Azure AD PowerShell Managment Agent

Full Code on : https://github.com/islamkhattab/AzurePSMA
This is a custom MIM Managment agent to import Azure AD users using Msol module,users could be either Member or Guest (B2B), then send them back in SharePoint 2016 User Profiles
This agent is tested on the following scenario:
  • SharePoint 2016 On-Prem Farm (Aug 2017 PU) - With User Profile Service Configured and Syncronization Service Configured using MIM 2016
  • Azure AD with Guest (B2B) users added and immutible id set
Import PowerShell File Configurations
  • $usersType variable - 'All' for all user types, 'Member' for Azure AD Users and 'Guest' for B2B users
  • $restrictImmutableId - Imports only users with ImmutableId property set
  • $DebugFilePath - Outputs powershell messages
Import PowerShell File Changes
  • You can update the properties and mappings to fit your scenario
  • Any changes in the import.ps1 should reflect in the schema.ps1 file as well
User photos is still not implemented

Prerequisites

SharePoint Managment Agent installed and configured

Enable Msol on MIM Server

  • Install required software These steps are required once on your computer, not every time you connect. However, you'll likely need to install newer versions of the software periodically.
  1. Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.
  2. Install the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell with these steps:
    1. Open the Azure Active Directory Connection web page.
    2. In Files in Download at the bottom of the page, click Download for the AdministrationConfig-V1.1.166.0-GA.msi file, and then install it.

Store Azure AD Global Admin in a secure file

Install The Granfeldt PowerShell Management Agent (MA)

AzureADPSMA Installation

Before Begining, Please first read How to create an AzureAD Microsoft Identity Manager Management Agent using the MS GraphAPI and Differential Queries, to get overview of the idea we are intoducing here as it is based on the same idea
  • Create a folder 'AzurePSADMA' for example that will contain mainly the following files
File NameDescription
Import.ps1The main import sequence script
azure.admin@yourdomain.onmicrosoft.com.credAzure Admin Cred file
Password.ps1Password PowerShell File, You must have a Password.ps1 file. Even though we’re not doing password management on this MA, the PS MA configuration requires a file for this field. The .ps1 doesn’t need to have any logic/script inside it. It just needs to be present
Export.ps1Export PowerShell File, You must have a Export.ps1 file. Even though we’re not doing Export on this MA, the PS MA configuration requires a file for this field. The .ps1 doesn’t need to have any logic/script inside it. It just needs to be present
Functions-PSStoredCredentials.ps1Creditial Manager
Schema.ps1The schema of the AzureADUser that will be imported to MIM
  • Management Agent Configuration
    • With the Granfeldt PowerShell Management Agent installed on your FIM/MIM Synchronisation Server, in the Synchronisation Server Manager select Create Management Agent and choose "PowerShell" from the list of Management Agents to create. As this example is for Users, I’ve named my MA accordingly "AzureADUsers"
    picture alt
    • For the schema script add your schema.ps1 file full path and the azure ad amdin account, the password will not be used from this screen as well use the stored cred file instead
    picture alt
    • Paths to the Import, Export and Password scripts. Note: the Export and Password PS1 scripts files exist but are empty.
    picture alt
    • Object Type as configured in the Schema.ps1 file.
    picture alt
    • Attributes as configured in the Schema.ps1 file
    picture alt
    • Anchor as per the Schema.ps1 file.
    picture alt
    • Project the output to person object
    picture alt
    • Configure Attribute flow
    picture alt
  • Add two Run Profiles to your Managment Agent [FullImport - FullSync], You can use any configurations as you needs this is just for the sake of the demo
picture alt
  • Run AzureADUsers MA Full Import Profile
  • Run AzureADUsers MA Full Sync Profile
  • Run SPMA MA Full Import Profile
  • Run SPMA MA Full Sync Profile
  • Run SPMA MA Export Profile

Verify the results

  • After a successfull AzureADUsers MA Full import run, you should find additions according to the users type found on Azure AD
picture alt
  • An example of user properties imported
picture alt
  • After AzureADUser MA Full Sync
picture alt
  • Azure User Profile
picture alt
  • SharePoint 2016 on-prem User Profile
picture alt