A RACF Management Agent for Microsoft Identity Manager? Isn’t there one in the box? No. Host Integration Management Agents were deprecated when Microsoft released Forefront Identity Manager as the successor to Identity Lifecycle Manager (ILM). I understand this was partly due to lack of demand for the integration and the reliance on Host Integration Server (HIS), along with the move in operating system support from 32-bit (in ILM) to 64-bit (in FIM). With ILM integration with Host Systems via HIS you were required to map out the key sequences anyway.
But it’s 2019 and ILM was released in 2007 and FIM in 2010. Why are you posting about a RACF Management Agent? A rudimentary use case would be;
I’m not going to promote this integration as gold-standard or even best practice. With the preface above, and the title even stating “rudimentary”, here is a solution that also fits the title of my blog site, “Bespoke Identity and Access Management Solutions”.
Disclaimers now aside, my Rudimentary Microsoft Identity Manager Management Agent for RACF;
If you haven’t used the Granfeldt PowerShell Management Agent before then start here. This post will only detail the Schema and Import Scripts to get you visibility of users in RACF and allow a Join to a Metaverse Hologram. The process to do that can be expanded on if you wanted to implement exports to RACF (e.g. for Account Disablement, Account Creation or Deletion) or Password Sync.
The schema script below sets up an Object Class for the MA named racfUser with a single attribute named racfID which is the UserID from RACF. You can rename it if required.
The Import Script below uses the x3270 Client as detailed in this post, with PowerShell to orchestrate it. It issues the SEARCH CLASS(USER) command to list all accounts, then parses the x3270 Tracefile to extract them. This is a rudimentary method (that works), but you may instead want to run a job on the RACF Host and then transfer a file out, also using the x3270 HTTPD method, and process it that way. Up to you.
The script provides Paged Imports. That needs to be enabled on the PowerShell Management Agent. The script then uses the Run Profile Page Size to process the users through the MA. The Username and Password for the account used to connect to RACF are passed in from the PowerShell MA configuration. Only Full Sync is supported, no Delta Syncs here.
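To illustrate the shape of the import side, here is an added example of a Granfeldt PSMA import script for this use case. It is not the script from this post: it follows the Granfeldt paged-import convention ($global:PageToken / $global:MoreToImport), assumes the x3270 trace has already been reduced to plain screen-text lines, and substitutes constructed screen lines for the real trace so it can be read stand-alone.

```powershell
# Import.ps1 (Granfeldt PSMA import script; paged Full Import only). Added example, not the post's own script.
param ($Username, $Password, $Credentials, $OperationType, [bool]$UsePagedImport, $PageSize)

# RACF user IDs are 1-8 characters from A-Z, 0-9, @, #, $ and cannot start with a digit.
$racfIdPattern = '^[A-Z@#$][A-Z0-9@#$]{0,7}$'
# TSO words that also satisfy the pattern and must not be treated as user IDs.
$tsoNoise = @('READY', 'SEARCH', 'END')

function Get-RacfUserIdsFromScreen {
    param ([string[]]$ScreenLines)
    $ScreenLines | ForEach-Object { $_.Trim().ToUpper() } |
        Where-Object { $_ -match $racfIdPattern -and $tsoNoise -notcontains $_ } |
        Select-Object -Unique
}

if ($OperationType -ne 'Full') { throw 'Only Full Import is supported by this script.' }

if ($null -eq $global:PageToken) {
    # First page: this is where x3270 would be driven with $Username/$Password to run
    # SEARCH CLASS(USER) and its trace read back (assumed; see the x3270 post linked above).
    # Constructed screen text stands in for the real trace here.
    $screenLines = @('SEARCH CLASS(USER)', 'IBMUSER', 'DRMSVC', 'JSMITH01', 'READY')
    $global:racfUsers = @(Get-RacfUserIdsFromScreen -ScreenLines $screenLines)
    $global:PageToken = 0
}

# Serve one Run Profile page from the cached list (whole list if paging is off).
$batch = if ($UsePagedImport -and $PageSize) { [int]$PageSize } else { $global:racfUsers.Count }
$end   = [Math]::Min($global:PageToken + $batch, $global:racfUsers.Count)
for ($i = $global:PageToken; $i -lt $end; $i++) {
    @{ '[DN]' = $global:racfUsers[$i]; 'objectClass' = 'racfUser'; 'racfID' = $global:racfUsers[$i] }
}

# Tell the MA whether to call again, and clear the token once the last page is out
# so stale state cannot leak into the next run.
$global:PageToken    = $end
$global:MoreToImport = $end -lt $global:racfUsers.Count
if (-not $global:MoreToImport) { $global:PageToken = $null }
```

The schema script pairs with this by declaring `Anchor-racfID|String` and `objectClass|String` = racfUser, so each emitted hashtable joins on racfID.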
If you made it this far, oh dear. But hopefully it has given you hope of an approach that can be used to get a rudimentary level of integration of RACF with Microsoft Identity Manager quickly. And good luck.