Microsoft Identity Manager (MIM) 2016 builds on the identity and access management capabilities of FIM 2010 R2. Like its predecessor, MIM manages the users, credentials, policies, and access within an organization. MIM 2016 also adds a hybrid experience, privileged access management capabilities, and support for new platforms.
User Profile Synchronization in versions before SharePoint 2016 relied on a built-in Forefront Identity Manager (FIM) that ran inside SharePoint Server. In SharePoint Server 2016 that embedded FIM has been removed, and User Profile Synchronization is instead performed by Microsoft Identity Manager, FIM's successor. MIM runs on a separate server from the SharePoint 2016 server, so an existing MIM server can be leveraged for SharePoint 2016.
Download Microsoft Identity Manager SP1
Installing the original MIM 2016 release required a separate hotfix to complete successfully; MIM 2016 SP1 ships with that hotfix built in, which makes the installation easier. Before getting started with the installation procedure, download the setup file from the Evaluation Center. This is a fully functional 180-day trial; the production-ready version can be downloaded from the Microsoft Volume Licensing Service Center. Once MIM SP1 is downloaded and installed, we have to run a solution (available on GitHub) that synchronizes MIM with SharePoint. It has a rather silly error that prevents it from running to completion, because it was written for the original MIM 2016 release rather than MIM 2016 SP1. Running the script without changes produces the error below.
The error states that SharePoint Sync requires 4.3.2064 or greater. However, if we check, the installed version of Forefront Synchronization Service Manager in MIM SP1 is already 4.4.1302: the check rejects a newer version simply because its minor version number differs from the one it was written for. Let's see how to resolve it.
Install the solution files for SharePoint Synchronization
We can download the complete set of solution files used to set up SharePoint Synchronization from here; the whole repository can be fetched as a zip from its root location.
The downloaded zip contains the folder ‘UserProfile.MIMSync’, which holds all the solution files.
Copy the scripts from ‘UserProfile.MIMSync’ to a working directory on the MIM server.
Rectify Error in the Synchronization Script
The SharePointSync.psm1 module contains a set of PowerShell cmdlets that set up the Microsoft Identity Manager sync engine for SharePoint and kick off synchronization on demand. However, the module was written for the original MIM 2016 release and needs a code correction to work with MIM 2016 SP1; run unmodified, it fails with the version error shown earlier.
The error is caused by an If/Else block in SharePointSync.psm1 that was aimed at the first release of MIM 2016 and accepts only 4.3.x builds. To rectify it, open SharePointSync.psm1 and replace the code block at lines 79-89 with the block below so that it works with MIM 2016 SP1 as well.
Corrected Code
```powershell
$MimPowerShellModuleAssembly = Get-Item -Path (Join-Path (Get-SynchronizationServicePath) UIShell\Microsoft.DirectoryServices.MetadirectoryServices.Config.dll)
if ($MimPowerShellModuleAssembly.VersionInfo.ProductMajorPart -eq 4 -and $MimPowerShellModuleAssembly.VersionInfo.ProductMinorPart -eq 4 -and $MimPowerShellModuleAssembly.VersionInfo.ProductBuildPart -ge 1237) {
    Write-Verbose "Sufficient MIM PowerShell version detected (>= 4.4.1237): $($MimPowerShellModuleAssembly.VersionInfo.ProductVersion)"
} else {
    throw "SharePoint Sync requires MIM PowerShell version 4.4.1237 or greater (this version is currently installed: $($MimPowerShellModuleAssembly.VersionInfo.ProductVersion). Please install the latest MIM hotfix."
}
```
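A check pinned to one exact minor version will break again at the next service pack, exactly as the 4.3 check broke on SP1. The following is an added example, not code from the UserProfile.MIMSync solution: it performs the same gate by casting the assembly's ProductVersion to a [version] and comparing it against a minimum, so any later 4.x build passes while 4.3.2064 still fails. It assumes (as a stand-in for the module's own Get-SynchronizationServicePath) that the sync service install path is stored under the FIMSynchronizationService registry key.

```powershell
# Added example: version gate for the MIM Synchronization Service PowerShell assembly.
# Assumption: the service install path lives in the FIMSynchronizationService
# registry key; this stands in for the solution's Get-SynchronizationServicePath.
function Get-MimSyncServicePath {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
    (Get-ItemProperty -Path $key -Name Path).Path
}

function Test-MimPowerShellVersion {
    [CmdletBinding()]
    param(
        # Lowest build known to work; 4.4.1237 is the value the corrected check uses.
        [version]$Minimum = '4.4.1237',
        # Optional override so the function can be pointed at any copy of the DLL.
        [string]$AssemblyPath
    )
    if (-not $AssemblyPath) {
        $AssemblyPath = Join-Path (Get-MimSyncServicePath) `
            'UIShell\Microsoft.DirectoryServices.MetadirectoryServices.Config.dll'
    }
    $installed = [version](Get-Item -Path $AssemblyPath).VersionInfo.ProductVersion

    # [version] compares major, minor, build and revision numerically, so
    # 4.4.1302 -ge 4.4.1237 is true and 4.3.2064 -ge 4.4.1237 is false.
    if ($installed -ge $Minimum) {
        Write-Verbose "Sufficient MIM PowerShell version detected (>= $Minimum): $installed"
        return $true
    }
    $msg = "SharePoint Sync requires MIM PowerShell version $Minimum or greater " +
           "(installed: $installed). Please install the latest MIM hotfix."
    throw $msg
}

# Usage on the MIM server:
Test-MimPowerShellVersion -Verbose
```

If a future release genuinely changes the module's behaviour, raise the default for -Minimum in one place rather than editing three numeric comparisons.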
Get configuration values for SharePoint Synchronization script
To enable SharePoint Synchronization we will run a SharePointMIMSync.ps1 script on the MIM server. Before running it we have to update the script with values from our environment.
We need values for the ‘OrganizationalUnit’ and ‘ForestDnsName’ parameters. ‘OrganizationalUnit’ is the distinguished name of the container to synchronize; to sync the whole domain this is the domain's DN, here DC=AzureAD,DC=Contoso,DC=com. One way to see it is to list the distinguished names of the groups the MIM server belongs to, whose trailing DC= components spell out the domain DN:
- Get-ADComputer $env:COMPUTERNAME | Get-ADPrincipalGroupMembership
We can get the AD forest DNS name (‘ForestDnsName’) by running the command below.
- Get-ADForest
Before running the synchronization script, run the following ‘Set-ExecutionPolicy’ command in the same session; otherwise the downloaded, unsigned scripts fail with the error ‘File is not digitally signed’. Scoping the policy to the current process leaves the machine-wide policy untouched; alternatively, review the downloaded files and clear their Internet zone marker with Unblock-File so they run under RemoteSigned without relaxing the policy at all.
- Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
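The two AD parameters and the sync account's rights are the things most often wrong on a first run, so here is an added pre-flight script (not part of the UserProfile.MIMSync solution) covering the steps above. It resolves ForestDnsName and the domain DN with the ActiveDirectory module, then checks that the intended sync account holds a direct Replicating Directory Changes ACE on the domain root and does not also hold Replicating Directory Changes All or Domain Admins membership, neither of which profile sync needs. The account name ‘svc-mimsync’ is an illustrative assumption; the two extended-right GUIDs are the standard schema values.

```powershell
# Added example: pre-flight checks for the Install-SharePointSyncConfiguration parameters.
# Requires the ActiveDirectory module (RSAT) on the MIM server.
Import-Module ActiveDirectory

# Schema GUIDs of the two replication extended rights.
$DsReplicationGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$DsReplicationGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Get-SyncParameters {
    # The ForestDnsName and domain DN that the article otherwise reads off by hand.
    [pscustomobject]@{
        ForestDnsName      = (Get-ADForest).Name
        OrganizationalUnit = (Get-ADDomain).DistinguishedName
    }
}

function Test-SyncAccountRights {
    param(
        # Illustrative account name (assumption); substitute the real sync account.
        [string]$SamAccountName = 'svc-mimsync'
    )
    $domain = Get-ADDomain
    $user   = Get-ADUser -Identity $SamAccountName
    $ntName = "$($domain.NetBIOSName)\$($user.SamAccountName)"

    # The AD: drive is provided by the ActiveDirectory module.
    $acl  = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ntName -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
    }
    $hasGetChanges    = [bool]($aces | Where-Object { $_.ObjectType -eq $DsReplicationGetChanges })
    $hasGetChangesAll = [bool]($aces | Where-Object { $_.ObjectType -eq $DsReplicationGetChangesAll })

    # Domain Admins membership is far more privilege than the AD MA needs.
    $groups = (Get-ADPrincipalGroupMembership -Identity $user).SamAccountName
    $isDomainAdmin = $groups -contains 'Domain Admins'

    [pscustomobject]@{
        Account                           = $ntName
        HasReplicatingDirectoryChanges    = $hasGetChanges     # required by the AD MA
        HasReplicatingDirectoryChangesAll = $hasGetChangesAll  # not needed; allows secret-attribute replication
        IsDomainAdmin                     = $isDomainAdmin
    }
}

$params = Get-SyncParameters
$rights = Test-SyncAccountRights -SamAccountName 'svc-mimsync'
$params
$rights
if (-not $rights.HasReplicatingDirectoryChanges) {
    Write-Warning "Grant 'Replicating Directory Changes' on $($params.OrganizationalUnit) to $($rights.Account) before running the sync."
}
if ($rights.HasReplicatingDirectoryChangesAll -or $rights.IsDomainAdmin) {
    Write-Warning "$($rights.Account) holds more privilege than user profile sync needs; use a dedicated least-privilege account."
}
```

The ACE check only looks for rights granted directly to the account; a right inherited through group membership will show as missing, which is acceptable here because a dedicated sync account should carry the right explicitly and nothing else.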
Run SharePoint Synchronization script
Now we are ready to run the SharePoint Sync script. Running it involves two steps:
- Import SharePointSync Module
- Run ‘Install-SharePointSyncConfiguration’ Command
After navigating to the directory containing the solution files, load the SharePointSync.psm1 module:
- Import-Module .\SharePointSync.psm1
Now we can finally run ‘Install-SharePointSyncConfiguration’, which configures MIM synchronization with SharePoint. It takes the following parameters.
- -Path
Directory containing the solution files and the sync script
- -ForestDnsName
AzureAD.Contoso.com (obtained earlier from the Get-ADForest command)
- -ForestCredential
Account that will be used to read objects from Active Directory. It must hold the Replicating Directory Changes permission on the domain to be synchronized. We use an AD administrator account here, but a dedicated service account holding only that right is the better choice: the credential is stored in the sync engine's AD connector, and the account needs neither Domain Admins membership nor Replicating Directory Changes All.
- -OrganizationalUnit
The distinguished name of the Active Directory container to be synchronized. We obtained it earlier from “Get-ADComputer $env:COMPUTERNAME | Get-ADPrincipalGroupMembership”.
- -SharePointUrl
SharePoint Central Admin URL
- -SharePointCredential
SharePoint Farm Account
The synchronization script below can be saved to a PS1 file, say ‘SharePointMIMSync.ps1’, and run from the console as ‘.\SharePointMIMSync.ps1’. The Central Admin URL and the trailing -SharePointCredential argument were cut off in the original listing; substitute your own Central Admin URL for the placeholder.

```powershell
# Account that reads AD; needs Replicating Directory Changes on the synced domain
$MIMSyncAccount = Get-Credential -UserName "AzureAD\AzureADAdmin" -Message "MIM Sync Account"
# SharePoint farm account, used to configure the User Profile service through Central Admin
$SPFarmAccount  = Get-Credential -UserName "AzureAD\SPFarmAccount" -Message "SP Farm Admin"

# Placeholder URL: the Central Admin URL was truncated in the original
Install-SharePointSyncConfiguration `
    -Path C:\SharePointMIMSync `
    -ForestDnsName AzureAD.Contoso.com `
    -ForestCredential $MIMSyncAccount `
    -OrganizationalUnit "DC=AzureAD,DC=Contoso,DC=com" `
    -SharePointUrl "http://<central-admin-url>" `
    -SharePointCredential $SPFarmAccount
```
On running the script, it prompts for the sync account, which we enter as shown below.
It also prompts for the SharePoint farm account, which we enter and confirm with OK.
This completes the SharePoint Synchronization configuration and we get the message below. It specifically says that before starting synchronization we should set the AD account password in the AD connector, which we do in the next section.
Run Synchronization Service Manager
Now we can open the Synchronization Service Manager to start synchronizing user profiles.
We can see two management agents in the Service Manager:
- ADMA - Active Directory Management Agent
- SPMA - SharePoint Management Agent
Click ADMA and go to the ‘Connect to Active Directory Forest’ tab. Here we specify the password for the sync account that holds Replicating Directory Changes on the domain; the configuration step above told us to set this before the first run.
Also ensure that the correct directory partitions are selected, otherwise the import will not pick up the intended objects.
Before running the synchronization command, restart the Forefront Identity Manager Synchronization Service (service name FIMSynchronizationService) so that it picks up the updated connector configuration.
Finally, run the SharePoint synchronization:
- Start-SharePointSync -Confirm:$false
It performs the import of user profiles, and the success status and run details are visible in the Synchronization Service Manager as shown below.
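The Synchronization Service Manager shows the run result, but on a server you usually want to confirm both management agents' last run from the same PowerShell session that kicked off the sync. The following added example (not part of the UserProfile.MIMSync solution) covers the last three steps above: it restarts the sync service, starts the sync, and then reads each MA's run status and import/export counters through the MIIS_ManagementAgent WMI class exposed by the FIM/MIM sync engine. The namespace, class and method names are those of the FIM WMI provider; the MA names ADMA and SPMA are the ones the solution creates; the literal "success" status string is an assumption to confirm against your own output.

```powershell
# Added example: restart the sync service, run the sync, and check MA run status via WMI.
# Assumes SharePointSync.psm1 is in the current directory, as in the steps above.
Import-Module .\SharePointSync.psm1

function Restart-MimSyncService {
    # Service name of the "Forefront Identity Manager Synchronization Service".
    Restart-Service -Name FIMSynchronizationService -Force
    (Get-Service -Name FIMSynchronizationService).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

function Get-MaRunSummary {
    param([string[]]$Names = @('ADMA', 'SPMA'))
    foreach ($name in $Names) {
        $ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                            -Class MIIS_ManagementAgent -Filter "Name = '$name'"
        if (-not $ma) { Write-Warning "Management agent '$name' not found"; continue }
        # Each WMI method returns an object whose ReturnValue carries the result of the last run.
        [pscustomobject]@{
            Agent        = $ma.Name
            RunStatus    = $ma.RunStatus().ReturnValue        # "success" on a clean run (assumption)
            ImportAdd    = [int]$ma.NumImportAdd().ReturnValue
            ImportUpdate = [int]$ma.NumImportUpdate().ReturnValue
            ImportDelete = [int]$ma.NumImportDelete().ReturnValue
            ExportAdd    = [int]$ma.NumExportAdd().ReturnValue
            ExportUpdate = [int]$ma.NumExportUpdate().ReturnValue
        }
    }
}

Restart-MimSyncService
Start-SharePointSync -Confirm:$false

$summary = Get-MaRunSummary
$summary | Format-Table -AutoSize

# Fail loudly if either agent's last run did not end in success.
$failed = $summary | Where-Object { $_.RunStatus -ne 'success' }
if ($failed) {
    $detail = ($failed | ForEach-Object { "$($_.Agent)=$($_.RunStatus)" }) -join ', '
    throw "Sync finished with problems: $detail"
}
```

Running this from a scheduled task gives the same pass/fail signal the GUI shows, and the per-agent counters make an unexpectedly large ImportDelete on ADMA visible before the corresponding deletes reach SharePoint.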
Summary
Thus, we saw how to rectify the version-check error in the solution that synchronizes Microsoft Identity Manager 2016 SP1 with SharePoint Server 2016, and how to configure and run the synchronization.