For over a decade, the Granfeldt PowerShell Management Agent (PSMA) has been the bedrock for bespoke identity integration within Microsoft Identity Manager (MIM) and its predecessor, Forefront Identity Manager. It provides the essential bridge between the MIM Synchronisation Service and virtually any target system accessible via PowerShell. Like many others, my own portfolio of custom MAs is built upon Søren Granfeldt’s fundamental piece of work. Today, I’m proud to announce a significant update that future-proofs the PSMA and brings it into the modern era: the official addition of PowerShell 7 support.
Historically, the PSMA was tied to Windows PowerShell 5.x, the version shipped with Windows Server. While reliable, this dependency meant sacrificing the substantial advancements made in the open-source, cross-platform PowerShell 7 (now simply PowerShell). For a Management Agent, this often translated into slower execution times and the inability to use modern scripting capabilities.
The good news is that you can update to the latest version of the PSMA without immediately disrupting existing, stable implementations. PowerShell 7 support is enabled on a per-Management Agent basis, allowing for a controlled, phased rollout. When configuring an MA (and during schema validation), the agent continues to run the Schema script under Windows PowerShell 5.1 for backwards compatibility. However, when an Import, Export, or Password script execution is run, the script engine will switch to the modern PowerShell 7 runtime, but only if you have configured that specific Management Agent to do so. This design allows for parallel testing and a smooth transition.
This update, which I contributed as Pull Request #28 to the official repository, is more than just a version bump; it is a fundamental performance uplift. PowerShell 7 is built on .NET Core (now simply .NET), a major departure from the older .NET Framework used by PS 5.1. This new foundation offers substantial gains in speed and memory efficiency.
One immediate benefit for management agents with a large number of managed identities is the ability to leverage parallel processing via ForEach-Object -Parallel rather than having to write complex parallel processing functions. This capability alone can drastically reduce sync cycle times, potentially turning multi-hour operations into minutes, particularly when interacting with backend systems that can handle concurrent connections.
Furthermore, the general performance of cmdlets has been optimised, and the overall memory footprint and startup time of PowerShell runspaces are demonstrably better in PS7. This leads to a leaner, faster, and more responsive MA execution environment, addressing some of the historical speed and memory constraints associated with complex PowerShell-based MAs.
It is important to note that in this initial release, PowerShell 7 with impersonation is not supported. The underlying MIM Synchronization Service model relies on the older Windows PowerShell environment for impersonation capabilities, so an MA configured to impersonate must remain on Windows PowerShell 5.1.
However, this does not prevent you from connecting to external systems with different credentials. The PSMA already provides a robust mechanism for this: the primary and secondary credentials configured on the Management Agent’s connectivity tab are passed directly as parameters to your Import, Export and Password scripts. By using these credentials within your PSMA scripts to connect to your target system (via Invoke-RestMethod or specific module cmdlets), you can easily authenticate with the necessary permissions, allowing you to connect to systems with different (or multiple) credentials, regardless of the service account running the Synchronisation Service.
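To show the two points above together, the parallel per-identity fetch and the use of the credentials the MA passes in, here is an added example of a PSMA Import script. It is not code from the original post or from the PSMA project. The parameter names follow the PSMA import-script convention ($Username/$Password/$Credentials, the Aux* set for the secondary credentials, $OperationType); the REST endpoints, the JSON shape and the attribute names are hypothetical, and paged import is assumed to be disabled on the MA.

```powershell
# Added example, not code from the original post or from the PSMA project.
# A PSMA Import script that (a) authenticates to the target with the primary
# credentials the MA passes in, and (b) fetches per-identity detail with
# ForEach-Object -Parallel when running under PowerShell 7.
# Assumptions: parameter names follow the PSMA import-script convention;
# the REST endpoints, JSON shape and attribute names are hypothetical.
param (
    $Username, $Password, $Credentials,            # primary credentials ($Credentials is a PSCredential)
    $AuxUsername, $AuxPassword, $AuxCredentials,   # secondary credentials, unused in this example
    $OperationType,                                # 'Full' or 'Delta'
    [bool] $UsePagedImport, $PageSize,             # paged import assumed disabled on the MA
    $ConfigurationParameter
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$baseUri = 'https://hr.example.invalid/api'       # hypothetical target system

# Authenticate as the MA's configured identity, not as the Sync Service account.
# $Password arrives in clear text; never write it to a log or transcript.
$netCred = $Credentials.GetNetworkCredential()
$basic   = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$($netCred.UserName):$($netCred.Password)"))
$headers = @{ Authorization = "Basic $basic" }

# Cheap call: the list of identity ids. A Delta import would normally narrow this
# with a watermark; this example always reads the full set.
$ids = Invoke-RestMethod -Uri "$baseUri/users" -Headers $headers -Method Get

# Per-identity work. It reads everything it needs from the pipeline object rather
# than from outer variables, so the same script block runs both sequentially and
# inside -Parallel runspaces (which see outer variables only via $using: and do not
# inherit functions defined in this script).
$fetchOne = {
    $u = Invoke-RestMethod -Uri $_.Uri -Headers $_.Headers -Method Get
    # PSMA consumes one hashtable per object; '[DN]' is the anchor and objectClass is required.
    @{
        '[DN]'        = $u.id
        'objectClass' = 'user'
        'accountName' = $u.accountName
        'displayName' = $u.displayName
        'mail'        = $u.mail
    }
}

$work = $ids | ForEach-Object { [pscustomobject]@{ Uri = "$baseUri/users/$_"; Headers = $headers } }

if ($PSVersionTable.PSVersion.Major -ge 7) {
    # -ThrottleLimit bounds concurrent connections so the target is not flooded.
    $work | ForEach-Object -Parallel $fetchOne -ThrottleLimit 16
} else {
    # Windows PowerShell 5.1 has no -Parallel: same logic, run sequentially.
    $work | ForEach-Object -Process $fetchOne
}
```

Two practical notes on the -Parallel branch: output order is not preserved, which is fine for an import because PSMA keys each object on its anchor, and each parallel runspace is a fresh scope, so anything the per-object block needs must either travel with the pipeline object (as here) or be referenced with $using:. Start with a conservative -ThrottleLimit and raise it only once the target system has been observed to cope with that many concurrent sessions.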
I want to thank Søren Granfeldt for his continued work on the PSMA and for merging this long requested capability. I encourage those of you sweating your FIM/MIM implementations, or implementing Entra Provisioning Service ECMA Connectors with the Granfeldt PSMA, to update and start exploring the vast potential of PowerShell 7 within your MIM (and any remaining FIM) identity environments.