Using Microsoft Identity Manager with SharePoint 2016 to Fill the User Profile Sync Gap
Max Fritz, Senior Systems Consultant, Now Micro
Max Fritz, Senior Consultant
- MCSA Office 365, MCSE Productivity
- Founder/President of the Minnesota Office 365 User Group
- Working with Office 365 for over 6 years
- Specializes in the Education & Government industries
- Focus on Azure AD, Exchange, and SharePoint Online
Contact Details
- Email: maxf@nowmicro.com
- Twitter: @TheCloudSherpa
- Blog: maxafritz.com
- LinkedIn: in/maxafritz
Agenda
- User Profile Sync Overview
- Microsoft Identity Manager Overview
- History
- Setup
- Configuration
What is (was) SharePoint User Profile Sync?
- A way for user properties to be synchronized to SharePoint from Active Directory (and back): department, description, profile picture, phone, etc.
- Allows that information to be accessed within SharePoint and synchronized back to Active Directory
- In 2010-2013, SharePoint used a lightweight, built-in version of FIM
- One of the most frustrating services within SharePoint
What is Microsoft Identity Manager?
- Successor to Forefront Identity Manager; introduced in 2016
- Manages the users, credentials, policies, and access within your organization
- Provides self-service group management and user property management through a web interface
- Synchronizes identities across platforms
- Privileged Access Management for administrator accounts
History Lesson
SharePoint User Profile Sync History (timeline)
- SharePoint 2007: Import from AD
- SharePoint 2010: Built-in FIM
- SharePoint 2013: AD Import
- SharePoint 2016
SharePoint User Profile Sync History: 2010
- SharePoint got together with the FIM team
- Built a lightweight version of FIM for use in SharePoint
- Required a lot of maintenance
- Failed to start constantly
- All around frustrating
SharePoint User Profile Sync History: 2013
- Oops: built-in FIM didn't work so well
- Introduced AD Import
  - Easier to configure and run
  - Fewer features
- Kept built-in FIM as an option
SharePoint User Profile Sync History: 2016
- AD Import was extremely popular in 2013
- Led to the removal of built-in FIM completely
- Those who need FIM features can deploy MIM
- Easier to manage when it's deployed separately
MIM vs Active Directory Import (ADI), with SharePoint 2013 or 2016

MIM
  Pros
  - Flexibility allows for customized import
  - Can be customized for bidirectional flow
  - Imports user profile photos automatically
  - Supports non-Active Directory LDAP sources
  - Multi-forest scenarios are supported
  Cons
  - A separate MIM server is recommended for use with your SharePoint farm
  - The more customized, the more complex the architecture, deployment, and management

Active Directory Import (ADI)
  Pros
  - Very fast and performant
  - Known to be reliable (used by Office 365)
  - Configurable inside of Central Administration (less complex)
  Cons
  - Import is unidirectional (changes go from Active Directory to the SharePoint Server profile)
  - Import from a single Active Directory forest only
  - Does not import user photos
  - Supports Active Directory LDAP only
  - Multi-forest scenarios are not supported
Deploying MIM 2016
- One of the more difficult tools to deploy from Microsoft (they failed to take the "F" out of "FIM")
- Windows Server 2012 R2 or higher
- .NET 3.5
- Requires SQL Server 2012 SP2 or higher
  - Can exist on the same server
  - If on a separate server, install the SQL Server Native Client
- Uses a separate SharePoint 2013 single-server installation
  - Must be installed on the same server as MIM
  - Required to use the MIM Portal (self-service features)
Deploying MIM 2016
Version: install MIM 2016 with Service Pack 1
Accounts
- Service account for MIM
  - Needs the "Log on as a service" and "Run as a service" rights on the server (assigned automatically by setup; make sure they don't get overwritten by a GPO!)
- Domain user for the AD connector
  - Needs the Replicate Directory Changes, Create Child Objects, and Write all properties permissions
- Install account
  - SQL Server admin and local admin on the server
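As an added example (not from the deck), a PowerShell check run on the MIM server that verifies the two accounts above carry the rights listed, and nothing broader. It assumes the RSAT ActiveDirectory module is installed; the account names are placeholders.

```powershell
# Added example, not part of the deck: audit the two MIM accounts against the rights
# listed above. Requires the RSAT ActiveDirectory module; run on the MIM server.
# Account names are placeholders.
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\svc-mim-ad'    # placeholder: domain user used by the ADMA
$ServiceAccount   = 'CONTOSO\svc-mim-sync'  # placeholder: MIM Synchronization Service account
$DomainDn = (Get-ADDomain).DistinguishedName
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]

# Schema GUIDs of the two replication control-access rights
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' # Replicating Directory Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' # ...Changes All: also reads secret attributes; not needed for profile sync

# 1. Connector account: explicit Allow ACEs on the domain root (rights inherited through
#    group membership are not resolved here)
$aces = (Get-Acl -Path "AD:\$DomainDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $ConnectorAccount -and $_.AccessControlType -eq 'Allow' }

function Test-Right([string]$Label, [scriptblock]$Match) {
    $ok = [bool]($aces | Where-Object $Match)
    '{0,-32} {1}' -f $Label, $(if ($ok) { 'present' } else { 'MISSING' })
}
Test-Right 'Replicating Directory Changes' { (($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) -and ($_.ObjectType -eq $ReplGetChanges) }
Test-Right 'Create Child Objects'          { ($_.ActiveDirectoryRights -band $Rights::CreateChild) -ne 0 }
Test-Right 'Write All Properties'          { (($_.ActiveDirectoryRights -band $Rights::WriteProperty) -ne 0) -and ($_.ObjectType -eq [guid]::Empty) }

# Over-delegation: neither of these is needed for the scenario in the deck
if ($aces | Where-Object { (($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) -and ($_.ObjectType -eq $ReplGetChangesAll) }) {
    Write-Warning "$ConnectorAccount holds Replicating Directory Changes All; remove it"
}
if ($aces | Where-Object { ($_.ActiveDirectoryRights -band $Rights::GenericAll) -eq $Rights::GenericAll }) {
    Write-Warning "$ConnectorAccount has GenericAll on $DomainDn"
}

# 2. Service account: confirm the effective local policy still grants "Log on as a service"
#    (a GPO applied later can silently remove the right that MIM setup assigned)
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$sid  = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight' } | Select-Object -First 1
# secedit lists principals as *SID; match the name too in case it was written resolved
if ($line -and ($line -match ([regex]::Escape("*$sid") + '|' + [regex]::Escape($ServiceAccount)))) {
    "SeServiceLogonRight includes $ServiceAccount"
} else {
    Write-Warning "SeServiceLogonRight does not include $ServiceAccount; check the GPO's User Rights Assignment"
}
Remove-Item $inf -ErrorAction SilentlyContinue
```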
MIM Installation Demo
- Set up service accounts/groups
- Add .NET 3.5
- Install SQL Server Native Client
- Install MIM
MIM Setup & Configuration
Management Agents
- MIM uses Management Agents to connect to identity resources and endpoints
- We will need the built-in Active Directory Management Agent (ADMA) and the downloadable SharePoint Management Agent (SPMA)
Solution Files
- Available from GitHub
- Allow easy configuration of the SharePoint synchronization and the Management Agents
What is synced by default from AD?
- name
- department
- description
- displayName
- givenName
- mail
- manager
- member
- thumbnailPhoto
- physicalDeliveryOfficeName
- msDS-PhoneticDisplayName
- msDS-PhoneticFirstName
- msDS-PhoneticLastName
- proxyAddresses
- telephoneNumber
- title
- wWWHomePage
Extra Configuration
01 Filter users from AD
02 Scheduling the synchronization
03 Determining user profile picture flow direction
04 Advanced/custom attribute sync
MIM & SharePoint Configuration Demo
- Install SPMA
- Configure SharePoint
- Configure SPMA and ADMA
- Test sync
- Schedule sync
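Added example for the "schedule sync" step (not from the deck or the GitHub solution files): a PowerShell cycle script that runs the ADMA and SPMA run profiles in order through the MIM Sync WMI provider and stops at the first run that does not succeed. The management agent names (ADMA, SPMA) and run profile names are assumptions; use the ones shown in Synchronization Service Manager.

```powershell
# Added example, not part of the deck: run one MIM synchronization cycle for SharePoint in
# order and stop at the first run profile that does not report success. Management agent and
# run profile names are assumptions; use the ones shown in Synchronization Service Manager.
$Namespace = 'root/MicrosoftIdentityIntegrationServer'

# Order matters: pull changes from AD, push them to SharePoint, then read SharePoint back
# (so the connector space reflects what SharePoint accepted) before exporting anything to AD.
$Cycle = @(
    @{ MA = 'ADMA'; Profile = 'Delta Import' },
    @{ MA = 'ADMA'; Profile = 'Delta Synchronization' },
    @{ MA = 'SPMA'; Profile = 'Export' },
    @{ MA = 'SPMA'; Profile = 'Delta Import' },
    @{ MA = 'SPMA'; Profile = 'Delta Synchronization' },
    @{ MA = 'ADMA'; Profile = 'Export' }   # only needed when photo/attribute flow back to AD is configured
)

function Invoke-RunProfile([string]$MaName, [string]$ProfileName) {
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    # Execute() blocks until the run completes and returns the run status string
    $status = $ma.Execute($ProfileName).ReturnValue
    "$(Get-Date -Format s)  ${MaName}/${ProfileName}: $status"
    if ($status -ne 'success') {
        throw "Run profile '$ProfileName' on $MaName ended with '$status'; stopping the cycle"
    }
}

# Prevent overlapping runs if the scheduled task fires while a previous cycle is still going
$mutex = New-Object System.Threading.Mutex($false, 'Global\MIM-SharePoint-SyncCycle')
if (-not $mutex.WaitOne(0)) { Write-Warning 'A sync cycle is already running; exiting'; return }
try {
    foreach ($step in $Cycle) { Invoke-RunProfile -MaName $step.MA -ProfileName $step.Profile }
} finally {
    $mutex.ReleaseMutex()
}
```

Register the script as a Windows scheduled task on the MIM server under an account that is a member of the MIM Sync operators or administrators group created during setup, since executing run profiles through WMI requires that membership.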
Questions?
Thank you!
- Please fill out the survey in your app
- Come ask me questions and stay in touch: @theCloudSherpa