In my last post I detailed how to configure the Granfeldt PowerShell Management Agent as an ECMA2 connector with the Entra ID Provisioning Service. This post details a few tips for configuring and developing solutions that use ECMA2 connectors.

Microsoft Identity Manager Management Agent Configuration Methods Comparison

First though here is a table of configuration items and a comparison between the MIM Sync Service, MIM Portal & Service and Entra ID Provisioning with ECMA connectors. This will help you to know where you need to perform configuration tasks.
*Note*: this also tested my memory as I haven’t done much with MIM in ~5years.

Configuration Item	Classic Configuration (MIM Sync Service Only)	MIM Portal & Service Configuration	Entra ID Provisioning Service with ECMA Connector
Configuration Interface	Synchronization Service Manager UI	MIM Portal web interface	Provisioning configuration of your Entra ID Application and the ECMA Configuration Tool on your Connector Agent Host
Management Agents Creation	Created manually through the Synchronization Service Manager	Created through MIM Portal using Management Policy Rules (MPRs)	Either in MIM and export to then Import via the ECMA Host Config Wizard, or create directly with the ECMA Host Config Wizard
Schema Management	Manual schema definition and mapping for connected systems (metaverse and connector space) in Sync Service	Schema management for MIM Portal objects; connected systems schema still configured in Sync Service	Provisioning configuration of your Entra ID Application (Mappings)
Run Profiles	Manually configured in Sync Service Manager (import, export, delta, full sync, etc.)	Still configured in Sync Service Manager, with additional workflow triggers through MIM Service	Options for Imports (Delta & Full) and Exports on the ECMA Connector configuration using the ECMA Host Config Wizard
Join/Projection Rules	Manually configured through join and projection rules UI	Configured through synchronization rules in the portal	Provisioning configuration of your Entra ID Application (Mappings)
Attribute Flow Configuration	Manually configured through attribute flow UI; requires custom .NET extensions (C#, VB.NET) for complex transformations	Defined through synchronization rules with built-in transformation options including: Direct, Constant, Expression, Rule-based, Composite/Multiple attributes, Distinguished Name, and Boolean expressions. Includes options for flowing/not flowing NULL values	Provisioning configuration of your Entra ID Application (Mappings)
Deprovisioning Rules	Manually configured through deprovisioning UI	Handled through synchronization and workflow policies	On the ECMA Connector configuration using the ECMA Host Config Wizard under Deprovisioning. Works in conjunction with the Entra ID Account status (Enabled/Disabled/Deleted)
Scoping Filters	Manual configuration of connector/scoping filters in Sync Service	Policy-based filtering defined in portal, underlying scoping filters still in Sync Service	Provisioning configuration of your Entra ID Application (Scoping Filter)
Extension Configuration	Direct coding in C# or other .NET languages for various extensions	Extensible through workflows and custom activities	Your ECMA Connector logic
Password Management	Requires PCNS (Password Change Notification Service) for password synchronization	Requires PCNS for password synchronization; adds enhanced password management with self-service	Password Sync not available. Provisioning initial password is supported
Administrative Access	Administrative permissions controlled by Windows/Active Directory Groups	Role-based access control through the MIM Portal, still based on Windows/Active Directory Groups but with more granular permission options	Entra ID Application Administrator Role
Approval Workflows	No native workflow capabilities	Approval workflows including an Outlook client extension for approvals/denies without accessing the portal	Provided via Lifecycle Workflows or Power Platform extensions (e.g Logic Apps)
Audit Capabilities	Basic logging and reporting	Enhanced auditing and reporting capabilities	Entra ID Provisioning Logs. Windows Server Event Logs (for ECMA Host events)
Automation Capabilities	PowerShell and WMI interfaces	PowerShell, REST API	Entra ID Provisioning via Microsoft Graph.
Scalability	Limited by single server architecture (only one active Sync Service server allowed)	Can deploy multiple Portal/Service servers for improved front-end scalability, but still limited by single active Sync Service server dependency	Similar to MIM Sync Service with a single Active Connector Host (see High-Availability below)
Provisioning / Deprovisioning Configuration	Requires writing Provisioning Extensions in .NET (C#, VB.NET)	Handled through synchronization rules and workflow policies	Provisioning: Entra ID Application assignment (direct or via group membership) Deprovisioning: Entra ID account status & ECMA Connector Deprov configuration
Deployment Complexity	Relatively simpler deployment once the Management Agent/Connector is built.	More complex deployment with additional components	Similar to MIM Sync
Self-Service Capabilities	None	Comprehensive self-service portal for users and groups management, plus Self-Service Password Reset (SSPR)	None

