Are you the publisher? Claim or contact us about this channel

Embed this content in your HTML


Report adult content:

click to rate:

Account: (login)

More Channels

Channel Catalog

Channel Description:

This forum is for IT Professionals who have questions/issues or other feedback about Forefront Identity Manager (FIM) 2010 suite
    0 0

    I'm trying to connect the sync service to a SQL Azure database.  I'm not having luck.

    Searching online, I can't find a specific statement about the default SQL MA and whether it supports Azure SQL.

    Does anyone know that answer?

    I'm seeing chatter about SQL Azure with ECMA's and a generic connector, plus I see an open source MA option, plus SQL Azure MA's from partners.  All of that tells me the native FIM SQL MA doesn't support Azure, but again, I'm looking for confirmation.


    0 0

    Does anyone know if there is a way in MIMWAL or otherwise, without writing custom code, to compare one attribute against a myltivalue attribute.

    I have a request with multiple approvers. I want to compare if Requestor is anyone of the approvers.



    Nosh Mernacaj, Identity Management Specialist

    0 0


    One of my customers recently upgraded their FIM 2010 R2 to MIM 2016 SP1. It seems that their password reset SMS Gate stopped working. They had implemented SMSServiceProvider.dll using gate from their telecom (and it was working fine). All the phones are registered in format: 00971xxxxxxxxx

    Right now instead of sending SMS we have error in the log coming from Azure MFA complaining that telephone number doesn't contain international code. It looks like it switched to use Azure MFA instead of previously used SMSServiceProvider.dll.

    How can we switch it back?

    Borys Majewski, Identity Management Solutions Architect (Blog: IDArchitect.NET)

    0 0

    Hi Everyone,

    i wish to know how MIM can confirm user Creation\Modification in AD to an External System (e.g. HR Application)having a Web Services API). So need to send say SOAP Message back to External System on the status of the provisioning\modification in AS

    Thanks in anticipation for your help


    0 0

    In order to clean up the disconnected objects from SQL MA, I did the following steps

    1.I manaully projected them from MA's Connector space into Metaverse by applying projection rules.

    2. I imported end dates and names via import rules.

    3. I created a set that transitions in the objects that have end dates less than sys date (obviously these objects will transition in to the set)

    4. Created a MPR that will remove the particular MA's ERE whenever an object is transitioned in to the set.

    5. Tried this by doing the following steps.

                  i)  Individually preview'd and commited accounts.

                  ii) Objects stood for export in FIM MA, ran Export on FIM MA

                  iii) DIDS on FIM MA

                  iv) When I see the search requests in FIM portal, i can see that the MPR is triggered but it didnt removed.

    Could anyone please help me out. Have I missed anything?

    0 0
  • 01/31/17--22:10: Azure AD Connector
  • My requirement is to sync HR database(SQL Server on-prem) to Azure AD. I am using FIM 2010 and Windows Azure AD Connector. I am able to establish sync and all works just fine. Since this MA don’t support any password management scenario I am running PS script to set password for new accounts outside FIM. That also works well.

    Next user is asked to change password during first logon. As soon as user submits new password he gets this error: “Your organization doesn’t allow you to change your password on this site. Please change your password according to the method recommended by your organization, or ask your admin if you need help.”

    May I know how could I allow the user to change his password?  Am I missing something, any workaround?


    Shobhit Vaish

    0 0

    I am using MIM 2016 and for provisioning AD I use a MPR / Set / Workflow. The MPR is set for transition in triggering the workflow

    In the workflow I have used some MIMWAL including Generate Unique Values (for accountname) and Function to populate WorkflowData parameters (vAccountName, vHomeDirectory)

    In the workflow I then use an update resources to set the Target/AccountName to the workflowdata/AccountName value 

    In the sync rule I flow the AccountName to sAMAccountname and also the WorkflowData/vHomeDirectory

    The problem I have is that any value that is set through a Workflow parameter when used in the sync rule has a final value of null

    Have been over everything several times and tried different ways but still the same issue. 

    I do need to set these values in the workflow as opposed to the sync rule directly so looking for the solution more so then a workaround please

    0 0
  • 02/01/17--03:43: PCNS error
  • Hi,

    We are using Forefront Identity Manager to sync 2 Active Directory domains.

    Let's call it DomainA and DomainB. A FIM server has been installed in the DomainA. Users and groups are synced between DomainA and DomainB, all works great.

    Now we want to use password sync from B to A. As mentioned in, PCNS agent has been installed on all domain controlers for B.

    Password change from DomainB (which does NOT hosts FIM Server) to DomainA = error.

    We have configured FIM as explained, created a SPN entry on DomainB and target.

    But when a password is changed on DomainB, it is captured by PCNS, and send to the FIM server (domainA) and the errors occurs :  Status is -2146893053 -  The target is unknown

    On server side, we can find this log : An error has occurred during authentication to the password notification source.

    0x80070534: no mapping between account names and security IDs...

    Indeed, when configuring spn, we created on domain B

    setspn.exe -a PCNS/server.domainb.local DOMAINB\MIMSync which may be unknown on domain A.

    What should be the way to sync password when the FIM server is not in the source domain ?


    Emmanuel IT

    0 0

    I'm syncing GAL's between two Exchange organizations and I'd like the contact in each Forest to have something appended to the Display Name so they stand out.  Is this possible to do?

    0 0

    I tried to reset my password via FIM SSPR and I was able to successfully register for a password reset but unable to reset the password, while doing it I am getting error like access denied.

    Kindly assist me in this.


    0 0


    My current FIM 2010 RTM installed on server 2008 and CA's are 2008 R2.

    I use FIM CM only.

    I have Installed new CA's hierarchy (2012 R2) and copied the certificate templates settings as I needed.

