Forefront / Microsoft Identity Manager does not come with an out-of-the-box management agent for managing SharePoint Online.
Whilst the DirSync/AADConnect solution will allow you to synchronise attributes from your On Premise Active Directory to Azure AD, SharePoint Online only uses a handful of them and maintains its own set of user profile attributes. Many are similarly named to the standard Azure AD attributes but carry the SPS- prefix.
For example, here is a list of SharePoint Online attributes and a couple of references to associated Azure AD attributes:
My customer has AADConnect in place that is synchronising their On Premise AD to Office 365. They also have a MIM 2016 instance that is managing user provisioning and lifecycle management. I’ll be using that MIM 2016 instance to manage SPO User Profile Attributes.
The remainder of this blog post describes the PS MA I’ve developed to manage the SPO attributes to allow their SPO Online Forms etc to leverage business and organisation user metadata.
In this blog post I detail how you can synchronise user attributes from your On Premise Active Directory to the associated user's SharePoint Online user profile utilising Søren Granfeldt's extremely versatile PowerShell Management Agent. Provisioning and licensing of users for SPO is performed in parallel by the DirSync/AADConnect solution. This solution just provides attribute synchronisation to SPO User Profile attributes.
In this solution I'm managing the attributes that are pertinent to the customer. If you need an additional attribute, or you have created custom attributes, it is easy enough to extend.
First up, you can get it from here. Søren’s documentation is pretty good but does assume you have a working knowledge of FIM/MIM and this blog post is no different.
Three items I had to work out that I'll save you the pain of are:
In order to use this working example there are a couple of items to note:
As mentioned above I’m only syncing attributes pertinent to my customers’ requirements. That said I’ve selected a number of attributes that are potentials for future requirements.
Empty as described above
A key part of the import script is connecting to SPO and accessing the full User Profile. In order to do this, you will need to install the SharePoint Online Client Components SDK. It’s available for download here https://www.microsoft.com/en-us/download/details.aspx?id=42038
The import script then imports two libraries that give us access to the SPO User Profiles.
Import-Module 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.UserProfiles.dll'
Import-Module 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll'
Import values for attributes defined in the schema.
The business part of the MA. Basically enough to take attribute value changes from the MV to the SPO MA and export them to SPO. In the example script below I’m only exporting three attributes. Add as many as you need.
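To make the shape of the three PSMA scripts concrete, here is an added example (my own illustration, not Darren's MA scripts and not part of Søren Granfeldt's PSMA) that collapses the schema, import and export logic into one function library. The tenant admin URL, the property-to-attribute map, the list of UPNs to read, and the use of SharePointOnlineCredentials (legacy credential auth, which a tenant may have disabled in favour of modern auth) are all assumptions. The service account only needs rights to manage user profiles in SPO; it is never used for provisioning, which stays with AADConnect.

```powershell
# Added example (not from the original post). Assumed values are marked below.
# The CSOM assemblies come from the SharePoint Online Client Components SDK.
Import-Module 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll'
Import-Module 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.UserProfiles.dll'

$TenantAdminUrl = 'https://contoso-admin.sharepoint.com'   # assumed tenant admin URL

# SPO user profile property name -> MIM attribute name (assumed subset; extend as required).
$PropertyMap = @{
    'Title'        = 'Title'
    'Department'   = 'Department'
    'SPS-Location' = 'Location'
    'CellPhone'    = 'mobile'
}

# schema.ps1: PSMA expects one object whose property names are "attribute|type".
function Get-SpoProfileSchema {
    $obj = New-Object -TypeName PSCustomObject
    $obj | Add-Member -MemberType NoteProperty -Name 'Anchor-AccountName|String' -Value 1
    $obj | Add-Member -MemberType NoteProperty -Name 'objectClass|String' -Value 'user'
    $obj | Add-Member -MemberType NoteProperty -Name 'WorkEmail|String' -Value 'x'
    foreach ($mimAttr in $PropertyMap.Values) {
        $obj | Add-Member -MemberType NoteProperty -Name "$mimAttr|String" -Value 'x'
    }
    return $obj
}

# Shared connection helper. PSMA passes $Username/$Password from the MA configuration.
function Connect-SpoProfileContext {
    param([string]$Username, [string]$Password)
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($TenantAdminUrl)
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Username, $secure)
    return $ctx
}

# import.ps1: emit one hashtable per user in the format PSMA expects ([DN], objectClass, attributes).
# $AccountUpns is assumed to come from elsewhere (e.g. an Azure AD user listing); constructed list for illustration.
function Import-SpoProfiles {
    param($Context, [string[]]$AccountUpns = @('alice@contoso.onmicrosoft.com'))
    $pm = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($Context)
    foreach ($upn in $AccountUpns) {
        $accountName = "i:0#.f|membership|$upn"          # SPO claims-format account name
        $props = $pm.GetPropertiesFor($accountName)
        $Context.Load($props)
        try { $Context.ExecuteQuery() } catch { Write-Warning "No SPO profile for $upn : $_"; continue }

        $obj = @{}
        $obj.Add('[DN]', $accountName)
        $obj.Add('objectClass', 'user')
        $obj.Add('AccountName', $accountName)
        $obj.Add('WorkEmail', $props.Email)               # join target (WorkEmail => mail)
        foreach ($spoProp in $PropertyMap.Keys) {
            $value = $props.UserProfileProperties[$spoProp]
            if (-not [string]::IsNullOrEmpty($value)) { $obj.Add($PropertyMap[$spoProp], [string]$value) }
        }
        $obj
    }
}

# export.ps1: called once per pending export object ($_ in the PSMA PROCESS block).
# Only attributes MIM flagged as changed are written; deletes are ignored because AADConnect owns lifecycle.
function Export-SpoProfile {
    param($Context, $PendingExport)
    if ($PendingExport.'[ObjectModificationType]' -eq 'Delete') { return }
    $pm = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($Context)
    $accountName = $PendingExport.'[DN]'
    $changed = @($PendingExport.'[ChangedAttributeNames]')
    foreach ($spoProp in $PropertyMap.Keys) {
        $mimAttr = $PropertyMap[$spoProp]
        if ($changed -notcontains $mimAttr) { continue }
        $value = $PendingExport.$mimAttr
        if ($null -eq $value) { $value = '' }            # attribute removed in MV -> clear in SPO
        $pm.SetSingleValueProfileProperty($accountName, $spoProp, [string]$value)
    }
    $Context.ExecuteQuery()
}

# Wiring: each PSMA script dot-sources this file and calls one function, e.g. in import.ps1
#   param($Username, $Password, $OperationType)
#   $ctx = Connect-SpoProfileContext -Username $Username -Password $Password
#   Import-SpoProfiles -Context $ctx
```

Keeping the property map in one place means the schema, the import and the export can never disagree about which SPO properties are in scope, and the export writing only `[ChangedAttributeNames]` keeps an export run from overwriting values users have edited in SPO (such as the mobile number flowed back in on import).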
In order to wire the functionality together, I’m doing it just using the Sync Engine MA configuration as we’re relying on AADConnect to create the users in Office365, and we’re just flowing through attribute values.
Basically, create the PS MA, create your MA Run Profiles, import users and attributes from the PS MA, validate your joins and Export to update SPO attributes as per your flow rules.
As per the tips above, the format for the script paths must be without spaces etc. I’m using 8.3 format and I’m using the Office 365 account we gave permissions to manage user profiles in SPO earlier.
Password script must be specified but as we’re not doing password management it’s empty as detailed above.
If your schema.ps1 file is formatted correctly you can select your attributes.
I have a few join rules. In the pre-prod environment though I’m joining on WorkEmail => mail.
My import flow is just bringing back in users' mobile numbers, which users are able to modify in SPO. I'm exporting Title, Location and Department to SPO.
Using the Granfeldt PowerShell MA it was very easy to manage user SharePoint Online User Profile attributes.
Follow Darren on Twitter @darrenjrobinson
Thank you for the great article.
One question I had was if it is possible to run MIM on the same server where AAD Connect is running. I don't believe that would be possible but wanted to double check with you.
Thanks again for the great post.
Hey Eric,
Technically you could.
However if you needed support from MS for your AAD Connect implementation your implementation would deviate from standard known state.
We prefer the path of AAD Connect to do its thing.
Separate MIM Implementation to do all the extra logic (like O365 Licensing, SPO Profile, Password Reset etc.).
Cheers,
DR
Hi Darren,
Does this require any customisation to what attributes are synced via AADSync? Are the attributes like Job Title that are synced from AD to Azure AD and then picked up by SharePoint not read-only on the cloud side due to AADSync?
Does this solution allow users to edit these attributes on their profile page etc and pull them back into MIM/AD?
Thanks,
David
Hey David, this was used for attributes not automatically sync'd from users' Azure AD accounts to SPO. Yes, it can be used to sync back to On Prem AD attributes users edit in SPO. We are doing that for phone numbers. DR