This post feels a lot like I got in a time machine and went back in time. Historically I’ve designed, built and deployed a lot of custom Forefront / Microsoft Identity Manager Management Agents, a lot of them using the Granfeldt PowerShell Management Agent thanks to its flexibility and usability. Over the last few years Microsoft have been enhancing the Entra ID Provisioning Service for Application and HR provisioning capabilities. Specifically, the addition of the Microsoft Entra ECMA Connector Host allows specific connectors from a Microsoft Identity Manager Synchronization Service (MIM Sync) installation to be integrated with the Entra ID Provisioning Service. The diagram below shows an example of the integration components.

Microsoft outline the key intent as being able to take a custom connector using the ECMA2 framework from a FIM/MIM environment and integrate it with Entra ID Provisioning. This allows you to maintain the investment in your custom connector for your line of business on-premises applications. The Microsoft documentation is a good start but is very generic. What if you wanted to repurpose (or even create a new) connector integrated with Entra ID On-Premises application provisioning using the Granfeldt PowerShell Management Agent? This post will show you how.
Installation Overview
There are a number of steps involved. The high-level process is:
- Create Entra ECMA Application Registration
- Install the ECMA Provisioning Agent
- Configure the ECMA Provisioning Agent with a Granfeldt PowerShell (ECMA2) Management Agent
- Configure Entra ECMA Application Provisioning
Technical Skills required
To be successful doing this style of integration you will need to:
- be experienced with Microsoft FIM/MIM
- previously used and built management agents with the Granfeldt PSMA
- have used and understand the Entra ID Provisioning Service
- know how you will implement your requirements to connect your application using the Entra ID Provisioning Service and Expression Builder, because on the Entra ID side you won’t have the ability to create a Provisioning Extension or Deprovisioning Extension. You will need to do it with Source Object Scopes and Attribute Mappings.
Connector Host Prerequisites
If you are deploying the connector host into a managed environment, you should well and truly meet the minimum requirements. Resurrecting the Microsoft Identity Manager lab I’ve had for 10 years meant I didn’t. The host that will run the ECMA2 provisioning connector agent must:
- be running Windows Server 2016 or later
- have .NET 4.7.1 or higher
- have connectivity to Entra ID. Network requirements are detailed here
- have connectivity to your on-premises application
- have enough resources (processor, memory, network etc) for the number of objects your PSMA will be managing
Create an Entra ECMA Application Registration
In the Azure Portal under Entra ID and Enterprise Applications add a new application. Search for the On-premises ECMA application, give it a name and select create.
Once created select Automatic as the Provisioning Mode and then download the ECMA2 Provisioning Agent.
Install the ECMA Provisioning Agent
On the host on-premises that will host your custom connector and connect to Entra ID copy the agent you downloaded above and start the installation of it.
Provide an account that is a Global Admin or Hybrid Application Administrator to link your connector host agent to your Entra ID Tenant.
Confirm the installation
Complete the installation.
Install the Granfeldt PSMA on the Connector Host
Get the latest version of the Granfeldt PowerShell Management Agent downloaded as a zip file onto the Connector Host.
Uncompress the zip file and copy the Granfeldt.PowerShell.ManagementAgent.dll and Granfeldt.PowerShell.ManagementAgent.xml to the C:\Program Files\Microsoft ECMA2Host\Service\ECMA directory.
Next ensure you select (individually) both files => Properties => Unblock.
If you don’t do this, you will likely get the following ERROR when the ECMA2 host tries to load the assembly:
An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous. If this load is not intended to sandbox the assembly, please enable the loadFromRemoteSources switch. See http://go.microsoft.com/fwlink/?LinkId=155569 for more information
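The copy and unblock steps above can be scripted, which also gives you a way to verify that the Mark-of-the-Web (the Zone.Identifier alternate data stream that triggers the loadFromRemoteSources error) is really gone before you run the config wizard. This is an added example, not part of the original post or the Granfeldt project; the zip location in $ZipPath is an assumption, the ECMA directory is the one used above.

```powershell
# Added example: stage the Granfeldt PSMA files on the ECMA2 connector host and
# clear the Mark-of-the-Web so the ECMA2Host service can load the assembly.
# $ZipPath is an assumption for this example (wherever you saved the download).
$ZipPath = "$env:USERPROFILE\Downloads\Granfeldt.PowerShell.ManagementAgent.zip"
$Staging = Join-Path $env:TEMP 'GranfeldtPSMA'
$EcmaDir = 'C:\Program Files\Microsoft ECMA2Host\Service\ECMA'
$Files   = 'Granfeldt.PowerShell.ManagementAgent.dll',
           'Granfeldt.PowerShell.ManagementAgent.xml'

Expand-Archive -Path $ZipPath -DestinationPath $Staging -Force

foreach ($name in $Files) {
    $src = Get-ChildItem -Path $Staging -Recurse -Filter $name | Select-Object -First 1
    if (-not $src) { throw "$name not found in $ZipPath" }

    $dst = Join-Path $EcmaDir $name
    Copy-Item -Path $src.FullName -Destination $dst -Force

    # Unblock-File removes the Zone.Identifier stream that Windows attaches to
    # files downloaded from the internet. Without this the .NET CAS check in the
    # error message above refuses to load the DLL.
    Unblock-File -Path $dst
}

# Verify: a file that is still blocked retains the Zone.Identifier stream.
foreach ($name in $Files) {
    $dst  = Join-Path $EcmaDir $name
    $zone = Get-Item -Path $dst -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        Write-Warning "$name is still blocked; the ECMA2Host service will not load it"
    } else {
        Write-Host "$name staged and unblocked in $EcmaDir"
    }
}
```

Run it in an elevated PowerShell session, since the ECMA directory lives under Program Files. The verification loop is the part worth keeping around: if someone later re-copies the files from a share, the warning tells you why the service stopped loading the connector before you go hunting through the event log.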
Configure the ECMA2 Connector Agent
Run the Microsoft ECMA2Host Config Wizard.
Select Generate certificate
You can look at the details of the self-signed certificate generated and save it.
Select Yes to restart the service for the changes to take effect.
Create a Granfeldt PSMA on the Connector Host
At this point if you have an export of a Granfeldt PSMA from a FIM/MIM installation you could import that and step through the configuration of it similar to what you would do importing an exported management agent using the MIM Sync Service Manager.
In the example below I’m going to create a new Granfeldt PSMA.
Select New Connector
Provide the properties for your Management Agent. A nice way to generate the Secret Token is to use PowerShell and the New-Guid cmdlet to generate a GUID. The Secret Token will be used to configure the Entra ID ECMA2 On-Premises Application Registration created earlier so that the two components can authenticate to each other.
Choose the Granfeldt.PowerShell.ManagementAgent.dll for the Extension DLL. This is picking it up from the folder you put it in earlier. The C:\Program Files\Microsoft ECMA2Host\Service\ECMA directory.
Drop your schema.ps1, import.ps1, export.ps1 and password.ps1 files into the directory that will have been created under C:\Program Files\Microsoft ECMA2Host\Service\ECMA\MAData\YourMA based on the name you gave it in the previous configuration screen.
Now it is simply a case of providing the configuration details for your PSMA: use the full path for each of your PSMA scripts, and provide the account details that will be passed to your Import.ps1 and Export.ps1 scripts.
Object Types is based off your schema.ps1 configuration file.
Here is an example of mine for this demo that allows me to use objectGuid as the Anchor and distinguishedName as my DN value.
# schema.ps1: one object per object type, one NoteProperty per attribute.
# The property name is "attributeName|type"; prefixing "Anchor-" marks the anchor.
$obj = New-Object -Type PSCustomObject
$obj | Add-Member -Type NoteProperty -Name "Anchor-objectGuid|String" -Value "00000000-0000-0000-0000-000000000001"
$obj | Add-Member -Type NoteProperty -Name "objectClass|String" -Value "user"
$obj | Add-Member -Type NoteProperty -Name "distinguishedName|String" -Value "cn=first last,OU=employees,DC=customer,DC=com,DC=au"
$obj | Add-Member -Type NoteProperty -Name "userPrincipalName|String" -Value "user@customer.com"
# Output the object so the PSMA can read the schema from it
$obj
Attributes will also be from your configuration in your schema.ps1 and then finally your deprovisioning options.
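To show what the import.ps1 and export.ps1 that go with that schema look like, here is a minimal pair that uses a CSV file as a stand-in for the line of business application. This is an added example, not code from the original post or from the Granfeldt project. The parameter lists, the "[DN]" key on imported objects and the "[ObjectModificationType]" key on exported objects follow the Granfeldt PSMA script conventions as I know them; the CSV path (under the MAData\GranfeldtPSMA folder named above), its column names and the choice to key rows on distinguishedName are assumptions for this example. In a real deployment the two parts are two separate files.

```powershell
# ---- import.ps1 (Granfeldt PSMA import script) ----
# The PSMA passes these parameters; the names follow the Granfeldt conventions.
param (
    $Username,
    $Password,
    $OperationType,          # "Full" or "Delta"
    [bool] $UsePagedImport,
    $PageSize
)

# Assumption for this example: the application exposes its users as a CSV with
# objectGuid, distinguishedName and userPrincipalName columns.
$StorePath = 'C:\Program Files\Microsoft ECMA2Host\Service\ECMA\MAData\GranfeldtPSMA\users.csv'

if (-not (Test-Path $StorePath)) {
    # Nothing provisioned yet: return no objects rather than failing the run.
    return
}

Import-Csv -Path $StorePath | ForEach-Object {
    # Each hashtable emitted is one connector space object. "[DN]" and
    # "objectClass" are required; objectGuid is the anchor from schema.ps1.
    $obj = @{}
    $obj.Add('objectClass',       'user')
    $obj.Add('[DN]',              $_.distinguishedName)
    $obj.Add('objectGuid',        $_.objectGuid)
    $obj.Add('distinguishedName', $_.distinguishedName)
    $obj.Add('userPrincipalName', $_.userPrincipalName)
    $obj
}

# ---- export.ps1 (Granfeldt PSMA export script) ----
param (
    $Username,
    $Password
)

BEGIN {
    $StorePath = 'C:\Program Files\Microsoft ECMA2Host\Service\ECMA\MAData\GranfeldtPSMA\users.csv'
    # Load the current store keyed by DN so Replace and Delete can find their row.
    $rows = @{}
    if (Test-Path $StorePath) {
        Import-Csv -Path $StorePath | ForEach-Object { $rows[$_.distinguishedName] = $_ }
    }
}

PROCESS {
    # $_ is one pending export. The PSMA sets the bracketed keys; the plain
    # keys are the attributes flowed from Entra ID via the Attribute Mappings.
    $dn = $_.'[DN]'
    switch ($_.'[ObjectModificationType]') {
        'Add' {
            # The application owns the anchor, so a new objectGuid is minted here
            # and picked up by the next import.
            $rows[$dn] = [pscustomobject]@{
                objectGuid        = [guid]::NewGuid().ToString()
                distinguishedName = $dn
                userPrincipalName = $_.userPrincipalName
            }
        }
        'Replace' {
            if ($rows.ContainsKey($dn)) {
                $rows[$dn].userPrincipalName = $_.userPrincipalName
            } else {
                Write-Warning "Replace for unknown object $dn"
            }
        }
        'Delete' {
            [void] $rows.Remove($dn)
        }
    }
}

END {
    if ($rows.Count -gt 0) {
        $rows.Values | Export-Csv -Path $StorePath -NoTypeInformation
    } else {
        # Keep the header so the next import still finds a well-formed file.
        Set-Content -Path $StorePath -Value '"objectGuid","distinguishedName","userPrincipalName"'
    }
}
```

The point of the pairing is that the anchor (objectGuid) is generated by the application side on Add and only ever read on import, while the DN is the value the Provisioning Service controls through Attribute Mappings. Whatever you use in place of the CSV, keep that division: a Replace or Delete that cannot find its target should log and move on rather than silently creating a duplicate.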
You now have your Granfeldt PowerShell Management Agent created on the Connector Agent Host.
Similar to the Microsoft Identity Manager Synchronisation Service you can go back and edit the Management Agent configuration.
Complete the configuration of the Entra ID Application Registration
Back in the Entra ID Enterprise Application registration for the On-Premises ECMA2 Application you can complete the configuration.
Under the Admin Credentials enter the following:
- Tenant URL is relative to the ECMA Provisioning Agent that you have configured. The default port is 8585. In my example I created an MA on the ECMA Connector host named GranfeldtPSMA, so use that verbatim in the URI as shown below. https://localhost:8585/ecma2host_<yourManagementAgentName>/scim
- For the Secret Token enter the secret you configured on the ECMA Agent Host when configuring it earlier. If you followed my guide that will be the GUID you generated. Test Connection to ensure you have everything configured correctly.
- Select Save.
ECMA2 Provisioning Settings
Under Mappings is where you configure which attributes, and any attribute transformations, flow from Entra ID to your PSMA Management Agent. Obviously, this is completely dependent on what your application is, what it needs, how you have configured your associated Import and Export scripts, and whether you are sending through Create, Update and/or Delete events.
Matching precedence is your ordered join rules equivalent.
Event Logging
Logs for the ECMA2 Connector Host and the PSMA are on the connector host under Event Viewer => Applications and Services Logs => ECMA2Host.
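When a Test Connection from the portal fails, the first things to check on the connector host are whether the ECMA2Host service is running, whether it is listening on port 8585, and what the ECMA2Host log has recorded recently. The following health check is an added example and not part of the original post; it assumes the service display name contains "ECMA2Host" and that the event log is registered under the name shown in Event Viewer above.

```powershell
# Added example: quick health check of the ECMA2 connector host.
# Assumptions: service display name contains 'ECMA2Host'; the event log is
# registered as 'ECMA2Host'; the agent listens on the default port 8585.

# 1. Service state
$svc = Get-Service -DisplayName '*ECMA2Host*' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'No ECMA2Host service found on this host'
} else {
    $svc | Select-Object DisplayName, Status, StartType | Format-Table -AutoSize
}

# 2. Is the agent listening where the Tenant URL points?
$port = 8585
$tnc  = Test-NetConnection -ComputerName 'localhost' -Port $port -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) {
    Write-Host "TCP $port is open on localhost"
} else {
    Write-Warning "Nothing is listening on TCP $port; check the service and the config wizard"
}

# 3. Errors and warnings from the last hour (Level 2 = Error, 3 = Warning)
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'ECMA2Host'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Step 3 only shows the first line of each message to keep the table readable; drop the calculated property to see the full text, which for PSMA script failures includes the PowerShell error from your Import.ps1 or Export.ps1.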
Summary
If you are an experienced FIM/MIM person and have been wondering how to integrate the Granfeldt PSMA with the ECMA2 Connector Host, I hope this helps. There are other items I’m finding that I’m compiling for a potential future post. This was to get you started and up and running quickly.