Azure AD PowerShell Managment Agent
This is a custom MIM Managment agent to import Azure AD users using Msol module,users could be either Member or Guest (B2B), then send them back in SharePoint 2016 User Profiles
This agent is tested on the following scenario:
- SharePoint 2016 On-Prem Farm (Aug 2017 PU) - With User Profile Service Configured and Syncronization Service Configured using MIM 2016
- Azure AD with Guest (B2B) users added and immutible id set
Import PowerShell File Configurations
- $usersType variable - 'All' for all user types, 'Member' for Azure AD Users and 'Guest' for B2B users
- $restrictImmutableId - Imports only users with ImmutableId property set
- $adfsClaimTokenPrefix - Constructs a string for ADFS Claim token to be used in some scenarios i.e. i:email@example.com
- $imageImportEnabled - Exports users pictures into a temp folder then adds the binary array of the photo to the Azure User Object Imported to object space
- $DebugFilePath - Outputs powershell messages
Import PowerShell File Changes
- You can update the properties and mappings to fit your scenario
- Any changes in the import.ps1 should reflect in the schema.ps1 file as well
User photos is now implemented
- Just set the '$imageImportEnabled' variable to $true to enable user photo export
SharePoint Managment Agent installed and configured
- Step by Step: Installation of Microsoft Identity Manager for SharePoint 2016 User profile Service
- Step by Step: Configuration of Microsoft Identity Manager for SharePoint 2016 User profile Service
Enable Msol on MIM Server
- Install required software These steps are required once on your computer, not every time you connect. However, you'll likely need to install newer versions of the software periodically.
- Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.
- Install the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell with these steps:
- Open the Azure Active Directory Connection web page.
- In Files in Download at the bottom of the page, click Download for the AdministrationConfig-V184.108.40.206-GA.msi file, and then install it.
Store Azure AD Global Admin in a secure file
- Get latest PowerShell script file from PowerShell-Stored-Credentials
- For full steps follow the following link (https://practical365.com/blog/saving-credentials-for-office-365-powershell-scripts-and-scheduled-tasks/)
- Save the generated file i.e. firstname.lastname@example.org
Install The Granfeldt PowerShell Management Agent (MA)
Before Begining, Please first read How to create an AzureAD Microsoft Identity Manager Management Agent using the MS GraphAPI and Differential Queries, to get overview of the idea we are intoducing here as it is based on the same idea
- Create a folder 'AzurePSADMA' for example that will contain mainly the following files
|Import.ps1||The main import sequence script|
|email@example.com||Azure Admin Cred file|
|Password.ps1||Password PowerShell File, You must have a Password.ps1 file. Even though we’re not doing password management on this MA, the PS MA configuration requires a file for this field. The .ps1 doesn’t need to have any logic/script inside it. It just needs to be present|
|Export.ps1||Export PowerShell File, You must have a Export.ps1 file. Even though we’re not doing Export on this MA, the PS MA configuration requires a file for this field. The .ps1 doesn’t need to have any logic/script inside it. It just needs to be present|
|Schema.ps1||The schema of the AzureADUser that will be imported to MIM|
Management Agent Configuration
- With the Granfeldt PowerShell Management Agent installed on your FIM/MIM Synchronisation Server, in the Synchronisation Server Manager select Create Management Agent and choose "PowerShell" from the list of Management Agents to create. As this example is for Users, I’ve named my MA accordingly "AzureADUsers"
- For the schema script add your schema.ps1 file full path and the azure ad amdin account, the password will not be used from this screen as well use the stored cred file instead
- Paths to the Import, Export and Password scripts. Note: the Export and Password PS1 scripts files exist but are empty.
- Object Type as configured in the Schema.ps1 file.
- Attributes as configured in the Schema.ps1 file
- Anchor as per the Schema.ps1 file.
- Project the output to person object
- Configure Attribute flow
Add two Run Profiles to your Managment Agent [FullImport - FullSync], You can use any configurations as you needs this is just for the sake of the demo
- Run AzureADUsers MA Full Import Profile
- Run AzureADUsers MA Full Sync Profile
- Run SPMA MA Full Import Profile
- Run SPMA MA Full Sync Profile
- Run SPMA MA Export Profile
Verify the results
- After a successfull AzureADUsers MA Full import run, you should find additions according to the users type found on Azure AD
- An example of user properties imported
- After AzureADUser MA Full Sync
- Azure User Profile
- SharePoint 2016 on-prem User Profile