- 11/04/15--21:51: Condition based MVExtension Provision in FIM
- 11/05/15--18:30: Change FIM SSPR Q&A to FIM SSPR OTP SMS/Email
- 11/06/15--05:45: integrate FIM 2010 SSPR ot sms with sms gateway provider
- 11/06/15--10:53: MIM 2016 Certificate Management deployment guide?
- 11/06/15--17:03: Create a custom management agent by using FIM or MIM
- 11/08/15--00:52: ADFS for Oracle Taleo and Office 365
- 11/08/15--13:47: FIM Ninjas needed! Application details within.
- 11/09/15--18:39: MIM 2016 Phone Gate questions
- Does someone spell out the OTP?
- Are there only a few Phone providers this works with?
- or does it only tell you "Press the # key now to proceed"?
- or is this Phone Provider an Azure-only service that we have to pay for?
- 11/09/15--21:54: Enable lync user using FIM 2010
- 11/10/15--04:58: Error using PowerShell MA (Soren Granfeldt)
- 11/10/15--18:50: MIM 2016 future?
- 11/11/15--06:59: MIM 2016 Deployment
I am doing a One-Way sync into multiple customer forests from my MIM Forest. This allows engineers to log into Customer forests using their corporate credentials.
I have been using the two below custom expressions for my attribute flow of userAccountControl to either Enable \ Disable an account. It is working, but I realized I need to also flow "passwordNeverExpires" into userAccountcontrol.
IIF(Eq(employeeStatus,"Enabled"),512,514) (Initial Flow Only)
I need assistance figuring out the NEW custom expression to allow Enable\Disable with passwordNeverExpires always set. The initial flow custom expression below works. But I can't figure out the right value and bit operations for the 2nd custom expression that executes every cycle.
66048 is a normal account with the flag set for Password never expires
66050 is a normal disabled account with the flag set for Password never expires
I need assistance figuring out the NEW custom expression. The initial flow custom expression works. But I can't figure out the right values and bit operations for the (highlighted) 2nd custom expression that executes every cycle. Any assistance is appreciated.
IIF(Eq(employeeStatus,"Enabled"),66048,66050) (Initial Flow Only)
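Added example, not part of the original post and not a FIM expression: the bit arithmetic behind 512, 514, 66048 and 66050, in Python. It goes one step beyond the question by comparing a constant overwrite of the attribute with a flow that changes only the disable and password-never-expires bits; the function names and the sample smart-card account are constructed for illustration.

```python
# Added example (constructed values): userAccountControl bit arithmetic.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "NOT_DELEGATED": 0x100000,
}
ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]
DONT_EXPIRE_PASSWORD = UAC_FLAGS["DONT_EXPIRE_PASSWORD"]


def constant_flow(enabled):
    """The post's approach: overwrite the whole attribute with a constant."""
    return 66048 if enabled else 66050


def masked_flow(current, enabled):
    """Touch only the two bits of interest; keep every other flag as it is."""
    value = current | DONT_EXPIRE_PASSWORD   # always set 0x10000
    if enabled:
        value &= ~ACCOUNTDISABLE             # clear 0x2
    else:
        value |= ACCOUNTDISABLE              # set 0x2
    return value


def flag_names(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def lost_flags(current, new):
    """Known flags set before the flow that the new value no longer has."""
    return flag_names(current & ~new)


if __name__ == "__main__":
    # Constructed account: normal account that requires a smart card.
    current = UAC_FLAGS["NORMAL_ACCOUNT"] | UAC_FLAGS["SMARTCARD_REQUIRED"]
    for label, new in (("constant", constant_flow(False)),
                       ("masked", masked_flow(current, False))):
        print(label, new, flag_names(new), "lost:", lost_flags(current, new))
```

The constant flow silently drops SMARTCARD_REQUIRED from the constructed account, while the masked flow keeps it and still yields 66048 or 66050 for a plain 512 account.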
My scenario is a one way synch from the MIM resource forest where all user accounts exist and over time we will deploy AD MA's to more than 75 customer forests to sync accounts and passwords. This will take an extended period deploying and integrating all the MA's.
In my one way sync rules I have a default password set on initial flow to unicodePWD and 0 to pwdLastSet.
My user JGreen changes his password today and it flows to the current 5 outbound ADMA's.
Tomorrow, I deploy and integrate a new ADMA to another customer forest and run initial sync's. The JGreen account is created in the new forest using the default password.
Is there any cache that allows for the recently changed password to flow to the new account?
Or, I assume the correct answer is that I must wait for JGreen's next password change to occur so it is captured by the PCNS service and forwarded to FIM.
We are using Code based provisioning(MVExtension) in FIM Sync for provisioning users from FIM to Target MAs. We have one Source MA and two target MAs.
Based on some condition, we have to provision the users to targets. For example, if 'boolAttribute' (customAttribute) of a user is 'false' then we have to provision that user from FIM to TargetMA1 but not to TargetMA2. This we are handling in MVExtension by putting a check on boolAttribute and it is working fine. But for the same user, if boolAttribute changes to 'true' this should get provisioned to TargetMA2. How can we achieve this?
Thanks & Regards
Have a problem, 2 environments behave differently:
1. FIM version 4.1.3441.0 - seems that after adding a container to the MA scope (containers) delta import doesn't add it, it requires a full import
2. FIM version 4.1.3634.0 - here the delta import adds the newly added containers
I've included the version numbers because I assume that this was added in some newer version, however I'm not sure hence I wanted to ask here about this.
We currently have FIM SSPR deployed using the Question & Answer format.
We would like to change this to the FIM SSPR OTP SMS or Email method.
What is involved in this?
Should we simply uninstall the SSPR Q&A Portals and clean up the SSPR Workflows?
and then redeploy FIM SSPR, configure all users to auto-register for SSPR, integrate FIM SSPR with a SMS gateway (or an external email address) for the OTP delivery?
Well, is it?
We have installed FIM Reporting and amazingly data seems to be transferred from FIM to the Warehouse... and even more amazingly said data is visible in a FIMUserHistory report generated on the SQL server RS.
Now the mechanics are there, customer asks when a change is visible in the report? d'oh.
We have an incremental Reporting job running 24/7 every 8 hours at 00:00 08:00 and 16:00
We seem to have Datawarehouse extract jobs running 24/7 every 5 minutes.
My (customer's) question is.. if a FIM user is modified at 6am when is that change visible in a FIMUserHistory report?
I am working on SmsServiceProvider.dll to send an SMS OTP in the FIM server.
When I gave my SMS vendor URL in the SmsServiceProvider DLL, I got the inner exception as follows:
System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it xx.x.xxx.xx:xx
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
Same url when I use with a console application it is sending the sms. Please help me out for any solution or a workaround.
I have the question as in the title, need to limit the attribute list in UocFilterBuilder. Thought that this could be done by a filter permissions, however, filter permission is validated only after a request is submitted and I need a 'readable' filter builder on the GUI with only a limited set of attributes.
Was able to change that in the FilterBuilder.js however I don't like this solution and it has a lot of limitations.
Is there any way to accomplish this ? What are the alternatives ?
I thought about developing a simple control, but probably I could not integrate it with the default FIM create group screen, but would need to build the whole screen from scratch... and that's overkill.
I need to integrate FIM 2010 SSPR functionality with an SMS gateway provider.
I tried the Microsoft code but got no result.
Can anyone help me?
I've managed to get MIM 2016 installed and connected to AD. Things seems to be working good *knock on wood*. I'm now looking at installing the CM feature however there seems to be some lack of documentation for MIM 2016. I've tried following the 2010 deployment guide, however there are differences, especially when it comes to extending the Schema.
Is there anything that can shed light on this setup? This is my first Identity Management install, so total noob here.
We are very new to FIM/MIM, but hereby a scenario we wanted to deploy in our environment.
User Forest A - Exch2007
User Forest B - Exch2010
Resource Forest - Skype for Business 2015
We want to synchronize user from user forest A and B to Resource Forest as a disabled user and enable Skype for Business.
I've checked on TechNet; the statement is as below:
If you do not have Microsoft Exchange Server deployed in your resource topology, or Microsoft Exchange Server is deployed in a separate forest, then you must create a custom management agent by using Microsoft Forefront Identity Manager 2010 or Microsoft Identity Lifecycle Manager 2007 FP1 to synchronize the user accounts from the different forests as disabled user accounts to the forest where Lync Server is deployed
Is there anyone who can provide some guidance on "how to create a custom management agent by using FIM/MIM" for this scenario?
Thanks in advance!
I have an ADFS server configured currently to provide SSO for Oracle Taleo. Can I use the same server to provide SSO for Office 365?
If yes, how can I configure Office 365 with the same ADFS server? Are the configuration steps going to change, or do I simply follow the standard steps like we do for Office 365?
My ADFS server is on Windows Server 2012 R2, ADFS server version is 3.0
Senior Technical Consultant, MDS Computers
We need Wizards and warriors, of words and wisdom. Come forth, oh mighty techno-scribbler! Pass your knowledge to others! Show us what you know and let others learn from your journey.
Soon you may become a member of the Technet Wiki Ninjas, and can quickly grow and get promoted within our ranks!
All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.
Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!
This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!
HOW TO WIN
1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.
2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)
3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.
If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!
Winning this award in your favoured technology will help us learn the active members in each community.
Feel free to ask any questions below.
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!
Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!
I'm importing groups from an external source using two tables, one containing department and person objects and another defining which people are a member of which groups (each person is only a member of one group)
The groups are fine, the MA successfully creates "Departments" in the metaverse, with person objects linked in as members, but what I would like to do now is take the department description and place it into the user's "department" attribute.
Is it possible to use a single import flow to make changes to multiple metaverse objects? If so, how?
So MIM ships with a Phone Gate, which enables user authentication via telephone call.
Does this mean we have to integrate MIM (write a DLL) with a Phone Provider in the same way as when we integrate FIM with a SMS Gateway (write a DLL)?
Also, what actually happens on this phone call?
I wanted to enable Lync for a user when the user is provisioned in AD. I have FIM 2010, which is provisioning the users in AD.
I wanted suggestions on this:
1- I am planning to call the Lync PowerShell cmdlets in a metaverse extension when the user is created in AD.
2- Use the PowerShell MA for Lync enabling and disabling. Can anyone provide me the sample scripts for schema etc. for PSMA Lync?
Please advise which is the better method.
Any further suggestions?
I am trying to manage Lync 2010 with the PowerShell MA (by Soren Granfeldt). I have downloaded the latest version and the Lync sample scripts, and installed it using the script Install-PowerShellManagementAgent.ps1 from PowerShell.
I can see the PowerShell MA under create new management agent, but when I provide a name for the MA and click next I get the following error:
Synchronization Service Manager
Unable to retrieve configuration parameters from the extension: The extension could not be loaded.
After clicking OK, providing the schema path and clicking next, I get the following error:
Synchronization Service Manager
<error>The extension could not be loaded.</error>
Also I don't see an option to uninstall from appwiz.cpl.
I am running a PowerShell script to clear out a datetime attribute in the FIM portal. When $import-fimconfig is called, it is throwing the error "Attribute with value does not conform to a valid date time format". Here is the PowerShell snippet. $attributeValue = $NULL. What am I missing?
$importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$importChange.Operation = 2
$importChange.AttributeName = $attributeName
$importChange.AttributeValue = $attributeValue
$importChange.FullyResolved = 1
$importChange.Locale = "Invariant"
$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$importObject.ObjectType = $objectType
$importObject.TargetObjectIdentifier = $objectID
$importObject.SourceObjectIdentifier = $objectID
$importObject.State = 1
$importObject.Changes = (,$importChange)
$importObject | Import-FIMConfig -uri $uri
We (and many customers) have seen the Microsoft road map for MIM 2016, which is to be replaced by the AADConnect tool. AADConnect has no 'MIM Portal' equivalent; has no on-premise SSPR; has no Management Agents (other than AD and Azure). Not everyone is keen on the Cloud.
So the future for AADConnect as an On-Premise tool is looking grim... and we have had quite a number of customers stop all FIM/MIM projects and investigate alternative methods; so much so that we are also looking at these other products, just to have employment.
We know of some massive organizations throwing FIM/MIM out of the equation, and looking at Oracle, Dell, etc.
In our humble opinion, Microsoft has not done enough to calm their partners down and paint an IDM future for On-Premise customers.
Does anyone have any other information? What are we to tell our customers? What is the true roadmap?
I'm deploying MIM 2016 and I'm following the deployment guide here.
I reached the point to create the MIMMA, and in the Configure Object Type Mappings page for group I can't find the scope and type attributes under the Data Source Attribute.