Updating the Schema for your Connector/Connected System

• If you change the schema configuration for your system or connector (schema.ps1 for the Granfeldt PSMA) edit the configuration of the ECMA Connector on the Connector Agent Host
  • Change a say the path to the schema.ps1 then change it back. This then enables the save button which will allow the system to trigger a refresh of the schema.ps1 script and your changes

Import Frequency

The ECMA Connector Configuration UI has a minimum time of 120 mins for import run cycles. During Development this is too slow for changes/testing/debugging. Change it from 120 to something like 10mins so you can see your changes more quickly in the Event Log (see next tip).
As the UI won’t let you change it to less than 120 mins edit the configuration.xml file as described below. Make sure you close the ECMA Config tool first. Next time you use the ECMA Config tool, the UI will generate a pop-up error. Just ignore it.
a. Change the time in the ECMA2Host Service Configuration
i. C:\Program Files\Microsoft ECMA2Host\Service\Configuration\configuration.xml
ii. Under <ECMAConfig>
<AutosyncTimer>10</AutosyncTimer>

To trigger a local import, you can also restart the ECMA2 Service on your connector host.

ECMA2 Logging

Logs for the ECMA2 Connector Host and your connector (e.g. PSMA) is on the connector agent host under Event Viewer = > Applications and Services Logs => ECMA2Host. In your connector if you have enabled verbose logging, you will see the objects and their values being imported in the Event Log. This is handy for ensuring you have your schema and import configurations correct.

Connectivity Errors from Entra ID Provisioning to ECMA

I’ve seen a few times when the ECMA Provisioning Host is also running Entra Cloud Sync and the certificate for the ECMA Connector somehow switched to a different certificate. That causes the Entra ID Application Provisioning to go into quarantine as connectivity was lost. Running the TestECMA2HostConnection script (under the ECMA2Host Troubleshooting directory) will validate if everything is configured and working correctly on the ECMA Agent Host and its configuration. The screenshot below is from an instance where the certificate was wrong. Generate a new certificate and save it (using the ECMA Config Wizard) and retest.

High availability

For on-premises apps using the ECMA connector: The recommendation is having one active agent and one passive agent (configured, but stopped, not assigned to the enterprise app in Microsoft Entra) per data center.

Unable to find Windows PowerShell 5.1 libraries

I’ve seen the following a few times and I think it was due to the actual Windows Server and other roles it was performing but adding it here in case anyone else experiences it.

Error: Unable to find Windows PowerShell 5.1 libraries under C:\Program Files\Microsoft ECMA2Host\Service\ECMA\Cache\<yourConnectorname> or C:\Program Files\Microsoft ECMA2Host\Service\ECMA

Find the following three DLLs under C:\Windows\WinSxS and copy them over to the directory mentioned in the error message.
You’re probably doing something daft like running the ECMA2Host on a Domain Controller.

• System.Management.Automation.resources.dll
• Microsoft.PowerShell.Security.resources.dll
• Microsoft.WSMan.Management.resources.dll

Summary

Hopefully these tips help anyone else getting up to speed with implementing ECMA connectors with the Entra ID Provisioning Service.