Microsoft Identity Manager (MIM) 2016 is built on the identity and access management capabilities of FIM 2010 R2. Like its predecessor, MIM helps you manage users, credentials, policies and access within your organization. MIM 2016 also adds a hybrid experience, privileged access management capabilities and support for newer platforms.
User profile synchronization in versions prior to SharePoint 2016 relied on a built-in copy of Forefront Identity Manager (FIM) that ran inside SharePoint Server. In SharePoint Server 2016, FIM has been removed, and user profile synchronization is handled by Microsoft Identity Manager, FIM's successor. MIM runs on its own server, separate from the SharePoint 2016 server, so if you already have a MIM server you can use it with SharePoint 2016.
Download Microsoft Identity Manager SP1
Installing the original MIM 2016 release required a separate hotfix to complete the installation; MIM 2016 SP1 ships with that hotfix included, which makes the installation simpler. Before getting started with the installation procedure, download the setup files from the evaluation center. This is a fully functional 180-day trial version. The production version can be downloaded from the Microsoft Volume Licensing Service Center.
Create an Identity Manager Synchronization account
We will need a domain account under which the Microsoft Identity Manager Synchronization Service will run, so let's create one for this purpose; we will have to specify it during the installation. Use a dedicated account that is not a member of Domain Admins or any other privileged group: it only needs to run the service and access the MIM database. We will name it MIM Service.
Install Identity Manager
From the downloaded installation media, go to Synchronization Service folder path and run the setup.exe file.
This will start Identity Manager Synchronization Service Setup Wizard.
Accept the license agreement and proceed.
Select Microsoft Identity Manager Synchronization and click Next.
The next screen in the wizard asks for the SQL Server instance that MIM should use. Choose This Computer if SQL Server is installed locally, or type the name of the remote SQL Server instance. Here MIM is being installed on the same server as SQL Server, so we go with the configuration shown below.
If MIM is installed against a remote SQL Server instance, the SQL Server Native Client must already be installed on the MIM server before installing the MIM Synchronization Service.
In the next screen, specify the Service Account credentials, which we created earlier under which Identity Manager Synchronization Service will run.
Now we have to set up the security groups that MIM uses to decide who may administer, operate, browse and join in the sync engine. The default names can be left as they are; the installer creates them as local groups and adds the installing user to the administrators group.
Keep the firewall rule checkbox unchecked. It opens inbound RPC on the MIM server for remote Synchronization Service Manager clients, which is not needed when the sync engine is managed locally.
Click Next to proceed with the installation.
We will get a warning about securing the service account, as shown below. Click OK to proceed.
We will then be asked to back up the encryption keys generated at this point. They protect the credentials stored in the MIM database (for example the AD connector password) and will be required if the database is ever moved to a different SQL Server, so keep the exported key file in a protected location, as you would any credential. Click OK.
Specify the key name and click Save.
With that, MIM 2016 SP1 Synchronization Service is installed on the server.
Restart the system (or at least log off and back on) so that the new security group membership takes effect.
Forefront Identity Manager Connector for SharePoint
Now we have to install the Forefront Identity Manager Connector for SharePoint, which connects MIM to SharePoint 2016. It is commonly called the SharePoint Management Agent (SPMA) and is available as a separate download.
Once the executable has been downloaded, proceed with the installation, using SharePoint Connector Setup Wizard.
Click Install to start the installation process.
After a short while, the SharePoint Connector installation will be complete.
To finish the SharePoint Connector installation, restart the Forefront Identity Manager Synchronization Service from Services.msc.
No need for Hotfix Update
The original MIM 2016 release required a hotfix to be installed after setup before the sync engine could be used. MIM 2016 SP1 already includes that hotfix, so since we installed SP1 there is nothing more to apply here.
Configure Synchronization Settings
To enable user profile synchronization through MIM, open Central Administration, go to the User Profile Service Application and open Configure Synchronization Settings.
Select Enable External Identity Manager and click OK.
Install the solution files for SharePoint Synchronization
The solution files used to set up SharePoint synchronization can be downloaded from the repository linked here; the whole repository can be fetched as a zip from its root location.
The downloaded zip file contains the folder UserProfile.MIMSync, which holds all the solution files.
Copy the scripts from UserProfile.MIMSync to a working directory on the MIM server.
Rectify an error in the Synchronization script
The SharePointSync.psm1 module contains a set of PowerShell cmdlets that set up the Microsoft Identity Manager sync engine for SharePoint and kick off synchronization on demand. However, the module was written for the original MIM 2016 release and needs a small correction to work with MIM 2016 SP1. If we run it without the change, we get the error shown below.
The error states that SharePoint Sync requires version 4.3.2064 or greater. However, the installed version of the Forefront Synchronization Service Manager is already 4.4.1302, so the check itself is wrong, not the installation.
The error is caused by an if/else block in SharePointSync.psm1 that was written against the first MIM 2016 build and pins the minor version. To rectify it, open SharePointSync.psm1.
Replace the code block at lines 79-89 with the block given below so that the check passes on MIM 2016 SP1 as well. Note that this corrected block is still pinned to the 4.4 minor version and would fail again on a later release; comparing the full product version as a [version] object avoids that.
Corrected Code
- # Locate the sync engine's PowerShell assembly under the Synchronization Service install folder
- $MimPowerShellModuleAssembly = Get-Item -Path (Join-Path (Get-SynchronizationServicePath) UIShell\Microsoft.DirectoryServices.MetadirectoryServices.Config.dll)
- # MIM 2016 SP1 reports 4.4.x; accept any 4.4 build at or above 1237
- if ($MimPowerShellModuleAssembly.VersionInfo.ProductMajorPart -eq 4 -and $MimPowerShellModuleAssembly.VersionInfo.ProductMinorPart -eq 4 -and $MimPowerShellModuleAssembly.VersionInfo.ProductBuildPart -ge 1237) {
-     Write-Verbose "Sufficient MIM PowerShell version detected (>= 4.4.1237): $($MimPowerShellModuleAssembly.VersionInfo.ProductVersion)"
- } else {
-     throw "SharePoint Sync requires MIM PowerShell version 4.4.1237 or greater (this version is currently installed: $($MimPowerShellModuleAssembly.VersionInfo.ProductVersion)). Please install the latest MIM hotfix."
- }
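The following is an added example, not code from the article or from the UserProfile.MIMSync module. It shows the version gate written so that it does not need patching for every MIM release: the installed product version is compared as a [version] object against a minimum, so 4.4.1302 satisfies a 4.3.2064 minimum. The registry location of the Synchronization Service install path and the default minimum version are assumptions.

```powershell
# Added example: version check for the MIM Synchronization Service PowerShell assembly
# that compares full four-part versions instead of pinning the minor version.
function Get-MimSyncServicePath {
    # Assumption: the Synchronization Service registers its install folder here.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters' -ErrorAction Stop
    return $params.Path
}

function Test-MimSyncVersion {
    [CmdletBinding()]
    param(
        # Minimum version the SharePoint sync scripts need (value from the original error message).
        [version]$MinimumVersion = '4.3.2064',
        [string]$SyncServicePath = (Get-MimSyncServicePath)
    )

    $dll = Join-Path $SyncServicePath 'UIShell\Microsoft.DirectoryServices.MetadirectoryServices.Config.dll'
    if (-not (Test-Path -Path $dll)) {
        throw "MIM Synchronization Service assembly not found at '$dll'."
    }

    # ProductVersion is a string such as "4.4.1302.0"; casting to [version] makes
    # comparison numeric per component, so 4.4.1302 -ge 4.3.2064 is True while a
    # plain string comparison would not be reliable.
    $installed = [version](Get-Item -Path $dll).VersionInfo.ProductVersion

    if ($installed -lt $MinimumVersion) {
        throw "SharePoint Sync requires MIM PowerShell version $MinimumVersion or greater (installed: $installed). Please install the latest MIM hotfix."
    }

    Write-Verbose "Sufficient MIM PowerShell version detected (>= $MinimumVersion): $installed"
    return $installed
}

# Usage on the MIM server; -Verbose prints the detected version.
Test-MimSyncVersion -Verbose
```

Dropping this function into SharePointSync.psm1 in place of the hard-coded block means a future 4.5 build passes without another edit, while a genuinely old install still fails with the same message.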
Get configuration values for SharePoint Synchronization script
To enable SharePoint synchronization, we will run a SharePointMIMSync.ps1 script on the MIM server. Before running it, we have to fill in the values for our environment.
We need the OrganizationalUnit and ForestDnsName parameters. The OrganizationalUnit value is the distinguished name of the container to be synchronized; to sync the whole domain, use the domain's distinguished name (here DC=AzureAD,DC=Contoso,DC=com). One way to see it is the command below, which lists the computer's groups with their distinguished names; the trailing domain components are the domain DN (the same value is returned directly by (Get-ADDomain).DistinguishedName).
- Get-ADComputer $env:COMPUTERNAME | Get-ADPrincipalGroupMembership
The AD forest DNS name is the Name property returned by the command below.
- Get-ADForest
The downloaded scripts are unsigned, so under the default execution policy running them fails with "File is not digitally signed". Relax the policy for the current process only, as below, rather than machine-wide; alternatively, run Unblock-File on the extracted scripts so that RemoteSigned accepts them.
- Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Run SharePoint Synchronization script
Now we are ready to run the SharePoint sync script. Running it involves the two steps below.
- Import SharePointSync Module
- Run ‘Install-SharePointSyncConfiguration’ Command
After changing to the directory where the scripts are, load the SharePointSync.psm1 module as shown below.
- Import-Module .\SharePointSync.psm1
Now we can run the Install-SharePointSyncConfiguration command, which configures MIM synchronization with SharePoint. It needs the parameters given below.
- -Path - Directory where the sync scripts are located.
- -ForestDnsName - AzureAD.Contoso.com (obtained earlier with Get-ADForest).
- -ForestCredential - Account that MIM uses to read objects from Active Directory. It must have the Replicating Directory Changes right on the domain to be synchronized; that is all it needs, so use a dedicated account granted only that right rather than a Domain Admin. (The walkthrough below uses an AD administrator account for simplicity.)
- -OrganizationalUnit - Distinguished name of the Active Directory container to be synchronized. We can get it by running "Get-ADComputer $env:COMPUTERNAME | Get-ADPrincipalGroupMembership".
- -SharePointUrl - SharePoint Central Administration URL.
- -SharePointCredential - SharePoint farm account.
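The following is an added example, not part of the original article, covering the two account steps above: creating the service account from the "Create an Identity Manager Synchronization account" section and provisioning a least-privilege account for -ForestCredential. Instead of a Domain Admin, the connector account is granted only the Replicating Directory Changes extended right on the domain head. The account names, the OU path and the use of Read-Host for passwords are assumptions for a lab domain.

```powershell
# Added example: dedicated accounts for MIM and a least-privilege grant for the AD connector.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName            # e.g. DC=AzureAD,DC=Contoso,DC=com
$svcOu    = "OU=Service Accounts,$domainDn"      # assumed OU; create it first if it does not exist

function New-MimServiceAccount {
    param([Parameter(Mandatory)][string]$Name)
    # Plain domain user: no group memberships beyond Domain Users.
    New-ADUser -Name $Name -SamAccountName $Name `
        -UserPrincipalName "$Name@$($domain.DNSRoot)" -Path $svcOu `
        -AccountPassword (Read-Host -AsSecureString "Password for $Name") `
        -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
    return (Get-ADUser -Identity $Name)
}

# Run-as account for the Synchronization Service (entered during MIM setup).
$syncSvc   = New-MimServiceAccount -Name 'MIMSyncService'
# Connector account passed as -ForestCredential to Install-SharePointSyncConfiguration.
$connector = New-MimServiceAccount -Name 'MIMADConnector'

# Schema GUID of the DS-Replication-Get-Changes control access right
# ("Replicating Directory Changes"). Do NOT grant DS-Replication-Get-Changes-All
# (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2): that right lets an account replicate
# password hashes (DCSync) and user profile sync does not need it.
$getChangesGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    [System.Security.Principal.SecurityIdentifier]$connector.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $getChangesGuid
)

# Apply the ACE on the domain head; the right is evaluated there for replication requests.
$acl = Get-Acl -Path "AD:\$domainDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# Verify: the connector should hold exactly one extended right on the domain head,
# with ObjectType equal to the Get-Changes GUID above.
(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object {
        $_.IdentityReference -like "*\$($connector.SamAccountName)" -and
        $_.ActiveDirectoryRights -eq 'ExtendedRight'
    } |
    Select-Object IdentityReference, ObjectType, AccessControlType, IsInherited
```

The verification step doubles as a periodic check: any additional ExtendedRight entry for the connector account, in particular one carrying the Get-Changes-All GUID, is a privilege the sync does not need and should be removed.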
The synchronization script below can be saved to a PS1 file, say SharePointMIMSync.ps1, and run from the console as .\SharePointMIMSync.ps1.
- $MIMSyncAccount = Get-Credential -UserName "AzureAD\AzureADAdmin" -Message "MIM Sync Account"
- $SPFarmAccount = Get-Credential -UserName "AzureAD\SPFarmAccount" -Message "SP Farm Admin"
- Install-SharePointSyncConfiguration -Path C:\SharePointMIMSync -ForestDnsName AzureAD.Contoso.com -ForestCredential $MIMSyncAccount -OrganizationalUnit "DC=AzureAD,DC=Contoso,DC=com" -SharePointUrl http:
When the script runs, it prompts for the sync account, which we enter as shown below.
It also prompts for the SharePoint farm account; enter it and click OK.
This completes the SharePoint synchronization configuration and we get the message shown below. It specifically says that before starting synchronization we should set the AD account password in the AD connector, which we do in the next section.
Run Synchronization Service Manager
Now we can open the Synchronization Service Manager to start synchronizing user profiles.
We can see two management agents in the Service Manager:
- ADMA - Active Directory Management Agent.
- SPMA - SharePoint Management Agent.
Open the ADMA properties and go to the Connect to Active Directory Forest tab. Here we specify the password for the sync account (the -ForestCredential account) that has the Replicating Directory Changes right in Active Directory.
Also check, on the Configure Directory Partitions tab, that the correct AD partitions are selected, so that the synchronization covers the intended domain.
Before running the synchronization command, restart the Forefront Identity Manager Synchronization Service.
Finally, we can start the SharePoint synchronization from the module:
- Start-SharePointSync -Confirm:$false
This imports the user profiles from Active Directory and exports them to SharePoint; the run results and details are visible in the Synchronization Service Manager, as shown below.
Summary
This walkthrough covered installing and configuring Microsoft Identity Manager 2016 SP1 for user profile synchronization with SharePoint Server 2016.