Hi,

When a request is submitted to FIM, it associates the matching MPRs to be run as part of that request. I wanted to understand how these MPRs are executed.

1. Are these executed sequentially or in parallel? And is there any way I can control the order in which the MPRs are executed for a request?

2. I understand the Authentication workflows in an MPR are executed one at a time, the authorization workflows in parallel and the action workflows also in parallel. Does FIM combine all the workflows from the MPRs of that request and execute? Or does it execute workflows in one MPR first and then move to workflows of next MPR?

Thanks in advance.

Hi All,

I have a custom attribute in my FIM Metaverse schema which also has attribute flows defined in the management agents. This attribute holds a value for all "Group" objects in MV.

I removed all the defined attribute flows configured for this custom attribute and deleted this attribute from Metaverse using "Remove an attribute" in "Metaverse Designer". I do not see this attribute in MV but want to know if this attribute along with its values gets completely deleted from Metaverse Schema or will the values still exist for the groups? The reason why I am asking this is it did not take much of time to delete the attribute from metaverse although this attribute had a value for ~180,000 groups.

Can someone confirm me this?

Thanks,

Veena

In  a single domain forest e.g. forest is myplace.local and domain is myplace.The customer has just one DC running the show.

What benefits are there to use the AD Domain Services agent over the AD LDS agent?

Hi Folks,

I am not sure if this is the correct forum category to post my query. I posted on Partners Community and they forward me to here as it's consulting case.

 http://partnersupport.microsoft.com/en-us/mpnonline/forum/mpnolazure-mpnolwinazure/identity-manager-limitations-and-compatibility/e0ebcfb0-c70e-4516-a83c-729ab275c80f?tm=1458819438569

and here too https://social.microsoft.com/Forums/partner/en-US/a68874e4-34fe-4009-b796-daff736867ff/identity-manager-limitations-and-compatibility?forum=technicalqueries

Anyway I hope this is the correct Forum :D

A customer with 600 users would like to have a centralizing authentication and access permission in other terms roles based authentication, single sign on.

Customer current production apps "in-house applications + IFS-ERP + Web Apps + Sharepoint 2016 as a document library "will be installed" + McAfee endpoint encryption for laptops owners "100 user".

Question 1 # What's the best solution for the customer needs MIM? or there's another Product/Cloud Servers.

Question 2 # Regarding the compatibility with 3rd party applications such as McAfee Endpoint Encryption is it compatible? and how can I tell if it's supported or not with his other 3rd party apps and web sites.

Question 3 # is their any MIM Client will be installed on the clients machines laptops or workstations? and if "YES" is there a limitation with the client OS version as a minimum requirements for clients? I checked this page https://technet.microsoft.com/en-us/library/mt613167.aspx but still I am not sure about the client side.

Question 4 # SharePoint 2016 supported or not for the MIM Portal and also to integrate with as a Document Library for the whole company to use.

Question 5 # what is the best solution for him on-prime or cloud? note customer internet connection microwave 10mb.

Question 6 and last # there's no hardware recommendations for MIM 2016 .. only FIM 2010 and only mentioned the Memory as Minimum 8GB. where I can get this info? for example disk space recommendations and CPU needs !

Hi all,

I was running an openLDAP MA in my FIM 4.0.2592.0, and it used to work well.

To solve a memory leak, I installed the hotfix 4.0.3644.2, but than I'm having a weird issue with my openLDAP MA.

I have a rule extension that uses the CSEntry "hierarchy" attribute, with the following rule :

mventry["departmentHierarchy"].Value = csentry["hierarchy"].Value;

This code used to work well before the hotfix, but now it can't see the csentry hierarcgy attribute (and it's present and valued for all my entries).

At the moment I don't have any clue to where to start looking, can someone please help me to find out what is happening?

Thanks in advance for all your help,

Marc

Hello All:

I worked with FIMOV tool to retrieve all the documentation of production environment, all worked fine, but when I try to get MA-DATA information I got "undefinitely issue" and the data doesnt load.

Someone takes the same issue? and knows how to fix it? Thanks

Regards

Hi,

In FIM, when I submit a Create request, it creates multiple FIM requests internally to process. Each request will have multiple MPRs
associated with it. I want to track the status of these requests and send the status back to the caller to display appropriate error message.
But the challenge is the MPRs are run in parallel. So how do I track the MPRs (or rather any failure in the activities) and collate the response from each and send to the caller so that in the caller I can decide if the request was successful or failure?

Basically I should be able to send any error in the activities to the caller. Since multiple activities will be running for each request, multiple responses received from activities for single request should be mapped to that request.

