Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
130 lines (81 sloc) 10.2 KB

Azure AD PowerShell Managment Agent

This is a custom MIM Managment agent to import Azure AD users using Msol module,users could be either Member or Guest (B2B), then send them back in SharePoint 2016 User Profiles

This agent is tested on the following scenario:

  • SharePoint 2016 On-Prem Farm (Aug 2017 PU) - With User Profile Service Configured and Syncronization Service Configured using MIM 2016
  • Azure AD with Guest (B2B) users added and immutible id set

Import PowerShell File Configurations

  • $usersType variable - 'All' for all user types, 'Member' for Azure AD Users and 'Guest' for B2B users
  • $restrictImmutableId - Imports only users with ImmutableId property set
  • $adfsClaimTokenPrefix - Constructs a string for ADFS Claim token to be used in some scenarios i.e. i:05.t|adfs|islam.khattab@itworx.com
  • $imageImportEnabled - Exports users pictures into a temp folder then adds the binary array of the photo to the Azure User Object Imported to object space
  • $DebugFilePath - Outputs powershell messages

Import PowerShell File Changes

  • You can update the properties and mappings to fit your scenario
  • Any changes in the import.ps1 should reflect in the schema.ps1 file as well

User photos is now implemented

  • Just set the '$imageImportEnabled' variable to $true to enable user photo export

Prerequisites

SharePoint Managment Agent installed and configured

Enable Msol on MIM Server

  • Install required software These steps are required once on your computer, not every time you connect. However, you'll likely need to install newer versions of the software periodically.
  1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.
  2. Install the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell with these steps:
    1. Open the Azure Active Directory Connection web page.
    2. In Files in Download at the bottom of the page, click Download for the AdministrationConfig-V1.1.166.0-GA.msi file, and then install it.

Store Azure AD Global Admin in a secure file

Install The Granfeldt PowerShell Management Agent (MA)

AzureADPSMA Installation

Before Begining, Please first read How to create an AzureAD Microsoft Identity Manager Management Agent using the MS GraphAPI and Differential Queries, to get overview of the idea we are intoducing here as it is based on the same idea

  • Create a folder 'AzurePSADMA' for example that will contain mainly the following files
File Name Description
Import.ps1 The main import sequence script
azure.admin@yourdomain.onmicrosoft.com.cred Azure Admin Cred file
Password.ps1 Password PowerShell File, You must have a Password.ps1 file. Even though we’re not doing password management on this MA, the PS MA configuration requires a file for this field. The .ps1 doesn’t need to have any logic/script inside it. It just needs to be present
Export.ps1 Export PowerShell File, You must have a Export.ps1 file. Even though we’re not doing Export on this MA, the PS MA configuration requires a file for this field. The .ps1 doesn’t need to have any logic/script inside it. It just needs to be present
Functions-PSStoredCredentials.ps1 Creditial Manager
Schema.ps1 The schema of the AzureADUser that will be imported to MIM
  • Management Agent Configuration

    • With the Granfeldt PowerShell Management Agent installed on your FIM/MIM Synchronisation Server, in the Synchronisation Server Manager select Create Management Agent and choose "PowerShell" from the list of Management Agents to create. As this example is for Users, I’ve named my MA accordingly "AzureADUsers"

    picture alt

    • For the schema script add your schema.ps1 file full path and the azure ad amdin account, the password will not be used from this screen as well use the stored cred file instead

    picture alt

    • Paths to the Import, Export and Password scripts. Note: the Export and Password PS1 scripts files exist but are empty.

    picture alt

    • Object Type as configured in the Schema.ps1 file.

    picture alt

    • Attributes as configured in the Schema.ps1 file

    picture alt

    • Anchor as per the Schema.ps1 file.

    picture alt

    • Project the output to person object

    picture alt

    • Configure Attribute flow

    picture alt

  • Add two Run Profiles to your Managment Agent [FullImport - FullSync], You can use any configurations as you needs this is just for the sake of the demo

picture alt

  • Run AzureADUsers MA Full Import Profile
  • Run AzureADUsers MA Full Sync Profile
  • Run SPMA MA Full Import Profile
  • Run SPMA MA Full Sync Profile
  • Run SPMA MA Export Profile

Verify the results

  • After a successfull AzureADUsers MA Full import run, you should find additions according to the users type found on Azure AD

picture alt

  • An example of user properties imported

picture alt

  • After AzureADUser MA Full Sync

picture alt

  • Azure User Profile

picture alt

  • SharePoint 2016 on-prem User Profile

picture alt