Using FIM Portal as administrative tool for AD

In the April FIM Team User Group meeting I talked about how to use the FIM Portal as an administrative tool using just the built-in OOB functionality in FIM.
If you have any questions regarding this session, please comment on this post.

Training for Microsoft Identity Manager

The syllabus for the next version of my FIM/MIM training is now starting to take shape. After the summer, delivery of my new Mastering Microsoft Identity Manager class will start.

In co-operation with partners like Labcenter in Sweden and TrueSec Inc in the USA I will also make this training available as a remote class.

For all my customers in the US, I am happy to announce that we are planning to have a classroom training available in Seattle around October/November… Stay in touch for final dates.
[EDIT 2015-04-25] The first date for training in US (Redmond, WA) is now set to Oct 27-29 2015. Register here.

FIM MVP 2015

I am happy to announce that I have been awarded MVP for FIM/MIM as of April 2015!
Or as it said in the email…
Dear Kent Nordstrom,
Congratulations! We are pleased to present you with the 2015 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Forefront Identity Manager technical communities during the past year.


FIM 2010 licensing changing

In April 2015 the licensing model for FIM is changing. Basically you can say that FIM synchronization service is now free!
Read this blog by Peter Geelen for more information, or download the Microsoft Product Use Rights (WW, English, April 2015) document.

FIM 2010 R2 Pre-Requisites

Installing a complete FIM 2010 R2 environment is not an easy task. Lots of things can go wrong. A FIM setup might, for example, use almost any number of servers. In this post I give you access to scripts and configuration files required to do all FIM 2010 R2 pre-requisites in a typical 4-server FIM deployment.

In the FIMScriptsAndCode.zip you will find PowerShell scripts to create service accounts, configure Kerberos, configure SQL ports and aliases among other things. You will also find ini-files to perform unattended setups of the SQL servers used by FIM. Basically everything you need to do before you can start the installation of FIM.

In the Installation folder in the download package you will find a ReadMeFIRST.txt file that explains the order in which to perform the steps. Please note that many of the scripts and configuration files require editing to match the target environment.

In the RulesExtension folder you will find a simple code example showing how to use a rules extension in FIM to import the last logon timestamp from AD into FIM. This is one of the things I show in my FIM 2010 R2 Video Course, and this gives the viewers of that course a chance to download the example.

FIM Team User Group presentation

At the FIM Team User Group meeting in March I held a session about how to use less code in FIM solutions.
If you have any questions regarding this session please comment on this post.

Finding Managers in FIM 2010

When working with FIM 2010 we often use Reference attributes like the Manager attribute. But in FIM we cannot create a corresponding Set containing all referenced Managers: the XPath filter simply doesn't allow this kind of reference lookup.

So what if I would like a Set or a Group containing all Managers? How do we solve that problem?

In this post I will show you one way of doing this, but please remember that there are many variations of this you could use.

Add IsManager to Schema

First we add a new boolean attribute "IsManager" to the schema in FIM. Depending on how you plan to use this you might need to add it to both the FIM Service and the FIM Synchronization Service schema.
As you probably know, this step also involves creating a binding and adding the new attribute to the Filter Permissions.
You will also need to add it to some MPRs to allow management of this new attribute.
Once we have this new boolean attribute, creating a Set and/or a Group is reduced to looking at this boolean value.

Manage the IsManager flag

The problem is now to have some kind of activity that sets the IsManager attribute to "true" when a manager is configured on a user.
This can be done using a PowerShell Workflow activity. I show you a solution working with the PowerShell Workflow Activity you can download from CodePlex. The PowerShell script I use in the activity can be downloaded here: UpdateIsManager.

PowerShell Activity

Let’s look at the PowerShell script I use to understand what it does and how it works.

First we set the basics like URI and load the FIMAutomation snapin.

# FIM Service endpoint used by the FIMAutomation cmdlets
set-variable -name URI -value "http://localhost:5725/resourcemanagementservice" -option constant
# Load the FIMAutomation snapin only if it is not already loaded
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

We then get the object that has been changed. Note that I use "/*" in the XPath: since I look the object up by ObjectID there can be no duplicates, so I don't need to specify the object type.

$exportObject = export-fimconfig -uri $URI -onlyBaseResources -customconfig ("/*[ObjectID='{0}']" -F $fimwf.TargetID.Guid)

From the modified user we read the Manager attribute to get the “target” for our change.

$target = $exportObject.ResourceManagementObject.ResourceManagementAttributes | Where-Object {$_.AttributeName -eq "Manager"}

We then build the importChange to set the IsManager attribute to true.

$importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$importChange.Operation = 1            # 1 = Replace (single-valued attribute)
$importChange.AttributeName = "IsManager"
$importChange.AttributeValue = $true
$importChange.FullyResolved = 1        # value is a literal, no lookup needed
$importChange.Locale = "Invariant"

Finally we import the change on the target user. The Manager reference value is the "urn:uuid:…" identifier of the manager, which is exactly what the ImportObject expects.

$importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$importObject.ObjectType = "Person"
$importObject.TargetObjectIdentifier = $target.Value   # the referenced manager
$importObject.SourceObjectIdentifier = $target.Value
$importObject.State = 1                                # 1 = Put (modify an existing resource)
$importObject.Changes = (,$importChange)
$importObject | Import-FIMConfig -uri $URI

If you apply this logic to a multi-valued reference attribute, the script needs to be extended with a loop like the one below to apply the change to all referenced objects.

ForEach($value in $target.Values)

The importObject's TargetObjectIdentifier and SourceObjectIdentifier would then just be $value within the loop. Also note that if the Manager attribute was cleared rather than changed, $target is empty and the import should be skipped.

The MPR

The MPR to trigger this Workflow is just a simple Request MPR that fires whenever someone changes the Manager attribute on any user.

What about deletes?

As you can see, this solution will only make sure that IsManager is set to true for all referenced managers. It will not set it to "false" when they are no longer referenced. The problem is that if you were to detect the removal of a manager you cannot simply set it to false, since that manager might still be referenced on other users. Doing that lookup, to verify this was the "last" reference, is quite costly from a resource perspective and I don't think it's a good idea to do it as part of the workflow activity.

I think a good approach to setting IsManager to "false" is to have a maintenance job running a PowerShell script that verifies that all users with IsManager="true" are indeed still referenced. That PowerShell script will however have to wait for another post, another time.
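As an added example (this is not the script from the original post, nor the deferred maintenance job), here is one way to put both halves together: the activity logic from the PowerShell Activity section, extended to handle a cleared or multi-valued Manager, and a reconciliation job of the kind described above that clears the flag on managers nobody references any more. It assumes the FIMAutomation snap-in, an IsManager boolean bound to Person, the $fimwf variable provided by the CodePlex PowerShell Workflow Activity for the activity path, and that the account running the maintenance job has MPRs allowing it to modify IsManager. The function names are my own.

```powershell
# Added example, not the original post's script. Assumes the FIMAutomation snap-in,
# an IsManager boolean bound to Person and, for the activity path, the $fimwf
# variable exposed by the CodePlex PowerShell Workflow Activity.
Set-Variable -Name URI -Value "http://localhost:5725/resourcemanagementservice" -Option Constant
if (@(Get-PSSnapin | Where-Object { $_.Name -eq "FIMAutomation" }).Count -eq 0) { Add-PSSnapin FIMAutomation }

# Build a Put request that sets IsManager on one Person. $ObjectIdentifier is the
# "urn:uuid:..." string Export-FIMConfig returns for references and ObjectIdentifier.
function New-IsManagerImportObject {
    param([string]$ObjectIdentifier, [bool]$Value)
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = 1            # 1 = Replace (single-valued attribute)
    $change.AttributeName  = "IsManager"
    $change.AttributeValue = $Value
    $change.FullyResolved  = 1
    $change.Locale         = "Invariant"

    $obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $obj.ObjectType             = "Person"
    $obj.TargetObjectIdentifier = $ObjectIdentifier
    $obj.SourceObjectIdentifier = $ObjectIdentifier
    $obj.State                  = 1       # 1 = Put (modify an existing resource)
    $obj.Changes                = (,$change)
    return $obj
}

# Return the reference values of one attribute as an array, whether it is
# single- or multi-valued. Empty values (Manager was cleared) are dropped.
function Get-ReferenceValues {
    param($Attribute)
    if ($Attribute -eq $null) { return @() }
    $values = if ($Attribute.IsMultiValue) { $Attribute.Values } else { @($Attribute.Value) }
    return @($values | Where-Object { -not [string]::IsNullOrEmpty($_) })
}

# Activity path: flag every manager referenced by the user the request touched.
function Set-IsManagerFromRequest {
    param([string]$TargetId)              # in the activity: $fimwf.TargetID.Guid
    $exported = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig ("/*[ObjectID='{0}']" -f $TargetId)
    $manager  = $exported.ResourceManagementObject.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq "Manager" }
    foreach ($ref in (Get-ReferenceValues $manager)) {
        New-IsManagerImportObject -ObjectIdentifier $ref -Value $true | Import-FIMConfig -Uri $URI
    }
}

# Maintenance path: one export of all Persons, then clear IsManager on every
# flagged Person that no other Person references. This is the costly lookup the
# post keeps out of the workflow, so schedule it off-hours instead.
function Invoke-IsManagerReconcile {
    $referenced = @{}
    $flagged    = @()
    foreach ($p in @(Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/Person")) {
        $attrs   = $p.ResourceManagementObject.ResourceManagementAttributes
        $manager = $attrs | Where-Object { $_.AttributeName -eq "Manager" }
        foreach ($ref in (Get-ReferenceValues $manager)) { $referenced[$ref] = $true }
        $isManager = $attrs | Where-Object { $_.AttributeName -eq "IsManager" }
        if ($isManager -ne $null -and $isManager.Value -eq "true") {
            $flagged += $p.ResourceManagementObject.ObjectIdentifier
        }
    }
    foreach ($id in $flagged) {
        if (-not $referenced.ContainsKey($id)) {
            New-IsManagerImportObject -ObjectIdentifier $id -Value $false | Import-FIMConfig -Uri $URI
        }
    }
}

# In the workflow activity:      Set-IsManagerFromRequest -TargetId $fimwf.TargetID.Guid
# In the scheduled maintenance:  Invoke-IsManagerReconcile
```

The reconcile job deliberately does a single full export and builds the referenced set in memory rather than issuing one query per flagged user; the trade-off is memory for a large Person population, which is why it belongs in a scheduled task and not in the request workflow.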

Summary

Adding small boolean flags to the schema makes filters in Sets, Groups and Synchronization Rules very easy to implement. Using a PowerShell Workflow Activity is often the easiest and quickest way of meeting the workflow needs that keep these boolean flags up to date in FIM 2010.

FIM 2010 R2 4.1.3496.0 introduces error event when searching the portal

After you have updated your FIM 2010 R2 Service & Portal to 4.1.3496.0 you will start to get errors in the event log every time someone searches in the FIM Portal. This is due to a new feature added in this update that gives you the ability to hide the advanced search option.

The error you will get in the Forefront Identity Management application log is “System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.”

This error is due to the new feature, described in the 4.1.3496.0 KB article, allowing you to hide the advanced search option.

Solution

To get rid of this error you need to follow the instructions in the KB article and add the boolean HideAdvancedSearchLink attribute and bind it to the Portal Configuration resource.
This will get rid of the error message, but in order to use the new feature and manage it you would also need to add an MPR allowing Administrators to set the value.

Credit

I found this solution as an answer in the TechNet forum, submitted by Andrew Weiss.

Schedule FIM 2010 with a sleep option

When scheduling your run profiles in FIM 2010 you sometimes need to add a short sleep, to allow the external system to process data. This can for example be required when the FIM Service needs to apply some workflow to the exported data before you import the result.

In this post I will show you one option for doing so when using a PowerShell script to run the profiles in the FIM Synchronization Service.

The scripts I show you snippets of in this post can be downloaded here: ScheduleFIMwSleep.

DeltaRunWithSleep.ps1

I usually use a PowerShell script to schedule the typical run profiles.
In the script I allow for a special "profile" with the syntax "Sleep:X" to make the script sleep for X seconds.

@{
name="FIMService";
profilesToRun=@("Export";"Sleep:30";"Delta Import";"Delta Sync");
};

So whenever it finds this "Sleep" profile it sleeps instead of trying to run an actual run profile.

if($profileName.StartsWith("Sleep"))
{Start-Sleep -Seconds ([int]$profileName.Split(":")[1])}   # "Sleep:30" -> pause 30 seconds
else
{
$result = $MA.Execute($profileName);                         # run the real run profile through WMI
if("success".Equals($result.ReturnValue)){} else {$msg = "Error: "+$result.ReturnValue}
}
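As an added example (my own code, not the DeltaRunWithSleep.ps1 from the download), here is a complete scheduler built around the same "Sleep:X" convention, so you can see how the profile list, the WMI lookup of the management agent and the sleep handling fit together. The MA names and run profile names are placeholders; it assumes the FIM Synchronization Service WMI provider on the local server and that the script runs as a member of the FIMSyncOperators group.

```powershell
# Added example, not the original post's script. MA and profile names are
# placeholders; adjust them to your environment.
$maList = @(
    @{ name = "AD";         profilesToRun = @("Delta Import"; "Delta Sync") };
    @{ name = "FIMService"; profilesToRun = @("Export"; "Sleep:30"; "Delta Import"; "Delta Sync") }
)

# Parse "Sleep:X" into a number of seconds; returns $null for real profile names.
function Get-SleepSeconds {
    param([string]$ProfileName)
    if ($ProfileName -match '^Sleep:(\d+)$') { return [int]$Matches[1] }
    return $null
}

# Run one entry of the profile list: either sleep or execute the run profile.
# Returns $true on success so the caller can stop the MA's sequence on failure.
function Invoke-RunProfile {
    param([System.Management.ManagementObject]$MA, [string]$ProfileName)
    $seconds = Get-SleepSeconds $ProfileName
    if ($seconds -ne $null) {
        Write-Host ("{0}: sleeping {1}s" -f $MA.Name, $seconds)
        Start-Sleep -Seconds $seconds
        return $true
    }
    $result = $MA.Execute($ProfileName)          # MIIS_ManagementAgent.Execute via WMI
    if ("success" -eq $result.ReturnValue) { return $true }
    Write-Warning ("{0}/{1}: {2}" -f $MA.Name, $ProfileName, $result.ReturnValue)
    return $false
}

foreach ($entry in $maList) {
    $ma = Get-WmiObject -Namespace "root\MicrosoftIdentityIntegrationServer" `
                        -Class "MIIS_ManagementAgent" -Filter ("Name='{0}'" -f $entry.name)
    if ($ma -eq $null) { Write-Warning ("MA {0} not found" -f $entry.name); continue }
    foreach ($profileName in $entry.profilesToRun) {
        # Stop this MA's sequence at the first failed step: importing after a
        # failed export would pull back a half-processed state.
        if (-not (Invoke-RunProfile -MA $ma -ProfileName $profileName)) { break }
    }
}
```

Two details differ from the snippet above: the sleep value is parsed with a regex and cast to an integer, so a typo such as "Sleep:" or "Sleep:abc" fails loudly instead of being passed as a string to Start-Sleep, and a failed run profile stops the remaining steps for that MA rather than only recording a message.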

ReloadWithSleep.ps1

A special case of run schedule is when you need to do some kind of reload or initial load of data. This could be just because you deleted a connector space and need to reload, or because you changed the configuration.
If you use this when migrating or changing configuration, be aware that you should always run Full Synchronization rather than Delta Synchronization on all MAs with configuration changes.
In this script I disable provisioning before running any run profiles and enable it again once they are done.

#Disable Provisioning
& "$scriptpath/DisableProvisioning.ps1"

#Run Profiles
do {….}

#EnableProvisioning
& "$scriptpath/EnableProvisioning.ps1"

As you can see, the actual enabling and disabling is done in two separate PowerShell scripts (EnableProvisioning.ps1 and DisableProvisioning.ps1) that need to reside in the same folder as the calling script.

Hopefully the information in this post makes your scheduling of FIM 2010 easier.