    I plan to upgrade to FIM 2010 R2 SP1 on server 2012 R2, from what I could find, the upgrade is supported. but I couldn't find any other documentation about side-by-side migration since I want to install the FIM 2010 R2 SP1 on a fresh vanilla server 2012 R2.

    I have several questions regarding the desired configuration:

    1. I need to Install FIM RTM on the vanilla server 2012 R2 before installing the FIM 2010 SP1? any documentation/guidelines for FIM upgrade process and DB upgrade will be much appreciated!

    2. after the FIM upgrade to 2010 R2 SP1, I'm planning to change the Certificate Template in an existing smart card Profile Template, this certificate template will be from the new (2012 R2) CA's hierarchy. after I will do so, I will be able to renew smart card certificates through this "updated" profile template?

    I hope I'm understandable :)

    thanks in advance!


    0 0

    February 2017 Guru, it’s time to share great skills as a TechNet Wiki article and WIN medal(s). Medals? Yes, you can share multiple articles in the same or different categories! Now, navigate to TechNet Guru Competition February 2017 to choose your categories and if it’s not listed add your content in Miscellaneous Category!

    All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

    A snippet you share can make you a February 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!


    1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.
    2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).
    3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

    If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

    Winning this award in your favorite technology will help us learn the active members in each community. 

    Feel free to ask any questions below.

    More about TechNet Guru Awards.


    If my reply is helpful please mark as Answer or vote asHelpful.

    My blog | Twitter | LinkedIn

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    0 0


    I have a task to manage user accounts and assign/revoke a licenses for Office365 users.

    This is my first expirience with such integration, so, as I understand I need to do 2 main tasks:

    1. Import current licensing information

    2. Assign and revoke licenses with information regarding user plans in metaverse.

    So, now I'm trying to make first part to work.

    I get this article:

    and trying to run full import run profile, but I getting this error:

    DN is unavailable / missing-anchor-value / No value provided for anchor attribute

    In this thread

    I found what the problem can be in import script, but script already have a such statement ($obj2.Add("objectClass","LicensePlans")), so I think that this is not a problem.

    Any ideas?



    0 0


    I can't seem to find any information regarding delegating access (RBAC) to Skype for Business across a forest trust ("bastion forest"). Have anyone of you tried this and succeeded? 

    Just creating a PAM group of the CsAdministrator group does not work (the group membership is listed by whoami /groups as expected when logged on) and I don't see an equivalent of Microsoft Exchange's "LinkedForeignGroup". 

    Any tips, thoughts or ideas?


    0 0

    We need to build somehow a connector filter rule to filter on a Date attribute.

    The oob basic criteria option has things like Ispresent, Startswith Equals and so on. Nothing like IsAfter IsBefore.

    I understand we need write code in the FilterforDisconnection Method... but where is an example? Hunted all over with Google and Bing but no luck.

    Has anyone an example I can use as a basepoint?

    0 0


    i need your help to configure/synchronize specific information from HR to FIM Portal, then to AD attribute: the specific information which we need to upload it in AD (in departement attribute) is "the Residence" from HR DB.

    We configured already the synchronization rules  as described below,and  the attribute flow which configured on AD MA and HR MA.

    1. HR to FIM Portal synchronization rule


     2. FIM to AD synchronization rule:

     The attribute flow are configured as below (on AD Management agent and HR Management agent):








    HR HR MA:




    0 0
  • 02/03/17--12:44: LDAP query to Xpath filter
  • We are doing a conversion from a system that uses LDAP queries for setting dynamic groups, is there a way to convert these queries into Xpath filters easily, or do I have to do it manually for the groups?

    I know that the languages have similarities, but have yet to find a way to easily do it for the 7000 groups I am converting

    Russell Lema

    0 0


    Can somebody explain some MPR logics?

    I have MRP (Transition In) + Workflow for AD provisioning users. They are using sync rule with Initial flow for password generation for users and emails to manager with account information. I’m using a set with static defined user set (with employeeID numbers)


    As I understand if I make “Disable” and “Enable” at MPR I will get reapplied MPR, right? Moreover, all my users will receive new passwords and managers will receive emails. This is not acceptable, because system is going to production.

    I need to change my test static set to “All People” production set, how it can be safely done? Thanks!


    0 0

    So, we are running a C# code with MIM 2016 SP1 using FIM 2010 Granfeldt Workflow Activity Library.

    The code itself should work because it works with FIM 2010 R2 and also FIM 2010 R2 updated to MIM 2016 (not SP1).

    Are there any known compatibility issues between MIM 2016 SP1 and FIM 2010 Granfeldt Workflow Activity Library?

    See the error messsages:

    Couldn't compile Compile Error: CS2032 in Ln 0 Col 0-Character '
    Evet Viewer:
    System.Exception: Couldn't compile
    Compile Error: CS2032 in Ln 0 Col 0-Character '
       at Granfeldt.FIM.ActivityLibrary.CodeRunActivity.CompileCode_ExecuteCode(Object sender, EventArgs e)
       at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e)
       at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext)
       at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
       at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
       at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
       at System.Workflow.Runtime.Scheduler.Run()

    0 0


    I was attempting to add a basic text box, bound to an attribute I've mapped to the Group objects ("groupType"), to the group creation RCDC.  All I did was copy the existing Description control, paste that under the Description control and change the "description" values in the new control node to my new attribute "groupType".  But, when I imported the new RCDC, my new control showed up in the RCDC, like I expected, but the MembershipType control disappeared. I went back to the original RCDC (I exported and saved it off before I started changing it).  My "groupType" attribute is gone, as I expected, but so is the MembershipType control. So, I'm stuck. I don't know what to do to get those three radio buttons back. I've restarted IIS, rebooted the MIM server, and still no membership type control on the RCDC.

    Any ideas?