Microsoft SharePoint Blog

Configuring MIM with SharePoint 2016 or 2019

Zerlinger
Jan 13, 2020

The steps below walk you through setting up an external MIM synchronization service to synchronize your user profiles from Active Directory to your SharePoint 2016 or 2019 farm.

Pre-requisites
A SharePoint 2016 or 2019 farm with a UPA service application configured.
You can install the MIM sync service on its own server or on the SQL server that hosts the User Profile service application's databases, but it's not recommended to put it on a production SharePoint server.
Download the following applications to the server that you choose to use.

  • Download Microsoft Identity Manager 2016 to the MIM server.

Identity and Access Management Evaluations
https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-identity-manager-2016

Note - You can also download it from the Visual Studio subscription site if you have a subscription.

  • Download the SharePoint connector to the MIM server.

Forefront Identity Manager Connector for SharePoint User Profile Store
https://www.microsoft.com/en-us/download/details.aspx?id=41164

  • Download the PowerShell configuration scripts from GitHub to the MIM server.

Scripts and tools for Office 365 and SharePoint - More for IT Pro's
https://github.com/SharePoint/PnP-Tools


Note - To download the ZIP file with the script, click the 'Clone or download' button on the site.

  • Important - If you are not installing MIM on a SQL server, you will need the SQL Native Client installed on the server you install MIM on.

Microsoft® SQL Server® 2012 Native Client
http://go.microsoft.com/fwlink/?LinkID=239648&clcid=0x409

Configuring MIM services

Step 1

Install the sync engine on the MIM server.

A - Log in to the MIM server with a user that has administrator access to the server.
B - Mount the 'Microsoft Identity Manager 2016 with Service Pack 1' ISO file.
C - Navigate to the 'Synchronization Service' folder on the mounted drive.
D - Right-click the setup file and select 'Run as administrator' to install the sync engine.

E - At the Microsoft Identity Manager 2016 Welcome window, click 'Next'.

F - Accept the 'End-User License Agreement' and click 'Next'.

H - Specify the SQL server location and instance and click 'Next'.

I - Click 'OK' on the SQL version warning.

J - Enter the SharePoint farm Admin credentials for the MIM Synchronization Service and click 'Next'.

K - Leave the default MIM groups and click 'Next'.

L - If the OS firewall is enabled on the server, check the box 'Enable firewall rules for inbound RPC communications'. In either case, click 'Next'.

M - Click 'Install' to install the MIM Synchronization Service.

N - Click 'OK' on the sync service account warning.

O - Monitor the progress of the install.

P - Click 'OK' to back up the encryption key.

Q - Give your encryption key file a name and location and click 'Save'.

R - Click 'Finish'.

S - Click 'Yes' to reboot your server to complete the installation.

Step 2

Install the SharePoint connector onto the MIM server.

A - Double click on the 'SharepointConnector.msi' file to start the installation and click 'Next'.

B - Accept the License Agreement and click 'Next'.

C - Click the 'Install' button.

D - Click the 'Finish' button.

E - Using Windows Explorer, navigate to 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\UIShell' and run the 'miisclient' application to start the MIM client.

Note - For easy access, pin 'miisclient' to the taskbar by right-clicking the file and selecting 'Pin to taskbar' before you run it.

F - Verify that the MIM client opens.

Step 3

Configure the setup script that creates the SharePoint management agents on the MIM server.

A - Create a folder called 'C:\SyncSupport' on the C drive of your MIM server using Windows Explorer.

B - Extract the files inside 'PnP-Tools-master.zip' to a different folder, then navigate to the '\PnP-Tools-master\PnP-Tools-master\Solutions\UserProfile.MIMSync' folder.

C - Select all the files in the 'UserProfile.MIMSync' folder and copy them to the new 'C:\SyncSupport' folder that you created. We want to preserve an original copy of these files in case we need to start over.

D - Copy the PowerShell script below into your favorite editor and update the Path, Forest name, Sync account, Central Admin URL, Farm account, and Organizational Unit variables.

##################################################################################
# This PowerShell script adds the SharePoint and Active Directory management agents to MIM
##################################################################################

# Path to the sync support files
$Path = "C:\SyncSupport"

# The DNS name of your forest
$ForestDnsName = "contoso.com"

# The account that has access to Active Directory with the 'Replicating Directory Changes' permission
$SyncAccount = "contoso\spsync"

# URL of the Central Admin site (forward slashes, not backslashes)
$CentralAdminUrl = "http://sp:5000"

# Farm account for your SharePoint farm
$FarmAccount = "contoso\spfarm"

# Do not change this value: pictures are only ever exported to SharePoint, never imported from it
$PictureFlow = 'Export only (NEVER from SharePoint)'

# Organizational unit(s) containing the users to be synced; more than one can be specified
$OrgUnits = 'OU=SpUsers, DC=contoso, DC=com'

# Prompt for the credentials of both accounts
$SyncAccountCreds = Get-Credential $SyncAccount
$FarmAccountCreds = Get-Credential $FarmAccount

# Import the sync PowerShell module
Import-Module "$Path\SharePointSync.psm1" -Force

# The main function
Install-SharePointSyncConfiguration -Path $Path -Verbose -ForestDnsName $ForestDnsName -ForestCredential $SyncAccountCreds -SharePointUrl $CentralAdminUrl -SharePointCredential $FarmAccountCreds -PictureFlowDirection $PictureFlow -OrganizationalUnit $OrgUnits

##################################################################################

E - Execute the PowerShell script; you will be prompted for the passwords of the Sync and farm accounts.

First prompt - Sync account
Second prompt - Farm account

F - Next you will be prompted with a security warning; select 'R' to continue.

G - The output of the script should look something like below.

Step 4

Refresh the Management Agents using the MIM client.

A - In the MIM client, refresh the Management Agents by clicking the 'Actions' button on the ribbon and then 'Refresh'. You should see the two MAs: ADMA and SPMA.

B - Double-click the 'ADMA' management agent, select 'Connect to Active Directory Forest' in the left pane and enter the password for the Sync account. Click 'OK' to continue.

C - To create a connector filter that excludes disabled accounts from Active Directory, click 'Select Attributes' in the left menu. On the right side, search for 'userAccountControl' and check the box next to it.

D - Next, click 'Configure Connector Filter' in the left menu and highlight the 'user' data source object in the top center window. Then click the 'New' button at the bottom of the window.

E - Select the values below in each menu and click the 'Add Condition' button to create the filter. Click 'OK' when finished.

Data source attribute = 'userAccountControl'
Operator = 'Bit on equals'
Value = '0x2'

F - You have now created a filter that excludes disabled users from Active Directory. Click 'OK' to exit the management agent.

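As an added example (not part of the original post), the following PowerShell shows why the 'Bit on equals' / '0x2' condition excludes disabled accounts, and lets you preview which accounts in the OU the filter will skip before the first full sync. The sample userAccountControl values are constructed, the OU is the one from the setup script above, and the ActiveDirectory RSAT module is assumed to be available for the preview step.

```powershell
# ACCOUNTDISABLE is bit 1 (0x2) of the userAccountControl bit mask.
$ACCOUNTDISABLE = 0x2

function Test-AccountDisabled {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    # MIM's 'Bit on equals' operator is this bitwise AND test: the account
    # is filtered out when the 0x2 bit is set, whatever the other bits are.
    return (($UserAccountControl -band $ACCOUNTDISABLE) -eq $ACCOUNTDISABLE)
}

# Constructed sample values, in decimal as AD stores them:
#   512   NORMAL_ACCOUNT
#   514   NORMAL_ACCOUNT + ACCOUNTDISABLE
#   66048 NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
#   66050 NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + ACCOUNTDISABLE
$samples = @(
    @{ Uac = 512;   Disabled = $false },
    @{ Uac = 514;   Disabled = $true  },
    @{ Uac = 66048; Disabled = $false },
    @{ Uac = 66050; Disabled = $true  }
)
foreach ($s in $samples) {
    $result = Test-AccountDisabled -UserAccountControl $s.Uac
    if ($result -ne $s.Disabled) { throw "Unexpected result for $($s.Uac)" }
    '{0,6} (0x{0:X}) -> filtered out: {1}' -f $s.Uac, $result
}

# Preview against the directory. The LDAP matching rule
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, the same test the
# MIM filter performs, so this lists the users in the OU the filter will skip.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -SearchBase 'OU=SpUsers,DC=contoso,DC=com' `
               -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' |
        Select-Object SamAccountName, Enabled, DistinguishedName
}
```
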
G - Now we need to refresh the SharePoint MA (SPMA) by double-clicking the SPMA management agent.

H - Once inside the SPMA, click 'OK' to continue to the 'Connectivity' menu.

I - In the 'Connectivity' window, enter the farm account credentials and click 'OK'.

J - Continue clicking 'OK' to exit the SPMA management agent and complete the refresh of the agent.

K - Open the SharePoint farm's Central Admin site and navigate to the User Profile service application.

Step 5

Running your first full synchronization.

A - You can now run a full sync with the following PowerShell script.

# Import the sync PowerShell module and run a full sync
Import-Module C:\SyncSupport\SharePointSync.psm1 -Force
Start-SharePointSync -Confirm:$false

B - Go to Central Administration and open the User Profile service application to check that the profile count looks healthy, and monitor the MIM client for errors.

Once you have completed a healthy full sync, you can schedule an incremental (delta) job using the script below as a scheduled task.

# Import the sync PowerShell module and run a delta (incremental) sync
Import-Module C:\SyncSupport\SharePointSync.psm1 -Force
Start-SharePointSync -Delta -Confirm:$false
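
As an added example (not code from the original post or from the PnP-Tools project), this PowerShell turns the delta script above into a scheduled task on the MIM server. It assumes the C:\SyncSupport path from Step 3, the contoso\spsync sync account from the Step 3 script (which must belong to one of the default MIM groups from Step 1 so it may run management agents), and a constructed 30-minute interval.

```powershell
$syncRoot  = 'C:\SyncSupport'
$wrapper   = Join-Path $syncRoot 'Run-DeltaSync.ps1'
$logFolder = Join-Path $syncRoot 'Logs'
New-Item -ItemType Directory -Path $logFolder -Force | Out-Null

# Wrapper script: the two lines from the post plus a transcript per run, so a
# failing delta sync leaves evidence without opening the MIM client.
@"
`$log = Join-Path '$logFolder' ('DeltaSync_{0:yyyyMMdd_HHmm}.log' -f (Get-Date))
Start-Transcript -Path `$log | Out-Null
try {
    Import-Module '$syncRoot\SharePointSync.psm1' -Force
    Start-SharePointSync -Delta -Confirm:`$false -Verbose
} finally {
    Stop-Transcript | Out-Null
}
"@ | Set-Content -Path $wrapper -Encoding UTF8

# The PnP scripts were downloaded from GitHub, so clear the mark-of-the-web
# on them instead of lowering the execution policy for the task.
Get-ChildItem $syncRoot -Filter *.ps*1 | Unblock-File

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$wrapper`""

# Start at the next whole hour, then repeat every 30 minutes (constructed value).
$start   = (Get-Date).Date.AddHours((Get-Date).Hour + 1)
$trigger = New-ScheduledTaskTrigger -Once -At $start `
    -RepetitionInterval (New-TimeSpan -Minutes 30)

# Never overlap two sync runs, and stop a run that hangs.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2)

# Run as the sync account (hypothetical name): MIM group membership, not local
# admin rights, authorises the sync. Task Scheduler stores the password; it is
# never written into this script or the wrapper.
$cred = Get-Credential -UserName 'contoso\spsync' -Message 'Sync account'
Register-ScheduledTask -TaskName 'SharePoint MIM Delta Sync' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited | Out-Null
```

After the first scheduled run, check the newest file in C:\SyncSupport\Logs alongside the MIM client's operations view.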

Updated Jan 13, 2020
Version 1.0