
6/24/2018 12:40 AM BRK4042 User profile synchronization with Identity Manager and SharePoint Server 2016 Spencer Harbar Enterprise Architect © Microsoft.




1 BRK4042 User profile synchronization with Identity Manager and SharePoint Server 2016
Spencer Harbar, Enterprise Architect
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Hello!
Architect, Edinburgh, United Kingdom
Now working mostly with Azure and data centre related technologies... but there is no escape from SharePoint!
Like most of us, I started with SharePoint "by accident" nearly 20 years ago
Tries to avoid being sat at a computer
Makes photographs, climbs rocks, makes music, drinks whisky
Works with enterprise customers
Works with the SharePoint Product Group on futures and field readiness
MS Identity Management experience goes back to 1998 and Zoomit Via
Experience with telecoms, airlines, government, financial services, defence, media, and Microsoft!

3 Agenda
Identity Management 101
Importance of User Profiles
Profile Synchronization Options
Active Directory Import*
Microsoft Identity Manager
Architecture Overview
Configuration
Field Considerations
Demonstration
* Not extensive coverage due to time constraints

4 Identity Management and the importance of User Profiles

5 Importance of User Profiles
A SharePoint deployment means you ARE in the Identity Management business
Each version of SharePoint has increased dependency on User Profiles
Every Identity Management initiative, ever (and always)
Whether you like it or not!
Importance has increased significantly with each major release of SharePoint
A SharePoint Admin is an Identity Admin
Social features == social data
Key input into "AI" such as Delve
Pretty much every investment area relies on Profiles for core functionality
App AuthZ, S2S, etc.
Primarily a political and social endeavor, NOT a technical one
No toolset from any vendor will solve this, they only help

6 Identity Management (“IdM”)
10% Technology 90% Everything else! “Step away from the keyboard…”

7 IdM Primary Considerations
Ego: IdM consultant and admin egos; protection of fiefdoms
Data Ownership: who owns which data; departmental controls; IS systems; organizational culture; LCS: Legacy Corporation Syndrome
Data Quality: is the data even there? Is the data "clean"? Is the data up to date? Rate of change
System Quality: e.g. health of Active Directory; too many forests and/or domains; line of business systems; ancient, creaking infrastructure; external (to SharePoint) data sources
Access Control: authentication and authorization
Privacy & Security: user privacy and the organization's trustworthiness; regulation and legislation; the IdM implementation will need far more security controls than the systems it interacts with; do NOT get into the profile data storage business!

8 Make friends with your DS admins!
Can make or break a large scale deployment
Regular communication is a must!
Change control for pre-requisites, especially when Active Directory is externally managed
e.g. reboot of domain controllers, Windows Update
Large and/or bulk updates
Replicating Directory Changes
Additional rights for property export
Ensure that SharePoint practitioners are involved early, and are taken seriously (considered a "grown up at the table") within the identity community

9 Plan! Seriously, you MUST do this!
Think
Plan
Plan some more
Do a little more planning
Correct the mistakes in your earlier planning
Go back and do some more planning!

10 90% everything else…

11 Profile Synchronization Options SharePoint 2016+

12 Synchronization "modes": SharePoint 2013
[Diagram; labels recovered from the slide: sources Active Directory, LOB System, Other Directory; synchronization paths ADI (User Profile Service Instance), UPS (SharePoint FIM), BCS, EIM (External MIM), EIM (Custom Code); target User Profile Service Application]

13 Synchronization "modes": SharePoint 2016
[Diagram; labels recovered from the slide: sources Active Directory, LOB System, Other Directory; synchronization paths ADI (User Profile Service Instance), EIM (External MIM), EIM (Custom Code); target User Profile Service Application. UPS and BCS no longer appear.]

14 UPS is dead
Which is a good thing. For the most part.
Reality Check: many customers have a significant investment in UPS yesterday/today; we must wean them off their dependency!
UPS actually offered a lot of customer benefit: "easier" than with MIM, because it had a UI
Consider whether replicating that is part of your project delivery (it shouldn't be!)

15 Why remove UPS?
User Profile Synchronization (UPS) is the embedded version of FIM that shipped with SharePoint
Code and UI in SharePoint to manage configuration
SharePoint Management Agent
Code from , unsustainable going forward
Limited feature capability compared to the current version of MIM
Legacy ECMAv1 Management Agent
SharePoint Online doesn't use it

16 Active Directory Import

17 Active Directory Import
Get up and running as quickly as possible: simple, quick, easy, fast
For the most common scenario: Active Directory only
Users and groups, multiple domains
Import only!
Container selection, LDAP filters (inclusion based)
One connection per domain
Basically, an LDAP query and updates to profile properties

18 ADI in more detail
There isn't time to cover both ADI and MIM in one session; please see the 2016 Ignite session for more about ADI
Bottom line: ADI hasn't changed functionally, so your best resources are the SP2013 material on this topic
If ADI meets the customer needs, then please use it!
You can "extend" it with scripting for basic things
Be aware of the things that it cannot do and where it cannot be used, but that doesn't automatically mean you need to deploy MIM
"ADI is perfect, except it doesn't import profile photos. What should we do?"
We will return to this example scenario later in the session

19 Microsoft Identity Manager

20 Microsoft Identity Manager (MIM) 2016
The new name for Forefront Identity Manager
A suite of identity tools that runs on separate databases and machines from the SharePoint farm
Market leading, enterprise identity management toolkit
MIM Synchronization Service (MIM Sync): one component of MIM
No additional license cost for SharePoint 2016 customers; this only applies to the Synchronization Service, other components must be additionally licensed
SharePoint Connector: freely downloadable Management Agent for SharePoint. "Connector" is the new name for "Management Agent"

21 Microsoft Identity Manager
Image Credit: David Steadman

22 MIM Sync (licensed with SharePoint 2016)
Image Credit: David Steadman

23 The "Why MIM?" Pitch
Remove UPS BCM (Business Continuity Management) from SharePoint: no synchronization database to manage. But you still need to deal with BCM for MIM Sync!
Build powerful, complete global identity solutions: leverage all MIM Management Agents; actual synchronization
Use existing MIM investment, expertise, and infrastructure (although having them is rare!)
Address common aspects of core enterprise identity, e.g. Active Directory may not be the master source of identity within the enterprise

24 MIM Sync Fundamentals
MIM is a state based metadirectory: no agents are required on source systems; it operates, in general, under the principle of confirming receipts
Connector Space: each connected system has a connector space which stores a representation of the data in that system
Metaverse: the consolidated identity information from all connected systems
Management Agents: push data to/from the source system into the connector space and metaverse, and potentially manipulate that data. Now called "Connectors"
It's had more name changes than SharePoint! Zoomit Via -> MMS -> MIIS -> ILM -> FIM -> MIM, plus DirSync, Azure AD Connect etc.

25 MIMSync "Toolkit"
A solution sample designed to allow SharePoint customers to get up and running quickly, for the most common scenario: Active Directory -> SharePoint
Effectively replicates SharePoint 2013 UPS capability: property mappings and basic sync operations
Originally the idea was that this tool would "migrate" 2013 configuration; it does not!
Hosted in the PnP Tools GitHub:
A PowerShell module which:
Imports and configures Metaverse and Management Agents from exported sample configuration
Provides PowerShell cmdlets for sync operations
Deploys provisioning code (a Rules Extension)
There is no requirement to use the MIMSync Toolkit! But we need the rules extension, or one we write ourselves

26 "Classic" Provisioning
Configuration using MIM Sync only is known as non-declarative "classic" synchronization, or classic provisioning
As opposed to declarative provisioning, the preferred approach to mapping identity within the MIM Portal, its workflow and so forth
Of course, one can deploy the MIM Portal and use declarative provisioning for many things, however at extra licensing and skills cost
We cannot remove classic provisioning entirely: SharePoint requires "legacy" join and projection rules
The Rules Extension deals with: the legacy "Anchor"; join and projection rules; User Profile schema "oddities" (basically making sure the profile is created correctly)
Beware: the Rules Extension has a hard coded MA name

27 Basic Deployment Steps
Learn about MIM Sync
Complete a planning worksheet in Excel or similar of your requirements!
Install Microsoft Identity Manager Synchronization Service and the SharePoint Connector
Create Management Agent accounts: AD requires Replicating Directory Changes on the domain(s) and the Configuration partition; SharePoint requires Farm Administrator
Configure SharePoint UPA and My Site Host: UPA NetBIOSDomainNamesEnabled = $true and NoIlmUsed = $false (Use External Identity Manager); Permission Policy and User Policy for the SharePoint MA account on the My Site web application
Use the MIMSync Toolkit to configure AD and SharePoint Management Agents*
Fix up Management Agent configuration: configure additional properties, filters
Perform sync runs
Update-SPProfilePhotoStore
Schedule sync runs
* In a development environment, then use PowerShell and MA export/import to deploy to production
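The account and farm prerequisites from this slide can be scripted rather than clicked through, which also makes them reviewable before they reach production. The following is an added example, not code from the session or from the MIMSync Toolkit, and everything in it that names an environment is an assumption: the domain DN, the two service account names, the My Site Host URL, and the choice of Full Control as the policy level for the SharePoint MA account (the slide names the policy but not the permission level it needs). Run it on a SharePoint server as a farm administrator; the dsacls calls also need rights to change ACLs on the AD partitions.

```powershell
# Added example: scripting the MIM Sync prerequisites for SharePoint 2016 (not the session's own code).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domainDn      = "DC=contoso,DC=com"     # assumption: forest root domain
$adMaAccount   = "CONTOSO\svc_mim_ad"    # assumption: AD Management Agent account
$spMaAccount   = "CONTOSO\svc_mim_sp"    # assumption: SharePoint Management Agent account
$mySiteHostUrl = "https://my.contoso.com" # assumption: My Site Host web application

# 1. AD MA account: Replicating Directory Changes on the domain and on the Configuration partition.
#    This is a control access right (CA), not a generic permission, so grant exactly this and nothing more.
& dsacls $domainDn /G "${adMaAccount}:CA;Replicating Directory Changes"
& dsacls "CN=Configuration,$domainDn" /G "${adMaAccount}:CA;Replicating Directory Changes"

# 2. SP MA account: member of the Farm Administrators group in Central Administration.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
            Where-Object { $_.IsAdministrationWebApplication }
$spMaClaim = New-SPClaimsPrincipal -Identity $spMaAccount -IdentityType WindowsSamAccountName
$caSite = $caWebApp.Sites[0]
$farmAdmins = $caSite.RootWeb.SiteGroups["Farm Administrators"]
$farmAdmins.AddUser($spMaClaim.ToEncodedString(), "", $spMaAccount, "MIM Sync SharePoint MA account")
$caSite.Dispose()

# 3. UPA flags from the slide: NetBIOS domain names on, NoIlmUsed off (= "Use External Identity Manager").
$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
$upa.NetBIOSDomainNamesEnabled = $true
$upa.NoILMUsed = $false
$upa.Update()

# 4. User Policy for the SP MA account on the My Site Host web application.
#    Full Control is an assumption here; use the level your connector documentation prescribes.
$mySiteWebApp = Get-SPWebApplication $mySiteHostUrl
$policy = $mySiteWebApp.Policies.Add($spMaClaim.ToEncodedString(), $spMaAccount)
$fullControl = $mySiteWebApp.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$policy.PolicyRoleBindings.Add($fullControl)
$mySiteWebApp.Update()

# Read-back so the result can be checked (and diffed) rather than trusted.
"NetBIOSDomainNamesEnabled = $($upa.NetBIOSDomainNamesEnabled); NoILMUsed = $($upa.NoILMUsed)"
$mySiteWebApp.Policies | Select-Object UserName, PolicyRoleBindings
```

The read-back at the end is the part worth keeping in a change ticket: the policy entries on the My Site web application and the two UPA flags are exactly what the DS admins and the SharePoint team need to agree on, and both are easy to get subtly wrong by hand.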

28 Demo: Identity Manager & SharePoint 2016

29 Demo Recap
Demo 0: Overview of SP2013 UPS and BCS scenario; common customer deployment
Demo 1: Configuring pre-requisites for MIM Sync
Use External Identity Manager
NetBIOSDomainNames
Replicating Directory Changes for the AD MA
Farm Administrator for the SP MA
My Site Host web application Permission Policy and User Policy
Using the MIM Toolkit to set up basic AD import
Addition of properties and filters
Synchronization operations
Dealing with the profile photo from AD thumbnailPhoto: Update-SPProfilePhotoStore

30 Demo Recap
Demo 2: Additional properties from a LOB system using the SQL MA
Creating new SharePoint profile properties
Creating additional Metaverse attributes
Configuring attribute flow
Multi-value data
Export to SharePoint
Refining synchronization operations
Dealing with errors and mistakes (mostly mistakes!)

31 Pointy Clicky!
A whole lotta pointing and clicking!
Very easy to make mistakes and get lost
We must have that planning spreadsheet to be successful
Automation is done after we have the setup we desire in the development environment

32 Important Notes
Profile pictures: if you are importing as binary data, you must have the correct policy on the web application hosting the My Site root site collection
Picture export from SharePoint to the AD user object is not yet implemented in the SharePoint Connector; the option is there, but it doesn't do anything
Use EIM option: get SharePoint 2016 up to date with a recent PU
Otherwise be aware of the problems with this option: you should not select the option, and must ensure no ADI Synchronization Connections are created; Manager and other reference data types will have problems (Manager population, Audience compilation etc.). Fixed with KB
Switching modes in production requires additional steps

33 Spence's Recommended Current Builds
SharePoint 2016: whatever the latest PU is. Seriously!
If the customer is not able to stay up to date with the build cadence, they shouldn't be running SharePoint 2016!
ZDP and patch quality vastly improve the story from previous releases
We ship some updates as Windows Update
Stay up to date with SharePoint builds:
Identity Manager 2016: Service Pack 1 ( )
There is NO good reason to still be on an earlier build
Brings in-place b2b upgrade
Adds support for Always On
Stay up to date with MIM builds:

34 Simple is always best
"ADI is perfect, except it doesn't import profile photos. What should we do?"
Would we deploy that new infrastructure and do all that work for just ADI plus photos? No.
We can read the thumbnailPhoto attribute and write it to the profile store in a half dozen lines of PowerShell and set that up as a Scheduled Task on the SharePoint boxes
No MIM, very little cost
Thus the answer is, "use ADI and some PowerShell to deal with photos"
Consider requirements before choosing the synchronization mode!
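What that "half dozen lines of PowerShell" looks like when written out with the checks a scheduled task needs is shown below. This is an added example, not the session's script: the domain, the LDAP search root (which should match the container the ADI connection imports), and the My Site Host URL are assumptions. It reads thumbnailPhoto for enabled users, uploads the image to the My Site Host's User Photos library, points the profile's PictureURL at it, and finishes with Update-SPProfilePhotoStore to generate the thumbnail sizes SharePoint actually serves.

```powershell
# Added example: ADI plus a scheduled PowerShell task for profile photos, no MIM (not the session's own code).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$mySiteHostUrl = "https://my.contoso.com"             # assumption: My Site Host
$searchRoot    = "LDAP://OU=Staff,DC=contoso,DC=com"   # assumption: same container as the ADI connection
$netbiosDomain = "CONTOSO"                             # assumption: NetBIOS name ADI uses in account names

function Import-AdThumbnailPhotos {
    # Only enabled user objects that actually carry a thumbnailPhoto.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($searchRoot)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(thumbnailPhoto=*)" +
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "thumbnailPhoto"))

    $site = Get-SPSite $mySiteHostUrl
    try {
        $web    = $site.RootWeb
        $folder = $web.GetFolder("User Photos/Profile Pictures")   # library created by the My Site Host template
        $upm    = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager(
                      (Get-SPServiceContext $site))
        $updated = 0

        foreach ($result in $searcher.FindAll()) {
            $sam     = [string]$result.Properties["samaccountname"][0]
            $bytes   = [byte[]]$result.Properties["thumbnailphoto"][0]
            $account = "$netbiosDomain\$sam"

            # ADI owns profile creation; if the profile is not there yet, leave it for the next run.
            if (-not $upm.UserExists($account)) { continue }

            # Upload the raw JPEG; Update-SPProfilePhotoStore makes the _SThumb/_MThumb/_LThumb sizes.
            $fileName = "{0}_{1}.jpg" -f $netbiosDomain, $sam
            $file = $folder.Files.Add($fileName, $bytes, $true)

            $userProfile = $upm.GetUserProfile($account)
            $userProfile["PictureURL"].Value = $site.MakeFullUrl($file.ServerRelativeUrl)
            $userProfile.Commit()
            $updated++
        }
    }
    finally {
        $site.Dispose()
    }

    # Generate thumbnails and rewrite PictureURL to the medium-size image, as the slide's last step does.
    Update-SPProfilePhotoStore -MySiteHostLocation $mySiteHostUrl -CreateThumbnailsForImportedPhotos $true
    return $updated
}

$count = Import-AdThumbnailPhotos
"Profile photos imported: $count"
```

Schedule it on one SharePoint server, after the ADI timer job has had time to run, under an account that can write to the My Site Host; the LDAP filter does the same job as the ADI container and filter selection, so keep the two in step or photos will be imported for users who never get a profile.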

35 Field Reality
A customer with a large existing FIM deployment is unlikely to upgrade to MIM solely to use the SharePoint Connector; upgrading a running and working FIM in a large corporation is an extremely big and risky decision!
The current connector is only officially supported on MIM. FIM 2010 R2 needs the old connector
A customer who doesn't use FIM/MIM today needs to understand the additional infrastructure investment: VMs, SQL, skills
Everything I've shown you works with SharePoint 2013; however, the "Use EIM option" issues are NOT fixed
Business Continuity Management for FIM could potentially now be your problem: the latest release brings Always On Recovery Group support; FIM Sync HA basically means failover clustering; the latest release allows in-place b2b upgrade
Upgrade (from UPS to MIM): there isn't any. Period! You will have to configure MIM to deliver the same functionality, and make some decisions, just as we saw in the demo

36 Wrap Up

37 Summary
Leverage Active Directory Import if it meets customer needs: extremely fast, reliable and efficient
For other scenarios, Microsoft Identity Manager is the most capable toolset on the market; however a significant "skill up" is required
Consider other approaches for "middle ground" requirements, e.g. PowerShell, custom code for profile picture import, 3rd party toolsets such as Hyperfish
Understanding the SharePoint Profile Store, APIs and jobs is still very important
And always remember... Plan, plan, plan!
"Identity is the primary key to a successful SharePoint deployment"

38 Toolkit Update
Since initial release the toolkit has not seen active contribution: customer frustration, mis-set expectations
As of May, Spence will be the "custodian" of the bits: maintain the module, rules extension and sample configurations; conduit for fixes to SharePoint and/or the SharePoint Connector; providing new/updated documentation
Will remain part of the SharePoint / PnP-Tools repository on GitHub
Will use the same approach to contribution as the rest of the PnP-Tools

39 Toolkit Update
What will we be doing:
Fixing genuine "bugs" such as version detection, container selection
Addressing things that UPS did that the toolkit does not, e.g. missing properties, filtering
Updating documentation
Providing new documentation for non AD-only scenarios
Listening to customer feedback
Commitment to the model, and addressing bugs within component systems: SharePoint Profile APIs, SharePoint Connector
What will we not be doing (at least in the short term):
Re-architecting it to be all things to all customers
Providing a user interface for configuration
Promoting the deployment of other MIM components (e.g. Service & Portal)

40 Resources
Many FIM/MIM related posts over at http://www.harbar.net
Recently published: Arch Overview:
Deployment Considerations: (needs considerable updates, happening soon!)
Install:
Using the sample:
Watch out for dubious and/or semi-accurate guidance: it discusses the SP MA config from a FIM perspective, but doesn't detail many important considerations
The best comprehensive material at present is the old docs for the "old" MA:
Generally speaking you will get more sense from a MIM person than a SharePoint one (on this subject), but the MIM person is often entirely ignorant of the User Profile Service and its quirks
Learn the FIM/MIM lingo: *nobody* calls a Management Agent a Connector!
Great book, but covers the whole product, with not much detail on MIM Sync / classic provisioning

42 Please evaluate this session
From your PC or tablet: visit MyIgnite
Phone: download and use the Microsoft Ignite mobile app
Your input is important!


