MIM 2016: New hotfix rollup build available


Yesterday Microsoft released an important hotfix rollup package for MIM 2016 SP1; the build number is

Info: Hotfix rollup package (build is available for Microsoft Identity Manager 2016 Service Pack 1

Download: Update for Microsoft Identity Manager 2016 SP1 (KB4469694)

The main issue fixed is the following:

After installing MIM build or, the ma-data objects are deleted and not recreated in the FIMService, causing all synchronization rules to fail.  After installing this update, this problem no longer happens.

Both builds causing the issue are still listed but are no longer available for download. If you installed one of those two hotfixes, I highly recommend updating to the latest hotfix.

The issue was also discussed here: MIM Portal Sync Rules have become orphaned
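The symptom the hotfix text describes (ma-data objects gone from the FIMService while the portal synchronization rules still reference them) can be checked before and after patching. The following is an added example, not code from the original post or from Microsoft's KB: it lists every synchronization rule whose ManagementAgentID reference no longer resolves to an ma-data object. The sample objects are constructed in the shape Export-FIMConfig returns (ExportObject.ResourceManagementObject with ObjectType, ObjectIdentifier and ResourceManagementAttributes); the GUIDs and MA names are made up, and the attribute names follow the FIMService schema.

```powershell
# Added example (not from the original post or the hotfix KB): find portal sync rules
# whose ManagementAgentID points at an ma-data object that no longer exists.

function Get-OrphanedSyncRules {
    param([Parameter(Mandatory)][object[]]$ExportedObjects)

    # Read one single-valued attribute of an exported object (null when absent)
    function Get-ExportedAttribute($obj, [string]$name) {
        ($obj.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $name } | Select-Object -First 1).Value
    }

    # Index the ma-data objects that still exist by their ObjectIdentifier (urn:uuid:...)
    $maById = @{}
    foreach ($o in $ExportedObjects) {
        if ($o.ResourceManagementObject.ObjectType -eq 'ma-data') {
            $maById[$o.ResourceManagementObject.ObjectIdentifier] = Get-ExportedAttribute $o 'DisplayName'
        }
    }

    # A sync rule references its MA through ManagementAgentID; a reference with no
    # matching ma-data object is an orphaned rule
    foreach ($o in $ExportedObjects) {
        if ($o.ResourceManagementObject.ObjectType -ne 'SynchronizationRule') { continue }
        $maRef = Get-ExportedAttribute $o 'ManagementAgentID'
        if ([string]::IsNullOrEmpty($maRef) -or -not $maById.ContainsKey($maRef)) {
            [pscustomobject]@{
                SyncRule          = Get-ExportedAttribute $o 'DisplayName'
                ManagementAgentID = $maRef
                Status            = 'Orphaned'
            }
        }
    }
}

# Helper to build constructed objects in the exported shape
function New-ExportedObject([string]$Type, [string]$Id, [hashtable]$Attributes) {
    $attrs = foreach ($k in $Attributes.Keys) {
        [pscustomobject]@{ AttributeName = $k; Value = $Attributes[$k] }
    }
    [pscustomobject]@{ ResourceManagementObject = [pscustomobject]@{
        ObjectType = $Type; ObjectIdentifier = $Id; ResourceManagementAttributes = @($attrs) } }
}

# Constructed sample: one MA that still exists, one that was deleted by the broken build
$adMa   = 'urn:uuid:11111111-1111-1111-1111-111111111111'
$goneMa = 'urn:uuid:22222222-2222-2222-2222-222222222222'
$sample = @(
    New-ExportedObject 'ma-data' $adMa @{ DisplayName = 'ADMA' }
    New-ExportedObject 'SynchronizationRule' 'urn:uuid:aaaaaaaa-0000-0000-0000-000000000001' `
        @{ DisplayName = 'AD User Inbound'; ManagementAgentID = $adMa }
    New-ExportedObject 'SynchronizationRule' 'urn:uuid:aaaaaaaa-0000-0000-0000-000000000002' `
        @{ DisplayName = 'HR User Outbound'; ManagementAgentID = $goneMa }
)
Get-OrphanedSyncRules -ExportedObjects $sample | Format-Table -AutoSize

# On a real MIM server the same function runs over a live export (FIMAutomation snap-in):
#   Add-PSSnapin FIMAutomation
#   $live = Export-FIMConfig -Uri 'http://localhost:5725/ResourceManagementService' `
#       -OnlyBaseResources -CustomConfig '/ma-data', '/SynchronizationRule'
#   Get-OrphanedSyncRules -ExportedObjects $live
```

Run it against a live export once before applying any MIM build and once after; an empty result after the update confirms that every sync rule still resolves to its MA. The function only reports orphaned rules, it does not repair them.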


Azure PIM: Internal Server Error (500) using PIM Graph API


I have an implementation where I created a MIM PowerShell Connector for Azure PIM (Privileged Identity Management). This connector imports on-premises AD groups and transfers their members to Azure PIM role assignments.

A couple of days ago the scripts of that connector started throwing errors, in my implementation as well as at a customer.

I tried to reach the following endpoints in Graph Explorer, and even there I get an error:

Graph Explorer states the following error:

  {
    "error": {
      "code": "UnknownError",
      "message": "{\"message\":\"An error has occurred.\"}",
      "innerError": {
        "request-id": "16e184f8-86cb-4424-abff-4fd3ac4a010e",
        "date": "2018-11-12T12:40:15"
      }
    }
  }

PowerShell, meanwhile, throws an Internal Server Error (500).

MIM 2016 sync rules become orphaned (broken) after update to


After I upgraded my MIM 2016 test lab to hotfix build I noticed that the MIM portal sync rules became orphaned (broken) when I had them all recreated by setting the password on the MIMService MA again.

Other users reported the same in the following FIM/MIM TechNet Forum post: https://social.technet.microsoft.com/Forums/en-US/e0e6e2db-46e1-4638-bdfb-4436b8f53ae1/mim-portal-sync-rules-have-become-orphaned?forum=ilm2

I already answered there with some points that I found out while debugging the issue.

Like the poster in the forum, I also tried updating to the latest hotfix, but that does not solve the issue, and you may also run into this issue when only applying

The error looks like the following:


Azure AD B2B Guest User Housekeeping Solution with MIM2016

It is quite easy these days to invite, and thereby add, B2B guest users to your Azure AD tenant. Not only administrators but also ordinary users can invite anyone in the world who has a valid email address (depending on the settings of your tenant).

Simply being invited gives guest users no permissions (besides logging in) to any resource of your tenant until permissions are assigned to them.

But a good identity management solution does not only take care of creating identities; it also removes them when they are no longer needed. At the time of writing, Azure AD does not provide any mechanism to get rid of unused guest accounts, and it does not even provide a proper way to identify them.

There is no “LastLogin” attribute you could use, for example, so you would have to find the person who invited that guest and ask them whether the guest is still needed.

This is where my Azure AD B2B guest user “Housekeeping” solution may help you. It provides a way to set your own “LastLogin” attribute on guest accounts, tracks pending invitations, and removes guest accounts after a defined period of time.

So how does it work?

  • Create an extension attribute to store the “LastLogin” as a DateTime
  • Import the Azure AD sign-in logs into MIM 2016 with a PowerShell MA leveraging the MS Graph reporting API
  • Import B2B users into MIM with a PowerShell MA leveraging the AAD PowerShell Module V2 cmdlets
  • Aggregate the sign-in logs to keep only the newest login per user
  • Set the extension attribute of those accounts and export it to AAD
  • Delete accounts after a period of time defined in an XML configuration file
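The core of the procedure above, the aggregation of sign-in records to one "LastLogin" per guest and the decision which guests and pending invitations are due for removal, can be shown in a few PowerShell functions. This is an added example, not the author's connector code: the record shapes mimic the MS Graph reporting API signIns resource (userPrincipalName, createdDateTime) and the AzureAD V2 Get-AzureADUser output (UserPrincipalName, UserState, UserStateChangedOn), the XML configuration schema and the StoredLastLogin property (standing in for the extension attribute value already exported to AAD) are hypothetical, and all records are constructed sample data.

```powershell
# Added example (not the author's MIM solution): aggregate sign-in logs to the newest
# login per guest and pick the guests/invitations that exceeded the configured age.
# Configuration schema below is hypothetical; the post does not show the author's file.
[xml]$housekeepingConfig = @"
<Housekeeping>
  <MaxDaysWithoutLogin>90</MaxDaysWithoutLogin>
  <MaxDaysPendingInvitation>30</MaxDaysPendingInvitation>
</Housekeeping>
"@

function ConvertTo-UtcDateTime([string]$Iso8601) {
    # Graph and the AzureAD cmdlets return ISO 8601 timestamps; normalize to UTC
    [DateTimeOffset]::Parse($Iso8601, [cultureinfo]::InvariantCulture).UtcDateTime
}

function Get-LatestSignIn {
    # Step "aggregate the sign-in logs": keep only the newest createdDateTime per UPN
    param([Parameter(Mandatory)][object[]]$SignIns)
    $latest = @{}
    foreach ($s in $SignIns) {
        $when = ConvertTo-UtcDateTime $s.createdDateTime
        $upn  = $s.userPrincipalName
        if (-not $latest.ContainsKey($upn) -or $when -gt $latest[$upn]) { $latest[$upn] = $when }
    }
    $latest
}

function Get-GuestsToRemove {
    param(
        [Parameter(Mandatory)][object[]]$Guests,
        [Parameter(Mandatory)][hashtable]$LastLogin,
        [Parameter(Mandatory)][xml]$Config,
        [datetime]$Now = [datetime]::UtcNow
    )
    $maxIdle    = [int]$Config.Housekeeping.MaxDaysWithoutLogin
    $maxPending = [int]$Config.Housekeeping.MaxDaysPendingInvitation

    foreach ($g in $Guests) {
        $upn   = $g.UserPrincipalName
        $since = ConvertTo-UtcDateTime $g.UserStateChangedOn   # invitation sent or accepted

        if ($g.UserState -eq 'PendingAcceptance') {
            # Step "track pending invitations": never-accepted invites age out separately
            if (($Now - $since).TotalDays -gt $maxPending) {
                [pscustomobject]@{ UserPrincipalName = $upn; Reason = 'InvitationNotAccepted'; LastLogin = $null }
            }
            continue
        }

        # Accepted guest: newest sign-in from the current log window wins, then the
        # value previously stored in the extension attribute, then the acceptance date
        $last = if ($LastLogin.ContainsKey($upn))        { $LastLogin[$upn] }
                elseif ($g.StoredLastLogin)              { ConvertTo-UtcDateTime $g.StoredLastLogin }
                else                                     { $since }
        if (($Now - $last).TotalDays -gt $maxIdle) {
            [pscustomobject]@{ UserPrincipalName = $upn; Reason = 'NoRecentSignIn'; LastLogin = $last }
        }
    }
}

# Constructed sign-in records (two for alice, one old one for bob, none for the others)
$signIns = @(
    [pscustomobject]@{ userPrincipalName = 'alice_contoso.com#EXT#@fabrikam.onmicrosoft.com'; createdDateTime = '2018-10-01T08:15:00Z' }
    [pscustomobject]@{ userPrincipalName = 'alice_contoso.com#EXT#@fabrikam.onmicrosoft.com'; createdDateTime = '2018-11-05T17:42:10Z' }
    [pscustomobject]@{ userPrincipalName = 'bob_example.org#EXT#@fabrikam.onmicrosoft.com';   createdDateTime = '2018-05-20T09:00:00Z' }
)
# Constructed guest objects: carol never accepted, dave's last login is known only from
# the stored extension attribute because it predates the current log window
$guests = @(
    [pscustomobject]@{ UserPrincipalName = 'alice_contoso.com#EXT#@fabrikam.onmicrosoft.com'; UserState = 'Accepted';          UserStateChangedOn = '2018-03-01T10:00:00Z'; StoredLastLogin = '2018-09-01T00:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'bob_example.org#EXT#@fabrikam.onmicrosoft.com';   UserState = 'Accepted';          UserStateChangedOn = '2018-04-01T10:00:00Z'; StoredLastLogin = $null }
    [pscustomobject]@{ UserPrincipalName = 'carol_mail.net#EXT#@fabrikam.onmicrosoft.com';    UserState = 'PendingAcceptance'; UserStateChangedOn = '2018-06-15T10:00:00Z'; StoredLastLogin = $null }
    [pscustomobject]@{ UserPrincipalName = 'dave_corp.io#EXT#@fabrikam.onmicrosoft.com';      UserState = 'Accepted';          UserStateChangedOn = '2018-01-10T10:00:00Z'; StoredLastLogin = '2018-11-10T12:00:00Z' }
)

$now    = ConvertTo-UtcDateTime '2018-11-20T00:00:00Z'
$latest = Get-LatestSignIn -SignIns $signIns
Get-GuestsToRemove -Guests $guests -LastLogin $latest -Config $housekeepingConfig -Now $now | Format-Table -AutoSize
```

The fallback to a stored value matters because the Graph sign-in report only covers a limited retention window: a guest missing from the current logs is not necessarily a guest who never signed in, which is exactly why the solution persists the aggregated value in an extension attribute (for a single user the AzureAD module's Set-AzureADUserExtension cmdlet writes such a value; in the MIM flow this is the export step). Pending invitations are aged on UserStateChangedOn because an invitee who never accepted has no sign-in to aggregate at all.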


Reblog: Automating Azure AD B2B Guest Invitations using Microsoft Identity Manager

Since a lot of visitors like my posts around Azure AD B2B (in fact, it is the most popular post), have a look at the great article by Darren ‘Doc’ Robinson:
Automating Azure AD B2B Guest Invitations using Microsoft Identity Manager




New version of MIMConfigDocumenter (Build 1.18.0824.0) available

A new version of the very helpful FIM/MIM Configuration Documenter is available.

You can get it from the GitHub repo: https://github.com/Microsoft/MIMConfigDocumenter/releases

Besides some fixes, there are also significant performance improvements:


  • Performance improvements. The configuration report should get generated much more quickly now.
  • Fixed an issue where a configuration setting did not render correctly if it had html markup characters.

You can find the requirements and usage instructions on the project's Wiki page.

Hotfix rollup package is available for MIM 2016 SP1 (Build

A large new hotfix rollup package is available for Microsoft Identity Manager 2016 SP1 (MIM 2016).

It contains a lot of fixes and enhancements. The build version is

Hotfix rollup package (build is available for Microsoft Identity Manager 2016 SP1

You can download it from here.
