This page summarizes the posts I’ve made relating to Microsoft / Forefront Identity Manager. Most are posts about troubleshooting installation and configuration, and about bespoke management agents that I’ve developed using the Granfeldt PowerShell Management Agent.
NEW: ChatOps for Microsoft Identity Manager
This post details how to install, configure and use the Lithnet.PoshBot Plugins with Slack or Teams. Your Service Desk/Identity Operators can then query the MIM MetaVerse or MIM Service using the Lithnet IdentityBot from Teams and/or Slack.
ChatOps for Microsoft Identity Manager
Also see ChatOps for Azure Active Directory
Further below on this page you will find working bespoke management agent examples for:
Active Directory, Active Directory Photos, Azure Active Directory, Azure Active Directory Business to Business (B2B), Azure MFA, Exchange, Exchange Online, Dynamics 365 Finance & Operations, Have I Been Pwned, Home Directories, Lotus Notes, Office365, Oracle Internet Directory / LDAP Password Sync, RACF, Sailpoint IdentityNow, SharePoint Online, Skype for Business / Lync, Terminal Services, Twitter, Workday and xMatters.
As I post more I’ll try to keep this page updated. But you can also always use the categories, search and tags. Jump to the bottom of this page for links to posts associated with errors encountered during installation and configuration.
Getting Started with the Granfeldt PowerShell Management Agent
First up, you can get it from GitHub here. Søren’s documentation is pretty good but does assume you have a working knowledge of FIM/MIM, and the posts on this blog are no different. Configuration tasks like adding additional attributes to the User Object Class in the MIM Portal, updating MPRs, flow rules, Workflows, Sets etc. are assumed knowledge and, if not, are easily Bing’able for you to work out.
Three items I had to work out that I’ll save you the pain of are:
- You must have a Password.ps1 file. Even though we’re not doing password management on this MA, the PS MA configuration requires a file for this field. The .ps1 doesn’t need to have any logic/script inside it. It just needs to be present.
- The credentials you give the MA to run the scripts as need to be in the format of just ‘accountname’, NOT ‘domain\accountname’. I’m using the service account that I’ve used for the Active Directory MA. The target system is the same directory service and the account has the permissions required (you’ll need to add the management agent account to the appropriate Exchange role group for user management).
- The path to the scripts in the PS MA Config must not contain spaces and be in old-skool 8.3 format. I’ve chosen to store my scripts in an appropriately named subdirectory under the MIM Extensions directory. Tip: from a command shell use dir /x to get the 8.3 directory format name. Mine looks like C:\PROGRA~1\MICROS~4\2010\SYNCHR~1\EXTENS~2\Exchange
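A pre-flight check for the three items above, as an added example that is not from the original post or from the Granfeldt MA project. The long-form Extensions path and the service account name are assumed placeholders; the script creates a stub Password.ps1 if missing, rejects a domain-qualified run-as account, and derives the 8.3 path the MA configuration needs instead of reading it off dir /x.

```powershell
# Added example: validate a Granfeldt PowerShell MA configuration against the
# three gotchas above. Folder and account name are assumed placeholders.
param(
    [string]$ScriptFolder = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\Exchange',
    [string]$RunAsAccount = 'svc-mim-exchange'
)

$problems = @()

# 1. Password.ps1 must exist even when the MA does no password management.
#    An empty file satisfies the MA, so create one rather than fail.
$passwordScript = Join-Path $ScriptFolder 'Password.ps1'
if (-not (Test-Path $passwordScript)) {
    New-Item -Path $passwordScript -ItemType File -Force | Out-Null
    Write-Warning "Created empty $passwordScript"
}

# 2. The run-as account is the bare 'accountname', not 'domain\accountname'
#    and not a UPN.
if ($RunAsAccount -match '[\\@]') {
    $problems += "Run-as account '$RunAsAccount' must be the bare account name (no domain\ or @domain)."
}

# 3. The script path in the MA config must be the 8.3 short form with no spaces.
#    ShortPath returns the same value 'dir /x' shows for each path component.
$fso = New-Object -ComObject Scripting.FileSystemObject
$shortPath = $fso.GetFolder($ScriptFolder).ShortPath
if ($shortPath -match '\s') {
    # ShortPath keeps the long name when 8.3 name creation is disabled on the
    # volume (check with: fsutil 8dot3name query <drive>); in that case move the
    # scripts to a folder whose full path contains no spaces.
    $problems += "No space-free 8.3 path for '$ScriptFolder' (got '$shortPath')."
}

if ($problems) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1
}
"Use this path in the PS MA configuration: $shortPath"
```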
If you receive HRESULT 0x80230729 creating a new FIM/MIM Management Agent checkout this post.
From version 5.6.3.2022 there are new configuration items for Auxiliary Username and Password and additional configuration options. For more details see the Using the new Granfeldt FIM/MIM PowerShell Management Features post.
For more advanced functions such as logging to the Windows Application Event Log, Differential Sync, Paged Imports and Password Sync see the following examples.
Sending PowerShell Management Agent Events to the Windows Application Event Log
Rather than output logging to a text file, send Informational, Warning and Error events to the Windows Application Event Log.
Sending Granfeldt PowerShell Management Agent Events to the Windows Application Event Log
Differential Sync and Paged Imports
See these two posts on how to configure the Granfeldt PowerShell Management Agent to page the import of data into Microsoft Identity Manager as well as configuring Delta Synchronization for Azure Active Directory.
How to configure Paged Imports on the Granfeldt FIM/MIM PowerShell Management Agent
Multi-Threading Imports
Multi-Threading Granfeldt PowerShell Management Agent Imports with Workday as an example.
Password Sync
See these two posts on how to configure the Granfeldt PowerShell Management Agent to synchronize passwords.
Synchronizing Passwords from Active Directory to the IBM/Lotus Domino Identity Vault using Microsoft Identity Manager – Part 3
Automating Configuration and Documentation Backups
Perform nightly backups of your MIM development environment including the MIM Sync Server, Management Agents, MIM Service, and Management Agents extensions. Nightly generation of the MIM Service and Sync Configuration and generation of a web page with the backups and configuration reports.
Automated Microsoft Identity Manager Configuration Backups & Documentation to Azure
Active Directory
FIM / MIM Synchronising between multiple Active Directory Forests separated by firewalls fails with the error Kerberos-no-logon-server on Active Directory Management Agent Export.
Diagnosing FIM/MIM ‘kerberos-no-logon-server’ error on an Active Directory Management Agent
Dynamic Active Directory User Organisational Unit (OU) placement
Azure Active Directory
See this post on how to configure the Granfeldt PowerShell Management Agent to connect to Azure Active Directory.
This post details building a Granfeldt PowerShell Management Agent to manage Azure AD Groups.
This post details a Granfeldt PowerShell Management Agent for Azure AD Users (partial attribute set) using MIM Paged Imports
How to configure Paged Imports on the Granfeldt FIM/MIM PowerShell Management Agent
Azure Active Directory B2B
See these posts on how to configure the Granfeldt PowerShell Management Agent to connect to Azure Active Directory for managing Azure AD B2B.
Automating Azure AD B2B Guest Invitations using Microsoft Identity Manager
How to use the FIM/MIM Azure Graph Management Agent for B2B Member/Guest Sync between Azure Tenants
Azure MFA
A management agent for Azure MFA to obtain user Azure MFA registration information for use with reporting on who’s registered for Azure MFA and with what methods.
An Azure MFA Management Agent for User MFA Reporting using Microsoft Identity Manager
Azure Active Directory Graph Connector
The Microsoft Azure AD Graph Connector integrates Azure AD with Microsoft Identity Manager. Not performing a sync for 30 days will result in stopped-extensible-extension-error.
Exchange
See these three posts on how to configure the Granfeldt PowerShell Management Agent to connect to Exchange Server.
Configuring Remote PowerShell to a Remote Active Directory Forest for FIM/MIM GalSync
Exchange Online / Office365
See this post on how to configure the Granfeldt PowerShell Management Agent to provision Exchange Online Mailboxes against On Premise Exchange Server.
Provisioning Hybrid Exchange/Exchange Online Mailboxes with Microsoft Identity Manager
Granfeldt PowerShell MA Schema Scripts
See this post on generating the Granfeldt PowerShell Management Agent Schema Definition File script.
Automate the Generation of a Granfeldt PowerShell Management Agent Schema Definition File
Recovering from Granfeldt PowerShell Management Agent Schema HRESULT: 0x80231343 Error
Granfeldt PowerShell Management Agent Schema HRESULT: 0x80231343 Error
Dynamics 365 Finance & Operations
This post shows building an HRM Management Agent for Dynamics 365 Finance & Operations using the Granfeldt PowerShell Management Agent and the Dynamics 365 FO Integrations PowerShell Module.
A Dynamics 365 Finance & Operations Management Agent for Microsoft Identity Manager
Have I been Pwned
See these three posts on how to configure the Granfeldt PowerShell Management Agent to leverage Have I Been Pwned password data.
Identifying Active Directory Users with Pwned Passwords using Microsoft/Forefront Identity Manager
Home Directory (Windows)
See this post on how to configure the Granfeldt PowerShell Management Agent to manage Windows Home Directories.
IBM / Lotus Notes / Domino
Three of these four posts detail how to configure the Granfeldt PowerShell Management Agent to synchronise passwords to the IBM Domino/Notes Password Vault.
Getting the System.NotImplementedException: The method or operation is not implemented error when synchronising passwords to Lotus Notes? Check out this post.
Office365 / Active Directory
See these two posts on how to configure the Granfeldt PowerShell Management Agent to connect to Azure Active Directory for managing Photos and Office365 Licenses.
Office365 Licensing Management Agent for Microsoft Identity Manager
Oracle Internet Directory / LDAP
An example Granfeldt PowerShell Management Agent to connect to Oracle Internet Directory using LDAP.
Microsoft Identity Manager PowerShell Management Agent for Oracle Internet Directory
RACF
A rudimentary RACF Management Agent using the Granfeldt PowerShell Management Agent.
A Rudimentary RACF Management Agent for Microsoft Identity Manager
SailPoint IdentityNow
A management agent for SailPoint IdentityNow Roles.
SailPoint IdentityNow Roles Management Agent for Microsoft Identity Manager
A management agent for Sailpoint IdentityNow Governance Groups.
SailPoint IdentityNow Governance Groups Management Agent for Microsoft Identity Manager
SharePoint Online
See this post on how to configure the Granfeldt PowerShell Management Agent to connect to SharePoint Online for managing SharePoint Online User Profiles.
Managing SharePoint Online (SPO) User Profiles with FIM/MIM 2016 and the Granfeldt PowerShell MA
Skype for Business / Lync
See this post on how to configure the Granfeldt PowerShell Management Agent to provision users to Lync/Skype for Business.
Terminal Services
See this post on how to configure the Granfeldt PowerShell Management Agent to manage User Active Directory Terminal Services Profile configuration.
Twitter
See this post on how to configure the Granfeldt PowerShell Management Agent to connect to Twitter.
A Twitter Management Agent for Microsoft Identity Manager
Workday
See these posts on how to configure the Granfeldt PowerShell Management Agent to connect to Workday HR.
Building a Microsoft Identity Manager PowerShell Management Agent for Workday HR
Multi-Threading Granfeldt PowerShell Management Agent Imports with Workday as an example
xMatters
See this post on how to configure the Granfeldt PowerShell Management Agent to connect to xMatters.
Building a FIM/MIM Management Agent for xMatters
Troubleshooting
This section contains a bunch of posts relating to errors installing and configuring Microsoft Identity Manager.
Microsoft Identity Manager Installation Errors
MIM Sync Server
Error 25009 HResult 0x80131700 when installing Microsoft Identity Manager
MIM Service/Portal
Microsoft Identity Manager Service and Portal Setup Wizard ended prematurely
MIM Sync Server Errors
Microsoft Identity Manager Graph Connector stopped-extensible-extension-error
Granfeldt PowerShell Management Agent Schema HRESULT: 0x80231343 Error
Microsoft Identity Manager “sync-rule-validation-parsing-error” error
Microsoft Identity Manager Sync Server HResult 0x80040E14 Error
Miscellaneous Errors
Cannot load Windows PowerShell snap-in MIIS.MA.Config on Microsoft Identity Manager 2016 SP1