MIM Sync Service Account IE Security Settings
If you use PowerShell extensively you should be familiar with the Invoke-RestMethod cmdlet and the ability for PowerShell to call API’s and receive information. The great thing about Invoke-RestMethod is the inbuilt conversion of the results to PowerShell Objects. However there are times when you need the raw response (probably because you are trying to bend things in directions they aren’t supposed to be; story of many of my integrations).
From within Granfeldt PowerShell Management Agent script(s) that use Invoke-WebRequest calls, these will in turn leverage the Internet Explorer COM API on the local machine. That means the account that is performing those tasks will need to have the necessary permissions / Internet Explorer configuration to do so.
Logon to your Microsoft Identity Manager Synchronization Server using the Service Account associated with the Forefront Identity Manager Synchronization Service. If you’ve secured the service account properly you will need to temporarily allow that service account to Log on Locally.
Open Internet Explorer and open Internet Options. Select the Security Tab, the Internet zone and select Custom Level.
Locate the Scripting section and set Active scripting to Enable. Set the Allow websites to prompt for information using scripted windows to Disable. Select Ok and Ok.
With the configuration completed, go back and change back the Forefront Identity Manager Service Accounts’ local permissions so it can’t logon locally.
Your Import / Export Granfeldt PowerShell Management Agent Scripts can now use Invoke-WebRequest where the requests/responses use the Internet Explorer COM API and respect the Internet Explorer security settings for the user profile that the requests are being made by.
Hopefully this helps someone else that is wondering why the scripts that work standalone fail when operating under the FIM/MIM Sync Service Account by the Granfeldt PowerShell Management Agent.
If you've ever needed to debug a Microsoft Entra (Azure AD) authentication flow, you'll know…
It’s 2026 and somehow I keep finding myself back in 2016, integrating heritage applications into…
I’ve just published an MCP server that turns Merill & Joshua’s weekly Entra News newsletter…
If you've ever worked with the ECMA2Host for Entra Outbound Provisioning you'll be immediately presented…
For over a decade, the Granfeldt PowerShell Management Agent (PSMA) has been the bedrock for…
Recently under the experimental Azure Functions build Microsoft Developer Advocates have shown enabling Azure Functions…
This website uses cookies.