Hello,

So here is the setup

Only the AD and FIM MA are configured

FIM Portal Declarative Import rule from AD to FIM - with all the standard attributes including phone, mobile, office
FIM Portal Declarative Output rule from FIM to AD - with only phone, mobile, office

FIM MA configured with Import and Export attribute flows for phone, mobile, office
Export only for everything else

Equal precedence configured on phone, mobile and office in FIM Sync

Users will be created in AD outside of FIM

Users need to update their phone, mobile, office using the FIM Portal

What should my run sequence be?

After the initial Full Import loads I can't find an order that will get Delta Import/Delta Sync run profiles to reliably flow changes from the FIM Portal to AD

Ideally I want to capture everything from AD, provision to FIM Portal and then if there are changes in FIM Portal feed these back to AD. If either phone, mobile or office are updated in AD I am happy for the change to be lost... it should be done through the FIM Portal

A wonderful week of news and new technology advances from Build this week have filled our minds with new possiblilities!

So much to play with!

Can you help us document some of the new features coming out over the next year?

Do you have a good grasp on how we should now be doing that thing that we do?

Did you find a knowledge gap in the web for the new features now available?

This is a great chance to jump into the TechNet Guru competition and stamp your authority on your favoutrite subject.

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations toTechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Below are February's mighty winners and contenders. We should have March's winners by about mid month.

BizTalk Technical Guru - February 2016

Forefront Identity Manager Technical Guru - February 2016

Microsoft Azure Technical Guru - February 2016

Miscellaneous Technical Guru - February 2016

SharePoint 2010 / 2013 Technical Guru - February 2016

Small Basic Technical Guru - February 2016

SQL BI and Power BI Technical Guru - February 2016

SQL Server General and Database Engine Technical Guru - February 2016

System Center Technical Guru - February 2016

Transact-SQL Technical Guru - February 2016

Universal Windows Apps Technical Guru - February 2016

Visual Basic Technical Guru - February 2016

Visual C# Technical Guru - February 2016

Wiki and Portals Technical Guru - February 2016

Windows PowerShell Technical Guru - February 2016

Windows Presentation Foundation (WPF) Technical Guru - February 2016

Windows Server Technical Guru - February 2016

Good luck!
Pete Laker

#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over toTechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes o become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

Hello,

Can someone confirm whether it is possible that end user can self unlock AD accounts in FIM 2010 R2 version 4.1.3613.0 ?

And what are the limitations associated with this?

Thank you in advance.

Regards,

Suman

I am calling a powershell activity using FIM WAL 2010 R2. The powershell works fine if I run it manually but if I call it via FIM WAL, it is throwing an error. what could be the reason. I have attached the powershell and error message.

function SendEmailNotification2
{
[System.Reflection.Assembly]::LoadFile("\\FIM\Portal-Sync-Scripts\notify\SignCreds\Cpi.Net.SecureMail.dll") | Out-Null
$objCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$objCert.Import('cer','pwd',)
[string]$strSmtpServer  = "SERVER"
[string]$strSmtpPort    = "PORT"
[string]$strFrom        = "from"
[string]$strFromAlias   = "name"
[string]$strTo          = $emailto
[string]$strToAlias     = $DisplayName
[String]$strSubject =   "sub"
[string]$strBody        = $strbody
$objEnc = $null
$objMail = New-Object Cpi.Net.SecureMail.SecureMailMessage
$objFrom = New-Object Cpi.Net.SecureMail.SecureMailAddress($strFrom,$strFromAlias,$objEnc,$objCert)
$objTo   = New-Object Cpi.Net.SecureMail.SecureMailAddress($strTo,$strToAlias)
$objMail.From = $objFrom
$objMail.to.Add($objTo)
$objMail.Subject = $strSubject
$objMail.Body = $strBody
$objMail.IsBodyHtml = $TRUE
$objMail.IsSigned = $TRUE
$objMail.IsEncrypted = $FALSE
$objSMTPClient = New-Object System.Net.Mail.SmtpClient($strSmtpServer,$strSmtpPort)
$objSMTPClient.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$objSMTPClient.send($objMail)

}

Hi,

Getting my feet wet with the Granfeldt Powershell MA, what a great piece of kit.

One thing I can't figure out...:

When exporting, how can I get access to connectorspace attributes other than anchor and the changed attribute value?

Example: I need to use the attribute UserPrincipalName, but it is not the DN. $_.UserPrincipalName returns blank:

    $EmployeeId = $_.DN #expected value
    $UserPrincipalName = $_.UserPrincipalName #blank, wtf

Why? And how do I get hold of that value form the connectorspace?

