Install And Configure Microsoft Identity Manager 2016 SP1 For SharePoint 2016

Microsoft Identity Manager (MIM) 2016 is built on the identity and access management capabilities of FIM 2010 R2. Like its predecessor, MIM helps us manage the users, credentials, policies and access within our organization. Additionally, MIM 2016 adds a hybrid experience, privileged access management capabilities and support for new platforms.

User profile synchronization in versions prior to SharePoint 2016 relied on an inbuilt Forefront Identity Manager (FIM), which ran inside SharePoint Server. However, in SharePoint Server 2016, FIM has been removed. User profile synchronization is done by Microsoft Identity Manager, which acts as the successor to FIM. MIM resides on a separate server from the SharePoint 2016 server. Thus, if we already have a MIM server, we can leverage it and use it with SharePoint 2016.

Download Microsoft Identity Manager SP1

The MIM 2016 installation involved installing a separate hotfix to complete the installation successfully; MIM 2016 SP1, however, ships with that hotfix built in, which makes the installation of MIM easier. Before getting started with the installation procedure, let's download the setup file from the evaluation center. This is a fully functional 180-day trial version. We can also download the production-ready version directly from the Microsoft Volume Licensing Center.

Create an Identity Manager Synchronization account

We will need a domain account under which the Microsoft Identity Manager Synchronization Service will run. Thus, let's create an account for this purpose; we will have to specify it during the installation. We will name it MIM Service.

Install Identity Manager

From the downloaded installation media, go to the Synchronization Service folder and run the setup.exe file.

This will start the Identity Manager Synchronization Service Setup Wizard.

Accept the license agreement and proceed.

Select Microsoft Identity Manager Synchronization and click Next.

The next screen in the wizard asks for information about the instance of SQL Server that we want MIM to use. Choose This Computer if SQL Server is local, or type the name of the remote SQL Server instance. We are installing MIM on the same server as SQL Server, so we will go with the configuration given below.

If we are installing MIM against a remote instance of SQL Server, the SQL Server Native Client must already be installed on the MIM server before installing the MIM Synchronization Service.

In the next screen, specify the credentials of the service account we created earlier, under which the Identity Manager Synchronization Service will run.

Now, we have to set up the security groups that are required for MIM to function. We can leave them at the default values.

It is recommended to leave the firewall rule checkbox unchecked.

Click Next to proceed with the installation.

We will get a warning, as shown below. Click OK to proceed.

We will be asked to back up the keys generated at this point, as they will be required when we move to a different database server. Click OK.

Specify the key name and click Save.

Thus, we are done with installing MIM 2016 SP1 on the server.

Restart the system so that the security group membership takes effect.

Forefront Identity Manager Connector for SharePoint

Now, we have to install the Forefront Identity Manager Connector for SharePoint, which is used to connect MIM to SharePoint 2016. It is commonly called the SharePoint Management Agent (SPMA), and we can download it here.

Once the executable has been downloaded, proceed with the installation using the SharePoint Connector Setup Wizard.

Click Install to start the installation process.

After some time, the SharePoint Connector installation will be complete.

To complete the SharePoint Connector installation, restart the Forefront Identity Manager Service from Services.msc.

No need for Hotfix Update

MIM 2016 required a hotfix to be installed after setup to complete the installation procedure. MIM 2016 SP1 already includes that hotfix, so, since we have installed MIM 2016 SP1, it has already been applied.

Configure Synchronization Settings

In order to enable User Profile Synchronization using MIM, we have to set up the synchronization settings.

Select Enable External Identity Manager and click OK.

Install the solution files for SharePoint Synchronization

We can download the solution files that we will use to set up SharePoint Synchronization here. The complete set of files is available as a zip from the root location.

The downloaded zip file contains the folder UserProfile.MIMSync, which holds all the solution files.

The solution scripts from UserProfile.MIMSync have been copied to the working directory.

Rectify an error in the Synchronization script

The SharePointSync.psm1 module contains a set of PowerShell cmdlets to set up the Microsoft Identity Manager sync engine with SharePoint and to kick off sync on demand. However, the script was written for MIM 2016 and needs a code correction to work with the latest MIM 2016 SP1. If we run the script without the change, we get the error shown below.

The error states that SharePoint Sync requires version 4.3.2064 or greater. However, if we check, we can see that the installed version of Forefront Synchronization Service Manager is already 4.4.1302.

The error is caused by an If/Else block in SharePointSync.psm1 that was written for the first release of MIM 2016. To rectify the error, open SharePointSync.psm1.

We will replace lines 79-89 with the code block given below, so that the check also works with MIM 2016 SP1.

Corrected Code

  # Locate the MIM PowerShell assembly and read its file version
  $MimPowerShellModuleAssembly = Get-Item -Path (Join-Path (Get-SynchronizationServicePath) UIShell\Microsoft.DirectoryServices.MetadirectoryServices.Config.dll)
  # MIM 2016 SP1 reports 4.4.x; accept build 1237 or later
  if ($MimPowerShellModuleAssembly.VersionInfo.ProductMajorPart -eq 4 -and $MimPowerShellModuleAssembly.VersionInfo.ProductMinorPart -eq 4 -and $MimPowerShellModuleAssembly.VersionInfo.ProductBuildPart -ge 1237) {
      Write-Verbose "Sufficient MIM PowerShell version detected (>= 4.4.1237): $($MimPowerShellModuleAssembly.VersionInfo.ProductVersion)"
  }
  else {
      throw "SharePoint Sync requires MIM PowerShell version 4.4.1237 or greater (this version is currently installed: $($MimPowerShellModuleAssembly.VersionInfo.ProductVersion)). Please install the latest MIM hotfix."
  }
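The corrected block still hard-codes the major and minor version, so it would fail again at the next MIM release that changes them. The following is an added example (not code from the post or from Microsoft's SharePointSync.psm1) that gates on a [System.Version] comparison instead; it assumes Get-SynchronizationServicePath from the module is loaded and that the assembly path is the one used above.

```powershell
# Added example, not code from the post or from SharePointSync.psm1: a version
# gate that compares [System.Version] values instead of hard-coding major/minor/
# build, so it keeps working for later MIM hotfixes without further edits.
# Assumes Get-SynchronizationServicePath (a function in SharePointSync.psm1) is loaded.
function Test-MimPowerShellVersion {
    [CmdletBinding()]
    param(
        [version] $MinimumVersion = '4.4.1237',
        [string]  $AssemblyPath = (Join-Path (Get-SynchronizationServicePath) 'UIShell\Microsoft.DirectoryServices.MetadirectoryServices.Config.dll')
    )
    if (-not (Test-Path -Path $AssemblyPath)) {
        throw "MIM PowerShell assembly not found at '$AssemblyPath'. Is the Synchronization Service installed?"
    }
    $info = (Get-Item -Path $AssemblyPath).VersionInfo
    # Build a clean [version] from the numeric parts; ProductVersion may carry a text suffix.
    $installed = New-Object System.Version($info.ProductMajorPart, $info.ProductMinorPart, $info.ProductBuildPart, $info.ProductPrivatePart)
    if ($installed -lt $MinimumVersion) {
        throw "SharePoint Sync requires MIM PowerShell version $MinimumVersion or greater (currently installed: $installed). Please install the latest MIM hotfix."
    }
    Write-Verbose "Sufficient MIM PowerShell version detected (>= $MinimumVersion): $installed"
    return $installed
}

# Example use in place of the If/Else block: 4.4.1302 (the build seen in the post)
# passes, while a 4.3.x build (the version the original check was written for) throws.
Test-MimPowerShellVersion -Verbose
```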

Get configuration values for SharePoint Synchronization script

To enable SharePoint Synchronization, we will run the SharePointMIMSync.ps1 file on the MIM server. Prior to running it, we have to update the script with values from our environment.

We will need the OrganizationalUnit and ForestDnsName parameters, which have to be updated in the script. We can get the organizational unit by running the command given below; the distinguished name in its output (DC=AzureAD,DC=Contoso,DC=com) is the value for OrganizationalUnit.

  Get-ADComputer $env:COMPUTERNAME | Get-ADPrincipalGroupMembership

We can get the AD forest name by running the command given below.

  Get-ADForest

Prior to running the synchronization script, ensure that the Set-ExecutionPolicy command given below has been run in the same PowerShell session (the Process scope affects only the current session); otherwise we may get the error "File is not digitally signed".

  Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Run SharePoint Synchronization script

Now, we are ready to run the SharePoint Sync script. Running it involves the two steps given below.

  • Import the SharePointSync module
  • Run the ‘Install-SharePointSyncConfiguration’ command

After navigating to the directory where the script is present, let's load the SharePointSync.psm1 module, as given below.

  Import-Module .\SharePointSync.psm1

Now, we can finally run the ‘Install-SharePointSyncConfiguration’ command, which enables MIM synchronization with SharePoint. It requires the parameters given below.

  • -Path - Location where the sync script is located.
  • -ForestDnsName - AzureAD.Contoso.com (we got this earlier by running the Get-ADForest command).
  • -ForestCredential - Account that will be used to read objects from Active Directory. This account must have the Replicate Directory Changes permission in the Active Directory that is to be synchronized. We are using an AD administrator account here.
  • -OrganizationalUnit - The distinguished name of the Active Directory container to be synchronized. We can get it by running the command “Get-ADComputer $env:COMPUTERNAME | Get-ADPrincipalGroupMembership”.
  • -SharePointUrl - SharePoint Central Administration URL.
  • -SharePointCredential - SharePoint farm account.

The synchronization script given below can be saved to a PS1 file, say ‘SharePointMIMSync.ps1’, and run from the console as ‘.\SharePointMIMSync.ps1’.

  $MIMSyncAccount = Get-Credential -UserName "AzureAD\AzureADAdmin" -Message "MIM Sync Account"
  $SPFarmAccount = Get-Credential -UserName "AzureAD\SPFarmAccount" -Message "SP Farm Admin"
  Install-SharePointSyncConfiguration -Path C:\SharePointMIMSync -ForestDnsName AzureAD.Contoso.com -ForestCredential $MIMSyncAccount -OrganizationalUnit "DC=AzureAD,DC=Contoso,DC=com" -SharePointUrl http://vm03-sp2016:50000/ -SharePointCredential $SPFarmAccount -PictureFlowDirection "Export only (NEVER from SharePoint)"
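The script above passes an AD administrator account as -ForestCredential, but the only right the sync account actually needs for this step is Replicating Directory Changes on the domain naming context. The following added check (not part of the post or of the Microsoft scripts) reports whether a dedicated account holds that right, so a least-privilege account can be used instead; the account name MIMSyncSvc is hypothetical, and it assumes the ActiveDirectory module is available on the MIM server.

```powershell
# Added example: verify a sync account has the "Replicating Directory Changes"
# extended right on the domain naming context, so -ForestCredential can use a
# dedicated least-privilege account instead of a domain admin.
# Assumes the ActiveDirectory module (RSAT) is present; 'MIMSyncSvc' is hypothetical.
Import-Module ActiveDirectory

function Test-ReplicateDirectoryChangesRight {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DomainDn = (Get-ADDomain).DistinguishedName
    )
    # Well-known schema GUID of the DS-Replication-Get-Changes extended right.
    $replicateChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    $rights = [System.DirectoryServices.ActiveDirectoryRights]

    # SIDs the account carries: its own plus its direct group memberships, so an
    # ACE granted to a group is honoured (nested groups are not expanded here).
    $user = Get-ADUser -Identity $SamAccountName
    $sids = @($user.SID.Value) + @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.SID.Value })

    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # The right is granted by a specific ExtendedRight ACE, by an ACE for all
        # extended rights (empty ObjectType), or by GenericAll.
        $grants = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
                  ($ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
                   ($ace.ObjectType -eq $replicateChanges -or $ace.ObjectType -eq [guid]::Empty))
        if (-not $grants) { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable trustee; skip it
        if ($sids -contains $aceSid) { return $true }
    }
    return $false
}

# Example use (hypothetical account): run on the MIM server before configuring sync.
if (Test-ReplicateDirectoryChangesRight -SamAccountName 'MIMSyncSvc') {
    'MIMSyncSvc holds Replicating Directory Changes; it can be used for -ForestCredential.'
} else {
    'MIMSyncSvc lacks Replicating Directory Changes; grant that right instead of using a domain admin.'
}
```

Group membership is checked one level deep only; if the right is granted through a nested group, extend the SID list with the account's tokenGroups before relying on a negative result.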

On running the synchronization script, it asks for the Sync Account, which we can enter as shown below.

It also asks for the SharePoint farm account, which we can enter before clicking OK.

This completes the SharePoint Synchronization configuration and we get the message given below. It specifically says that before we start the synchronization, we should set the AD account password in the AD connector, which we will do in the coming section.

Run Synchronization Service Manager

Now, we can start the Synchronization Service Manager to begin the synchronization of user profiles.

We can see the two management agents given below in the Service Manager.

  • ADMA
    Active Directory Management Agent.

  • SPMA
    SharePoint Management Agent.

Click ADMA and go to the Connect to Active Directory Forest tab. Here, we have to specify the password for the sync account that has the Replicate Directory Changes permission in Active Directory.

Also, ensure that the correct AD partitions are selected, so that synchronization runs correctly.

Before running the synchronization command, let's restart the Forefront Identity Manager Service.

Finally, we can start the SharePoint synchronization.

  Start-SharePointSync -Confirm:$false

It performs the import of user profiles, and we can see the success status and details in the Service Manager, as shown below.

Summary

Thus, we saw how to install and configure Microsoft Identity Manager 2016 SP1 for SharePoint Server 2016.