Overview & Setup of MIM Configuration as External Identity Manager in SharePoint 2016


Previous versions of SharePoint Server had a built-in copy of Forefront Identity Manager (FIM) that ran inside SharePoint Server. That version of FIM powered User Profile Synchronization for products like SharePoint Server 2010 and SharePoint Server 2013. In SharePoint Server 2016, however, FIM has been removed in favor of Microsoft Identity Manager (MIM), the successor to the FIM technology. MIM is a separate server product (not built into SharePoint Server). That means that if you have MIM running in your company, more than one SharePoint Server 2016 farm can rely upon it.

In this blog I will talk about the various things you need to do to set up MIM as the External Identity Manager for the User Profile Service Application (UPA). The two scenarios for setting up the UPA in SharePoint 2016 are:

1. Upgrade from a SharePoint 2013 environment:

If you need to migrate the existing User Profile data to a new SharePoint 2016 environment, you can take a backup of the Profile database and the Social database and use them to create a new UPA in 2016. There is no option to export the existing FIM configuration and import it into MIM. You would need to set up a new MIM installation and follow the steps provided for the new setup configuration below. Additional configuration will be required to set up the existing custom property mappings, which is also discussed later in this article.

Note: The solution/documentation provided at the GitHub site regarding the upgrade scenario is obsolete, and we are in the process of updating it.

2. Fresh installation of the User Profile Service Application using an External Identity Manager (MIM)

Please refer to the links below for the steps to install, deploy and configure the MIM solution in SharePoint 2016 post you have created

Install Microsoft Identity Manager for User Profiles in SharePoint Server 2016

Deploy a new Microsoft Identity Management (MIM) server for User Profile Sync in SharePoint 2016

MIM 2016 with SharePoint 2016 User Profile service: Import Custom Property from Active Directory


Additional points to keep in mind before you migrate and set up an External Identity Manager

1. Always use the Sync setting in the UPA as "Active Directory Import", even if you plan to use an External Identity Manager (MIM or anything else) for sync, due to known issues with Manager and Audience compilation documented here.

2. If you switch between Active Directory Import and External Identity Manager after the initial configuration, additional steps may be required for sync to work, documented here.

3. The current MIM configuration supports one-way sync from AD to SharePoint.

4. The scenario of exporting pictures from SharePoint to the AD user object is not implemented yet, so you would need to plan around this before migrating.

5. There is no option for BCS integration to augment additional profile properties as in SharePoint 2013; this has to be handled natively via the options/connectors that the MIM solution provides for integration.

6. Although the Sync DB is provisioned with the UPA service application in 2016, it is not used and is there only for compatibility reasons. The MIM installation has its own implementation of a Sync DB, managed separately outside of SharePoint.

7. You do not need to start the Synchronization service in the SharePoint 2016 farm at all, although it is still available.

8. You can create new user properties in the UPA; however, the mappings can no longer be performed in SharePoint. The mappings are now performed using MIM's MIISClient.exe utility.

9. When you use an External Identity Manager, you should enable the NetBIOSDomainNamesEnabled property on the UPA service application as soon as you create it, to support scenarios where your domain's NetBIOS name differs from the domain's FQDN.
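Point 9 above is easy to miss because the property is not exposed in Central Administration. The following PowerShell is an added example (not part of the original post) that enables NetBIOSDomainNamesEnabled on a freshly created UPA and then re-reads the object from the farm to confirm the value persisted. It assumes the SharePoint 2016 Management Shell on a farm server, a farm administrator account, and a UPA display name of "User Profile Service Application" (assumed; adjust to your farm).

```powershell
# Added example, not from the original post.
# Load the SharePoint snap-in if this is a plain PowerShell console.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Assumed display name of the UPA; list them with Get-SPServiceApplication if unsure.
$upaName = "User Profile Service Application"

$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -like "*User Profile*" -and $_.DisplayName -eq $upaName }

if (-not $upa) {
    throw "UPA '$upaName' not found. Check the display name with Get-SPServiceApplication."
}

# Enable NetBIOS domain name support before the first sync runs (see point 9).
if (-not $upa.NetBIOSDomainNamesEnabled) {
    $upa.NetBIOSDomainNamesEnabled = $true
    $upa.Update()
    Write-Host "NetBIOSDomainNamesEnabled set to True on '$($upa.DisplayName)'."
} else {
    Write-Host "NetBIOSDomainNamesEnabled was already True on '$($upa.DisplayName)'."
}

# Verify against a fresh copy of the object rather than the in-memory one.
$check = Get-SPServiceApplication -Identity $upa.Id
"Verified NetBIOSDomainNamesEnabled = {0}" -f $check.NetBIOSDomainNamesEnabled
```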


Post By : Rajan Kapoor [MSFT]


Comments (7)

  1. Mohammed Hussain says:

    I managed to install and configure MIM 2016 successfully and upgraded the user profile service app from the SharePoint 2013 UPS databases (Profile and Social). So far everything seems to be working, but the profiles of disabled users in AD are not getting deleted from SharePoint UPS with either full/delta sync in SP 2016. I have the exclusion filter applied on the user object "userAccountControl bit on equals 2" in ADMA, but it still doesn't seem to be removing disabled users.

    Am I missing any configuration, especially when dealing with upgraded profile and social DBs in SP 2016? Your help is much appreciated.

    1. Spses says:

      Hi Mohammed,
      We do not see any such issues raised so far, and a quick test in our test farm shows that the user is getting marked as 1 for the bdeleted value. However, in 2016 the profiles will not be deleted immediately after the My Site cleanup job is executed. The items will be updated in the UserProfilesScheduledforRemoval table and you can see when the items will be cleared/deleted.
      A couple of points that you could verify here
      1. Make sure that the OU where the user is placed, is marked for sync
      2. Make sure that the AD doesn't have the Recycle Bin feature enabled; if so, we will need to apply an extra connection filter.

      ref: https://social.technet.microsoft.com/wiki/contents/articles/33819.sharepoint-2016-user-profile-service-and-mim-apply-the-connection-filter.aspx
      Please feel free to create a support case if you wish us to review and troubleshoot the issue at your end.

      1. MP says:

        Hi ,
        I am seeing exactly the same issue as Mohammed. We have an environment running SharePoint 2016 using MIM. I have already configured the ADMA connection filter to exclude userAccountControl Bit on equals 0x2.
        However, accounts are not getting marked for deletion after running a Full import, and I can still see disabled/terminated accounts in User Profile. Everything else, e.g. add, update, is working.

        1. Spses says:

          Hi,
          There are some issues that we are currently working on for deleting the profiles that are marked as deleted (bdeleted=1). If your issue is that a user is not even getting marked as bdeleted = 1, then we will need to confirm the following:
          1. Make sure that the OU where the user is placed is marked for sync. In other words, the user that you are testing may be a non-imported user. If so, please run the set-spprofileserviceapplication command with -purgenonimportedobjects as $true.
          2. Make sure that the AD doesn't have the Recycle Bin feature enabled; if so, we will need to apply an extra connection filter (isdeleted). The filter userAccountControl Bit on equals 0x2 is only for disabled users, and deleted users are handled internally.

  2. Velu says:

    Is it necessary to plan for MIM in SharePoint 2016, or will it work as before without installing MIM by default?

    1. Spses says:

      Hi Velu,
      SharePoint 2016 User Profile sync works in 2 modes: one is the AD Import mode (similar to SP 2013) and the other is the External MIM integrated mode. If you want to use the MIM integrated mode, you will need to install it separately; it doesn't get installed along with the SharePoint product installation. AD Import has some limitations, please refer: https://technet.microsoft.com/en-us/library/jj219646.aspx