I GOT $100.00 I8F ANYONE IS AROUND imperIAL BEACH AREA, I NEED HELP NOW I HAVE ALL OF THE LOGS AND EVENTS OPEN I H]JUST DONT KNOW WHAT IM DOING 5 MIN $100.00 PLEAS EHELP

We currently have FIM 2010 R2 GALSync working between a "Main" Forest (where the FIM server resides) and a "Second" forest. These are separate ADs from two different companies.

We are now looking to use GALSync to sync with a "Third" forest. We would like to sync All the GALs so Main, Second, and Third organizations have GALs that are synced.

When I add the Third MA, if I select the org unit that contains the cross-forest mail contacts that were synced from "Second" to "Main" will those mail contacts be synced over to "Third"? If not, how do I sync between "Second" and "Third"?

I am currently working on doing some implementations using the great Granfeldt Powershell MA. 

I have schema, import and export working, but face a problem with export when I want to use attributes in connectorspace to perform something, not just updating. Like for executing a powershell command, where I need both the userprincipalname and the location, or something like that.

I have created a simple example MA just for the purpose of testing this issue. It manages ContactInformation from a database (email, phone) and accepts the first and lastname back from the FIM metaverse from other source. I use the latest Powershell MA. 

The problem is in export.ps1 (shown later in this post), in the line that says...:

$ExternalEmail = $_.ExternalEmail

I would expect this value to be filled with the value from the connectorspace, but it is just blank. There is a value in there, this is not the first time it runs or anything like that. I see the same approach used in the Lync samples for Powershell MA, so I assume I am doing something wrong somewhere else.

Can you please help by telling me what I am doing wrong?

This is the pending export I test with:

Database: 

schema.ps1

$obj = New-Object -Type PSCustomObject
$obj | Add-Member -Type NoteProperty -Name "Anchor-EmployeeId|String" -Value "000000"
$obj | Add-Member -Type NoteProperty -Name "objectClass|String" -Value "user"
$obj | Add-Member -Type NoteProperty -Name "Phone|String" -Value "+99 9999999"
$obj | Add-Member -Type NoteProperty -Name "ExternalEmail|String" -Value "some@email.com"
$obj | Add-Member -Type NoteProperty -Name "LastName|String" -Value "firstname"
$obj | Add-Member -Type NoteProperty -Name "FirstName|String" -Value "lastname"
$obj | Add-Member -Type NoteProperty -Name "CreatedOn|String" -Value "2016-04-06 13:46"
$obj | Add-Member -Type NoteProperty -Name "ModifiedOn|String" -Value "2016-04-06 13:47"
$obj

import.ps1

param (
    $Username,
	$Password,
	$OperationType
    )

$DebugFilePath = "C:\PSMA\ContactInfo\ImportDebug.txt"
    if(!(Test-Path $DebugFilePath))
        {$DebugFile = New-Item -Path $DebugFilePath -ItemType File}
    else
        {$DebugFile = Get-Item -Path $DebugFilePath}"Starting Import : " + (Get-Date) | Out-File $DebugFile -Append

$ConnectionString = "Data Source=localhost;Initial Catalog=TestDatabase;Integrated Security=True";

$Connection = New-Object System.Data.SQLClient.SQLConnection
$Connection.ConnectionString = $ConnectionString
$Connection.Open()
$Command = New-Object System.Data.SQLClient.SQLCommand
$Command.Connection = $Connection

$SQL = "SELECT * FROM ContactInfo"

$Command.CommandText = $SQL

$Reader = $Command.ExecuteReader()

While ($Reader.Read())
{
    $obj = @{}

    $obj.Add("objectClass", "user")
    $obj.Add("EmployeeId", $Reader[“EmployeeId”])
    $obj.Add("Phone", $Reader[“Phone”])
    $obj.Add("ExternalEmail", $Reader[“ExternalEmail”])
    $obj.Add("FirstName", $Reader[“FirstName”])
    $obj.Add("LastName", $Reader[“LastName”])
    $obj.Add("ModifiedOn", $Reader[“ModifiedOn”].ToString("o"))
    $obj.Add("CreatedOn", $Reader[“CreatedOn”].ToString("o"))

    $obj
}

$Connection.Close()

export.ps1 (most of which is debug code)

param (
    $Username,
    $Password
    )

BEGIN
{
    #Writing Start tag in Debug File.
    $DebugFilePath = "C:\PSMA\ContactInfo\ExportDebug.txt"

    if(!(Test-Path $DebugFilePath))
        {$DebugFile = New-Item -Path $DebugFilePath -ItemType File}
    else
        {$DebugFile = Get-Item -Path $DebugFilePath}

