FIMService: Convert Static Group to Dynamic

Following on from my previous post on how to create a group with both static members and a dynamic filter, I came across a scenario post migration: some customers initially had a group with explicit members, but we thought it could be converted to a filter-based group which matches the business case.

The script below helps you do the same, again using LithnetRMA for the process.

Warning: Again, the script uses a lot of custom attribute logic in FIMService that is specific to my environment, but you will get the whole idea. I have left the script as-is and not dumbed it down.

Please read my Groups with Static and Dynamic Members in FIMService post to understand the logic I have been applying for Autogen groups and how group and set tie up to each other in FIMService.


  • Asks for existing group name (DisplayName) in FIMService.
  • If found, outputs the number of explicit members found
  • Asks if you want to put a filter on the group and then asks for the XPATH filter (coming soon on how to create XPATH easily)
  • Checks if the filter is valid. If so (the fun part)
    • Outputs the count of users in the new filter
    • Compares the filter users to explicit members and gives a count of
      • New members to be added due to filter (i.e. not found in the explicit members list)
      • Count of common members found between existing explicit members and XPATH
      • Finally gives count of explicit members for the new set to be created (i.e. not found in the new filter).
  • Finally if the user wants to continue after above information
    • Creates a set named “Autogen-GroupName” and sets the filter and explicit members on it
    • Modifies the existing group and deletes the current explicit members
    • Converts the existing group to a filter-based group and sets the objectID of the set created above.
  • Done
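
The comparison step from the list above, as an added example (not the author's script). It is read-only and assumes the LithnetRMA module is loaded against your FIMService and that the filter targets Person objects; it shows who would gain membership before anything is converted.

```powershell
# Added example: read-only comparison, nothing is written to FIMService.
Import-Module LithnetRMA

$groupName = Read-Host 'Existing group DisplayName'
$xpath     = Read-Host 'XPath filter for the new membership'

try {
    $group = Get-Resource -ObjectType Group -AttributeName DisplayName -AttributeValue $groupName
} catch {
    throw "Group '$groupName' not found or not unique: $($_.Exception.Message)"
}

# ExplicitMember is a multivalued reference; keep each member's GUID string
$ci = [StringComparer]::OrdinalIgnoreCase
$explicit = [System.Collections.Generic.HashSet[string]]::new($ci)
foreach ($m in @($group.ExplicitMember)) {
    if ($null -ne $m) { [void]$explicit.Add($m.Value) }
}
Write-Host "Explicit members found: $($explicit.Count)"

# An invalid XPath makes the search throw; a filter that matches nobody is refused too
try {
    $hits = @(Search-Resources -XPath $xpath -AttributesToGet @('DisplayName') -PageSize 100)
} catch {
    throw "Filter rejected by FIMService: $($_.Exception.Message)"
}
if ($hits.Count -eq 0) { throw 'Filter matched no users; stopping.' }

$filtered = [System.Collections.Generic.HashSet[string]]::new($ci)
foreach ($h in $hits) { [void]$filtered.Add($h.ObjectID.Value) }

# The three counts described in the list above
[pscustomobject]@{
    FilterCount  = $filtered.Count
    NewByFilter  = @($filtered | Where-Object { -not $explicit.Contains($_) }).Count
    Common       = @($explicit | Where-Object { $filtered.Contains($_) }).Count
    ExplicitOnly = @($explicit | Where-Object { -not $filtered.Contains($_) }).Count
}

# Users who would gain membership through the filter: review these before converting
$hits | Where-Object { -not $explicit.Contains($_.ObjectID.Value) } |
    Select-Object DisplayName, ObjectID
```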

Hope it helps.. Please like, share or leave a comment below..

Groups with Static and Dynamic Members in FIMService

We had a business case whereby a filter couldn’t really create groups which catered for the purpose. We also needed to put in some static members (Explicit Members) in it.

Now by default a /Group in FIMService can be either an Explicit or a Filter type group. But a Set allows you to have explicit members as well as a filter on it.

WARNING: Many custom attributes are used for our purpose but you hopefully will get the gist of it


So I came up with a design for such groups (we identify them by Autogen and have an attribute called accountType):

  • Create a Set with Autogen-{GroupName} with an accountType = AutogenSet
  • Set the filter and explicit members needed on the set
  • Create a filter group with Autogen-{GroupName} with an accountType = AutogenGroup
  • Put the ResourceID of the new group on the set in an attribute called ‘connectedGroupObjectID’, and vice versa the ResourceID of the set on the group in ‘connectedSetObjectID’. This gives the relation between the group and the set
  • Set the filter on this group as


  • Create an auth workflow with delete resource and target = [//Target/connectedSetObjectID]
  • Create a set which has ‘All Autogen Groups’
  • Create an MPR which ties the above together, i.e. when a delete resource happens for anything in the set ‘All Autogen Groups’, run the auth workflow, which will delete the set as well
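
Since the delete workflow and the group membership both depend on the two link attributes, a periodic check that every pair still points at each other is useful. The following read-only audit is an added example (not the author's code); it assumes LithnetRMA and the attribute names and accountType values described above.

```powershell
# Added example: read-only audit of the Autogen group <-> set links.
Import-Module LithnetRMA

# The custom link attributes may be reference or string typed; reduce both to a bare GUID
function Get-IdString($v) {
    if ($null -eq $v) { return $null }
    $s = if ($v -is [string]) { $v } else { $v.Value }
    return ($s -replace '^urn:uuid:', '').ToLowerInvariant()
}

$groups = @(Search-Resources -XPath "/Group[accountType = 'AutogenGroup']" `
    -AttributesToGet @('DisplayName', 'connectedSetObjectID') -PageSize 100)
$sets = @(Search-Resources -XPath "/Set[accountType = 'AutogenSet']" `
    -AttributesToGet @('DisplayName', 'connectedGroupObjectID') -PageSize 100)

# Index sets by ObjectID so each group's pointer resolves without another query
$setById = @{}
foreach ($s in $sets) { $setById[(Get-IdString $s.ObjectID)] = $s }

$findings = @()
$claimed  = @{}
foreach ($g in $groups) {
    $gid = Get-IdString $g.ObjectID
    $sid = Get-IdString $g.connectedSetObjectID
    if (-not $sid) { $problem = 'group has no connectedSetObjectID' }
    elseif (-not $setById.ContainsKey($sid)) { $problem = 'linked set missing or not an AutogenSet' }
    elseif ((Get-IdString $setById[$sid].connectedGroupObjectID) -ne $gid) {
        $problem = 'set does not point back to this group'
    }
    else { $claimed[$sid] = $true; continue }
    $findings += [pscustomobject]@{ Type = 'Group'; Name = $g.DisplayName; ObjectID = $gid; Problem = $problem }
}

# Sets that no group correctly claims would survive the deletion of their group
foreach ($sid in $setById.Keys) {
    if (-not $claimed.ContainsKey($sid)) {
        $findings += [pscustomobject]@{ Type = 'Set'; Name = $setById[$sid].DisplayName
            ObjectID = $sid; Problem = 'no AutogenGroup is correctly linked to this set' }
    }
}

$findings | Format-Table -AutoSize
```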


Wrote a script so that these groups, sets and links can be created in one go using FIM/MIM Service Powershell Module.


  • I assume user already knows the XPATH for his filter (Will help you on how to create it easily as well in a post coming soon).
  • Many custom attributes have been used in FIMService. They are not necessarily needed for your environment, but you get the bigger picture.
  • I am really bad at powershell so don’t be surprised if you see some ‘what the hell did he do that for?’ moment 🙂 You will definitely find mistakes but hey.. works for me.. Still please point it out 🙂


This script was written by me quite specifically for our environment and therefore contains a lot of custom attributes and logic. This is just to give an idea of what we do / can do with the idea. I have decided not to dumb it down and present it as-is. If you get confused somewhere please do contact me or leave a comment.

  • Asks for DisplayName (Mandatory)
  • Asks for a requestedAccountName (Mandatory in our env to generate sAMAccountName and AccountName)
  • Asks for an owner AccountName / uid (Mandatory in our environment to set as the owner of the group)
  • Asks if the Group will have a mail address (if so then we populate some additional attributes to provision to GoogleApps)
    • If Mail Enabled then asks for some additional attributes to be set like
      • Mail Prefix (to generate the mail address)
      • Posting Permission
      • To be hidden from Global Address List or not
      • Is it going to be used as a Security Group in AD (sets as Distribution else as MailEnabledSecurity)
    • If not then sets it as a Security Group
  • Asks for the XPATH Filter, then checks that it is correct and returns some users; otherwise it exits.
  • Creates the Set and adds the above filter to it
  • Creates the Group
    • Sets the filter pointing to the set above
  • Links the two
  • Done

The only thing it doesn’t do is setting explicit members to the set which is done manually after creation.


On the sync side you will simply see one Group come out, with its Member attribute containing the combination of both ExplicitMembers and ComputedMembers.

Hope this helps someone in their “complex business” environment.

Composite write back to FIMService via Powershell

So if you have a large number of objects to update in FIMService it could be complicated..

Lithnet FIM/MIM Powershell Module makes it so much simpler..

Below is a script I used to update all accounts which have “accountType” = oldaccounts and set “accountBlocked” to true (my custom schema).

Some explanations

  • I have set PageSize = 100, which means if you are returning more than that number, process only 100 at a time.
  • I have set “-AttributesToGet”, which gives me only the attributes I want

See how easy that is? You can do multiple operations before Save-Resource and thus do a bunch of changes to, say, 1000 users, and in 10 saves it will be done!!!

PS: As you can see it's kept simple for demonstration and is not doing any error handling etc.
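
A version of the bulk update described above with the error handling added, as an example written for this page (not the author's script). It assumes LithnetRMA and the custom attributes accountType and accountBlocked; the explicit batching of 100 objects per save is this example's choice.

```powershell
# Added example: block all 'oldaccounts' in batches, recording batches that fail.
Import-Module LithnetRMA
$batchSize = 100

# PageSize sets how many objects each search page pulls;
# AttributesToGet keeps the payload to the attributes actually needed
$accounts = @(Search-Resources -XPath "/Person[accountType = 'oldaccounts']" `
    -AttributesToGet @('AccountName', 'accountBlocked') -PageSize $batchSize)

# Touch only objects that are not already blocked, so a rerun changes nothing
$pending = @($accounts | Where-Object { $_.accountBlocked -ne $true })
foreach ($a in $pending) { $a.accountBlocked = $true }
Write-Host "$($pending.Count) of $($accounts.Count) accounts need updating"

$failed = @()
for ($i = 0; $i -lt $pending.Count; $i += $batchSize) {
    $last  = [Math]::Min($i + $batchSize, $pending.Count) - 1
    $batch = @($pending[$i..$last])
    try {
        # Passing several resources in one call sends them as a single save
        Save-Resource -Resources $batch -ErrorAction Stop
        Write-Host "Saved $($last + 1) of $($pending.Count)"
    } catch {
        # Keep going, but remember which accounts were in the failed batch
        $failed += [pscustomobject]@{
            Accounts = ($batch | ForEach-Object { $_.AccountName }) -join ','
            Error    = $_.Exception.Message
        }
    }
}

if ($failed.Count -gt 0) {
    $failed | Format-List
    throw "$($failed.Count) batch(es) failed; the accounts listed above were not updated"
}
```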

Scheduling Syncs for ADConnect Maintenance

We have loads of objects in our AD / Azure AD.. we believe doing regular Full Imports and Full Syncs for all the MA’s is a good way to make sure Sync engine is healthy.

I had recently visited #MSAUIGNITE 2017 in Gold Coast, Australia, and the SMEs there suggested Full Sync is not needed in environments unless there has been a connector change. But I disagree: I consider ADConnect the same as Microsoft Identity Manager (MIM / FIM), and from experience we have seen that for a good healthy sync engine we should do FI / FS for maintenance.

After doing some initial sync timings, found our FI from Azure took 9 hrs and FS took about 2 hrs. Likewise from AD FI took 1 hr and FS took 2 hrs.

Decided we wanted to schedule each FI and FS to make sure sync engine is all caught up out of business hours.


  • The MA is called “AzureAD”
  • Run Profile Name is called “Full Import”

Do the following on our ADConnect Sync Box

  • Create a powershell script with the following code and save it as “AzureFI.ps1” at a location say D:\SyncScript

  • Create a scheduled task in Task Scheduler and run it as the same user which runs the sync engine.
  • Schedule it once a week / month as per your requirement. As per your initial tests, you can schedule it out of business hours say 10pm and by morning it is finished.
  • For action
    • Action: Start a Program
    • Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • Argument: -ExecutionPolicy Bypass -File "D:\SyncScript\AzureFI.ps1"
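
One way to write AzureFI.ps1 for the task above, as an added example (not the author's original script). It uses the ADSync module that ships with ADConnect; the log path is an assumption, and pausing the built-in scheduler for the duration of the run is this example's addition.

```powershell
# AzureFI.ps1 (added example): run one profile, log the outcome, return an exit code
Import-Module ADSync

$connector  = 'AzureAD'
$runProfile = 'Full Import'
$log        = 'D:\SyncScript\AzureFI.log'   # assumed log location

function Write-Log($msg) { "{0:s} {1}" -f (Get-Date), $msg | Add-Content -Path $log }

# Do not start while the engine is busy with a scheduled cycle or another run profile
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress -or (Get-ADSyncConnectorRunStatus)) {
    Write-Log 'Sync engine is busy; not starting.'
    exit 2
}

$wasEnabled = $scheduler.SyncCycleEnabled
$code = 1
try {
    # Pause the built-in scheduler so its cycle does not start during the long import
    if ($wasEnabled) { Set-ADSyncScheduler -SyncCycleEnabled $false }

    Write-Log "Starting '$runProfile' on '$connector'"
    $run = Invoke-ADSyncRunProfile -ConnectorName $connector -RunProfileName $runProfile -ErrorAction Stop
    Write-Log "Finished with result: $($run.Result)"
    if ($run.Result -eq 'success') { $code = 0 }
} catch {
    Write-Log "Failed: $($_.Exception.Message)"
} finally {
    # Always restore the scheduler to the state it was found in
    if ($wasEnabled) { Set-ADSyncScheduler -SyncCycleEnabled $true }
}
exit $code
```

Because the task runs this file as the sync engine account with -ExecutionPolicy Bypass, keep D:\SyncScript writable by administrators only.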

That’s it!!! You can create similar scripts and change ConnectorName / RunProfileName and create tasks for each at particular times.

You will have a healthy sync engine for ADConnect.