”, “FULL IMPORT”
“FS”, “FULL SYNCHRONIZATION”
“FIFS”, “FULL IMPORT AND FULL SYNCHRONIZATION”
“FIDS”, “FULL IMPORT AND DELTA SYNCHRONIZATION”
“DI”, “DELTA IMPORT”
“DS”, “DELTA SYNCHRONIZATION”
“DIDS”, “DELTA IMPORT AND DELTA SYNCHRONIZATION”
“EXP”,”EXPORT”

The neat feature of this cmdlet is that it will create the Run Profile if it doesn’t exist.… [Keep reading] “Creating Microsoft Identity Manger (MIM) Run Profiles using PowerShell (post MIM rollup build 4.3.2124.0)”

Dynamic Active Directory User Provisioning placement (OU) using the Granfeldt Powershell Management Agent

3rd of February, 2016 / Darren Robinson / No Comments

When using Forefront / Microsoft Identity Manager for provisioning users into Active Directory, determining which organisational unit (OU) to place the user in varies from customer to customer. Some AD OU structures are flat, others hierarchical based on business, departmental, functional role or geography. Basically every implementation I’ve done has been different.

That said the most recent implementation I’ve done is for an organisation that is growing and as such the existing structure is in flux and based on differing logic depending on who you talk to.… [Keep reading] “Dynamic Active Directory User Provisioning placement (OU) using the Granfeldt Powershell Management Agent”

Managing AD Terminal Services Configuration with FIM / MIM using the Granfeldt PowerShell Management Agent

2nd of February, 2016 / Darren Robinson / No Comments

Forefront / Microsoft Identity Manager contains numerous Management Agents (MA’s) out of the box. However an MA for managing AD Terminal Services user configuration isn’t one of them. And at first pass you’d think you could just manipulate a few attributes in AD on an AD MA like you do for home directories (aside from creating the file and permissions on the filesystem) and you’d be done. Don’t worry, I made that wrong assumption too.

Overview

In this blog post I’ll document how you can enable Active Directory users with the necessary attributes and file system elements utilising Søren Granfeldt’s extremely versatile PowerShell Management Agent.… [Keep reading] “Managing AD Terminal Services Configuration with FIM / MIM using the Granfeldt PowerShell Management Agent”

Provisioning Home Directories for Active Directory Users with FIM / MIM using the Granfeldt PowerShell Management Agent

29th of January, 2016 / Darren Robinson / 1 Comment

Forefront / Microsoft Identity Manager contains numerous Management Agents (MA’s) out of the box. However an MA for creating user home directories and setting the associated permissions isn’t one of them.

Over the years I’ve accomplished home directory provisioning and permissioning in Active Directory / Windows File Services and Novell eDirectory / Novell File Services using methods that aren’t strictly best practice / supported (e.g. calling native libraries from within a Management Agent Extension to create/manage/delete etc).… [Keep reading] “Provisioning Home Directories for Active Directory Users with FIM / MIM using the Granfeldt PowerShell Management Agent”

Provisioning Users for Lync / Skype for Business with FIM / MIM using the Granfeldt PowerShell Management Agent

28th of January, 2016 / Darren Robinson / No Comments

Forefront / Microsoft Identity Manager contains numerous Management Agents (MA’s) out of the box. However, a MA for Lync / Skype for Business isn’t one of them.

Over the years I’ve accomplished lifecycle management for users in Lync via FIM using methods that aren’t strictly best practice / supported (e.g. calling PowerShell from within a Management Agent Extension to enable/disable/manage policies). Whilst this functionally works the ability for end customers to maintain the implementation for changes is limited.… [Keep reading] “Provisioning Users for Lync / Skype for Business with FIM / MIM using the Granfeldt PowerShell Management Agent”

Provision Users for Exchange with FIM/MIM 2016 using the Granfeldt PowerShell MA, avoiding the AD MA (no-start-ma) error

27th of January, 2016 / Darren Robinson / 6 Comments

Forefront / Microsoft Identity Manager provides Exchange Mailbox provisioning out of the box on the Active Directory Management Agent. I’ve used it in many many implementations over the years. However, in my first MIM 2016 implementation in late 2015 I ran into issues with something I’d done successfully many times before.

I was getting “no-start-ma” on the AD MA on export to AD. The point at which the MA sets up its connection to the Exchange environment.… [Keep reading] “Provision Users for Exchange with FIM/MIM 2016 using the Granfeldt PowerShell MA, avoiding the AD MA (no-start-ma) error”

MIM and Privileged Access Management

26th of November, 2014 / Mark Southwell / 2 Comments

Recently Microsoft released Microsoft Identity Manager 2015 (MIM) Customer Technology Preview (CTP). Those expecting a major revision of the FIM product should brace themselves for disappointment. The MIM CTP is more like a service release of FIM. MIM CTP V4.3.1484.0 maintains the existing architecture of the FIM Portal (still integrated with SharePoint), FIM Service, and the FIM Synchronisation Service. Also maintained are the separate FIM Service and FIM Sync databases. Installation of the CTP is almost identical to FIM 2010 R2 SP1, including the same woes with SharePoint 2013 configuration.… [Keep reading] “MIM and Privileged Access Management”