    "Starting Export : " + (Get-Date) | Out-File $DebugFile -Append
}

PROCESS
{

	#Initialize Parameters
	$Identifier = $_.Identifier

	$EmployeeId = $_.DN
    $FirstName = $_.FirstName
    $ExternalEmail = $_.ExternalEmail

    "Firstname: '" + $Firstname + "' " + (Get-Date) | Out-File $DebugFile -Append"ExternalEmail: '" + $ExternalEmail + "' " + (Get-Date) | Out-File $DebugFile -Append

	$ErrorName = "success"
	$ErrorDetail = $null
	$date = Get-Date -Format "yyyy-MM-dd""Processing : " + $_.DN | Out-File $DebugFile -Append"No of Changes : " + $_.ChangedAttributeNames.Count | Out-File $DebugFile -Append

	#Loop through changes and update parameters
	foreach ($can in $_.ChangedAttributeNames)
		{# $can : ChangedAttributeName
		foreach ($ValueChange in $_.AttributeChanges[$can].ValueChanges)
			{
				if ( $can -eq 'FirstName' ){$FirstName = $ValueChange.Value}
				if ( $can -eq 'LastName' ){$LastName = $ValueChange.Value}
			}
		}

	"Firstname: '" + $Firstname + "' " + (Get-Date) | Out-File $DebugFile -Append #Now has a value, if the attribute changed"LastName: '" + $LastName + "' " + (Get-Date) | Out-File $DebugFile -Append #Now has a value if the attribute changed

	#Verify changetype.
	if ($_.ObjectModificationType -eq 'Add')
		{
			throw "Add modification are not supported"
		}

	if ($_.ObjectModificationType -eq 'Delete')
		{
			throw "Delete modification are not supported"
		}

	#Supported ChangeType is Replace
	if ($_.ObjectModificationType -match 'Replace')
		{
			$ConnectionString = "Data Source=localhost;Initial Catalog=MiisInput;Integrated Security=True";

			$Connection = New-Object System.Data.SQLClient.SQLConnection
			$Connection.ConnectionString = $ConnectionString
			$Connection.Open()
			$Command = New-Object System.Data.SQLClient.SQLCommand
			$Command.Connection = $Connection

			$SQL = "UPDATE ContactInfo SET LastName = @LastName, FirstName = @FirstName, ModifiedOn = GETDATE() WHERE EmployeeId = @EmployeeId"

			$Command.CommandText = $SQL

			$Command.Parameters.Add("@EmployeeId", [System.Data.SqlDbType]::VarChar, 50) | Out-Null
			$Command.Parameters.Add("@LastName", [System.Data.SqlDbType]::VarChar, 50) | Out-Null
			$Command.Parameters.Add("@FirstName", [System.Data.SqlDbType]::VarChar, 50) | Out-Null

			$Command.Parameters[0].Value = $EmployeeId
			$Command.Parameters[1].Value = $LastName
			$Command.Parameters[2].Value = $FirstName

			$Command.ExecuteNonQuery() | Out-Null

			$Connection.Close()
		}

	#Return the result to the MA
	$obj = @{}
	$obj.Add("[Identifier]",$Identifier)
	$obj.Add("[ErrorName]",$ErrorName)
	if($ErrorDetail){$obj.Add("[ErrorDetail]",$ErrorDetail)}
	$obj
}

END
{
	"Ending Export : " + (Get-Date) | Out-File $DebugFile -Append
}

Regards,
Manuj Khurana

Hi All,

I am writing here to have knowledge about MIM 2016 upgrade. I need help !

I have FIM 2010 R2 version 4.1.3613 in my environment currently and need to upgrade to MIM 2016, So which of the following is correct procedure ?

1) upgrading directly to MIM 2016 ?

2) upgrading first to FIM version  4.1.3721 and then to MIM 2016 ?

Regards,

Suman

I have installed MIM 2016 Password Reset and Registration Portals and all of the functionality is working as intended when I have one authentication gate. But when I add multiple authentication gates in the "Password Reset AuthN Workflow" such as QA gate, Email OTP and SMS OTP gates, users need to register all of these gates and they need to pass them one by one when they are resetting their passwords. Is there a way to make only one gate required so that users do not need to register all of them? On Azure (as explained here https://blogs.technet.microsoft.com/ad/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium/) you can pick the number of required contact methods, I was wondering if a similar functionality is available on MIM/FIM SSPR portals.