Automatic execution of Run Profiles in MIM 2016 with PowerShell [Full Guide]




Today I suggest we look at how to automate the execution of import / export and synchronization tasks in MIM 2016 with PowerShell.


Step 1 – Background and prerequisites


For this you need a working MIM installation. My use case is the following: I have 2 Management Agents, each connected to an Active Directory source. My goal is to read certain ADUsers and ADGroups from each AD and create associated contacts, which I then export to the other AD sources based on specific criteria and with a specific naming convention (handy for populating different LAGs on specific criteria).


So I have my 2 Management Agents ready to run (with very precise import rules, projection and join rules, and attribute flows).




And I have the following run profiles:




  • DELTA_IMPORT

  • DELTA_SYNC

  • EXPORT

  • FULL_IMPORT

  • FULL_SYNC

These 5 profiles allow me to define two operating scenarios:


  1. Weekly / weekend scenario: This is the heaviest scenario. It runs once a week with the following sequence: FULL_IMPORT, FULL_SYNC, EXPORT. It can be quite heavy (depending on the volume of information in the AD sources) since it performs every action from scratch: it re-reads ALL of AD and re-performs ALL synchronization. In this mode all accounts are analyzed again and pass through all the provisioning rules.

  2. Daily scenario: This is a lighter scenario that only performs delta operations, that is, the changes that have not yet been processed. It is a lighter script that can be run on weekdays. It runs the following profiles in succession: DELTA_IMPORT, then DELTA_SYNC, then EXPORT.



The objective now is to translate the execution of these 2 scenarios into PowerShell. In the end, we need a script that can run a Management Agent with a given profile. Calling each MA in succession with the desired profiles then lets us express the Daily or Weekly scenario:


  • Scenario Daily:
    • Foreach MA
      • Call MA n with Profile DELTA_IMPORT


    • Foreach MA
      • Call MA n with Profile DELTA_SYNC


    • Foreach MA
      • Call MA n with Profile EXPORT



  • Scenario Weekly:
    • Foreach MA
      • Call MA n with Profile FULL_IMPORT


    • Foreach MA
      • Call MA n with Profile FULL_SYNC


    • Foreach MA
      • Call MA n with Profile EXPORT



Step 2 – PowerShell: check that no MA is running


We will start by preparing a function that checks whether a Management Agent is already running. This avoids the errors produced by calling the same MA several times or by trying to start a profile while another is already running.


    function Check-IfMAisRunning {
        # Read the MIM run history (the same data as the Operations tab of the console)
        $MIMHistory = Get-WmiObject -Class 'MIIS_RunHistory' -Namespace "root\MicrosoftIdentityIntegrationServer"
        [bool] $MaRunning = $false
        foreach ($object in $MIMHistory) {
            # "in-progress" and "stopping" both mean that a run is still active
            if ($object.RunStatus -eq "in-progress" -or $object.RunStatus -eq "stopping") {
                $MaRunning = $true
                break
            }
        }
        return $MaRunning
    }

There are various status codes in MIM that can indicate many things, including an inability to connect to data sources (AD not available, wrong login / password …), but overall 2 statuses mean that a Management Agent is running: in-progress (running) or stopping (shutting down after a manual stop requested by a user).


By retrieving the MIM run history in this way, we can inspect the status of each run ($MIMHistory.RunStatus) and return True if an MA is already executing. The WMI class MIIS_RunHistory returns the same MA run history that the console shows graphically in the Operations tab.




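Step 3 – PowerShell: function to run an MA with a given run profile


We will now create a function that runs an MA with a given profile.


    # Run profiles this script is allowed to execute (adjust to your own case)
    $ProfilesAllowed = @("FULL_IMPORT", "FULL_SYNC", "DELTA_IMPORT", "DELTA_SYNC", "EXPORT")

    function Launch-ManagementAgent {
        param (
            [parameter(Mandatory=$true)] [string] $AskedManagementAgent,
            [parameter(Mandatory=$true)] [string] $Profile
        )
        # Check that no MA is currently running - otherwise, we break
        $IsMARunning = Check-IfMAisRunning
        if ($IsMARunning -eq $true) {
            Write-Host "[ERROR] - One MA is currently running - Please wait until every MA has stopped before trying to launch another - Exiting"
            break
        }
        # Check that the requested profile exists - otherwise, we break
        $IsThisProfileExist = $ProfilesAllowed.Contains($Profile)
        if ($IsThisProfileExist -ne $true) {
            Write-Host "[ERROR] - Only the following Profiles are supported: FULL_IMPORT, FULL_SYNC, DELTA_IMPORT, DELTA_SYNC, EXPORT"
            break
        }
        # Get the requested MA object ($MIMComputer holds the MIM server name and is set elsewhere in the script)
        $MA = Get-WmiObject -Class "MIIS_ManagementAgent" -Namespace "root\MicrosoftIdentityIntegrationServer" -ComputerName $MIMComputer |
            Where-Object { $_.Name -eq $AskedManagementAgent }
        # The published listing ends at the query above; the rest follows the article's
        # description: check that the MA exists, run the profile and time the run
        if ($null -eq $MA) {
            Write-Host "[ERROR] - Management Agent $AskedManagementAgent does not exist"
            break
        }
        $Start = Get-Date
        $Result = $MA.Execute($Profile)
        $Elapsed = (Get-Date) - $Start
        Write-Host "[INFO] - $AskedManagementAgent / $Profile : $($Result.ReturnValue) in $($Elapsed.TotalSeconds) s"
    }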

The comments should be clear enough, but let us go back over the details of this function. The objective is:


  • a plain array stores the profile types that are allowed to be executed (adjust it to your own case)

  • the function takes as parameters the name of the Management Agent and the profile to execute

  • it then carries out the following checks:
    • we check that no MA is already running (with the previous function),

    • we check that the requested MA and profile do exist,

    • the call to the WMI class MIIS_ManagementAgent provides the list of available MAs (and so lets us check that the requested MA really exists),

  • if all the conditions are met, it runs the Management Agent and measures the execution time (the version of the script presented in this article is slightly simplified; in a real situation, I log more things).

This gives the output below: the MA is run with the desired profile. We have the total time and we know that it was a success.




In this example, I chose to Break at the slightest problem. But feel free to throw, write a log or report back to the user, depending on the problems you might encounter in your use case.


Step 4 – PowerShell: creating a function to manage our two scenarios: Weekly / Daily


We now have to create a function that calls the MAs in succession with the desired profiles, depending on the scenario.


    # All Active Directory Management Agents on the MIM server
    $MIMMAList = Get-WmiObject -Class "MIIS_ManagementAgent" -Namespace "root\MicrosoftIdentityIntegrationServer" -ComputerName $MIMComputer |
        Where-Object { $_.Type -eq 'Active Directory' }

    function LaunchScenario {
        param (
            [parameter(Mandatory=$true)] [string] $Scenario
        )
        $AllMA = $MIMMAList
        $Results = @()
        switch ($Scenario) {
            'Weekly' {
                Write-Host "[DEBUG] - Launching Weekly scenario - Composed of: FULL_IMPORT + FULL_SYNC + EXPORT"
                # Full_Import for all MA
                foreach ($ma in $AllMA) {
                    Launch-ManagementAgent -AskedManagementAgent $ma.Name -Profile "FULL_IMPORT"
                }
                # Full_Sync for all MA
                foreach ($ma in $AllMA) {
                    Launch-ManagementAgent -AskedManagementAgent $ma.Name -Profile "FULL_SYNC"
                }
                # Export for all MA
                foreach ($ma in $AllMA) {
                    Launch-ManagementAgent -AskedManagementAgent $ma.Name -Profile "EXPORT"
                }
            }
            'Daily' {
                Write-Host "[DEBUG] - Launching Daily scenario - Composed of: DELTA_IMPORT + DELTA_SYNC + EXPORT"
                # Delta_Import for all MA
                foreach ($ma in $AllMA) {
                    Launch-ManagementAgent -AskedManagementAgent $ma.Name -Profile "DELTA_IMPORT"
                }
                # Delta_Sync for all MA
                foreach ($ma in $AllMA) {
                    Launch-ManagementAgent -AskedManagementAgent $ma.Name -Profile "DELTA_SYNC"
                }
                # Export for all MA
                foreach ($ma in $AllMA) {
                    Launch-ManagementAgent -AskedManagementAgent $ma.Name -Profile "EXPORT"
                }
            }
        } # End of Switch
    }

This last function takes the name of the desired scenario as a parameter and, depending on it, runs each Management Agent in succession with the profiles that correspond to the requested scenario.


So we now call the function with LaunchScenario -Scenario daily. We get the following output:




Everything goes well: the script runs as desired for each MA / profile pair. You can also check this in the MIM console.
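A variant of the scenario runner that stops before the next phase when any MA reports a status other than success, so that an EXPORT never writes to the connected directories after a failed import or sync. This is an added example, not part of the original script; `Invoke-GatedScenario`, the `$Runner` hook, the MA names AD_A / AD_B and the failing status value are constructed for illustration.

```powershell
# Phase order per scenario, as defined in Step 1
$ScenarioPhases = @{
    Daily  = @('DELTA_IMPORT', 'DELTA_SYNC', 'EXPORT')
    Weekly = @('FULL_IMPORT',  'FULL_SYNC',  'EXPORT')
}

function Invoke-GatedScenario {
    param (
        [Parameter(Mandatory=$true)] [ValidateSet('Daily','Weekly')] [string] $Scenario,
        [Parameter(Mandatory=$true)] [string[]] $MANames,
        # Hypothetical hook: runs one MA / profile pair and returns the run status string.
        # Against a real server it would wrap the Execute() call on the MIIS_ManagementAgent object.
        [Parameter(Mandatory=$true)] [scriptblock] $Runner
    )
    $log = @()
    foreach ($phase in $ScenarioPhases[$Scenario]) {
        $failed = $false
        foreach ($name in $MANames) {
            $status = & $Runner $name $phase
            $log += [pscustomobject]@{ MA = $name; Profile = $phase; Status = $status }
            # Strict gate: only 'success' lets the scenario continue; widen it to the
            # statuses you accept in your own environment
            if ($status -ne 'success') { $failed = $true }
        }
        if ($failed) {
            Write-Warning "Phase $phase did not succeed on every MA - remaining phases skipped"
            break   # leaves the phase loop: no sync or export on incomplete data
        }
    }
    return $log
}

# Constructed sample: AD_B fails its delta import, so DELTA_SYNC and EXPORT must not run
$fakeRunner = {
    param($maName, $runProfile)
    if ($maName -eq 'AD_B' -and $runProfile -eq 'DELTA_IMPORT') { 'stopped-connectivity' } else { 'success' }
}
Invoke-GatedScenario -Scenario Daily -MANames 'AD_A', 'AD_B' -Runner $fakeRunner | Format-Table
```

With the sample runner the returned log contains only the two DELTA_IMPORT rows, which is also what you want to write to your own log file before alerting.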


Step 5 – Schedule automatic script execution


That is it for the script itself. You can now go further and schedule its automatic execution according to your needs, either with a dedicated orchestrator or directly with the Task Scheduler available in Windows Server. For this, I invite you to visit this link
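One way to register the two scenarios with the Windows Task Scheduler cmdlets, as an added example that is not part of the original script. Assumptions: the script is saved as C:\Scripts\Run-MIMScenario.ps1 and accepts a -Scenario parameter, and CONTOSO\svc-mimrun$ is a group managed service account that is allowed to run MIM run profiles; both names are hypothetical.

```powershell
$ScriptPath = 'C:\Scripts\Run-MIMScenario.ps1'   # hypothetical path to the script from this article
$RunAs      = 'CONTOSO\svc-mimrun$'              # hypothetical gMSA: no password stored in the task

function New-MIMScenarioTask {
    param (
        [Parameter(Mandatory=$true)] [ValidateSet('Daily','Weekly')] [string] $Scenario,
        [Parameter(Mandatory=$true)] [System.DayOfWeek[]] $Days,
        [Parameter(Mandatory=$true)] [datetime] $At
    )
    # Non-interactive PowerShell, no user profile loaded, scenario passed as an argument
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`" -Scenario $Scenario"

    # A weekly trigger restricted to the chosen days covers both scenarios
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $Days -At $At

    # Dedicated service identity, not elevated
    $principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password -RunLevel Limited

    # Never start a second instance of the same task, and stop a run that hangs
    $settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
        -ExecutionTimeLimit (New-TimeSpan -Hours 12)

    Register-ScheduledTask -TaskName "MIM-$Scenario" -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings
}

# Daily scenario on weekdays, Weekly scenario at the weekend
New-MIMScenarioTask -Scenario Daily  -Days Monday, Tuesday, Wednesday, Thursday, Friday -At '01:00'
New-MIMScenarioTask -Scenario Weekly -Days Saturday -At '01:00'
```

The IgnoreNew setting only protects each task from itself; if the Weekly run is still going when a Daily run starts, it is the check from Step 2 that makes the Daily run stop.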


The entire script is available for download:

